Edit tour

Windows Analysis Report
rfWu0dUz6A.exe

Overview

General Information

Sample name:	rfWu0dUz6A.exe renamed because original name is a hash value
Original sample name:	746319c0183ec5bb360f3194b3bd43ec.exe
Analysis ID:	1581893
MD5:	746319c0183ec5bb360f3194b3bd43ec
SHA1:	011475d452a291cc9fad14f78572c9eacb479130
SHA256:	4cd8f0f35099c08c08d018cdf3c96d13655e7d034ff4fa11b59f9146c5272bdd
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

rfWu0dUz6A.exe (PID: 6184 cmdline: "C:\Users\user\Desktop\rfWu0dUz6A.exe" MD5: 746319C0183EC5BB360F3194B3BD43EC)

BitLockerToGo.exe (PID: 5688 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["rurallyrishz.click", "shapestickyr.lat", "wordyfindy.lat", "curverpluch.lat", "tentabatte.lat", "manyrestro.lat", "bashfulacid.lat", "talkynicer.lat", "slipperyloo.lat"], "Build id": "LJychR--matadara"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2379826375.0000000001CBA000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000002.2379544812.00000000019D4000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T08:55:50.441225+0100	2028371	3	Unknown Traffic	192.168.2.6	49755	104.21.32.1	443	TCP
2024-12-29T08:55:52.813248+0100	2028371	3	Unknown Traffic	192.168.2.6	49763	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T08:55:51.559654+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49755	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T08:55:51.559654+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49755	104.21.32.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.BitLockerToGo.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["rurallyrishz.click", "shapestickyr.lat", "wordyfindy.lat", "curverpluch.lat", "tentabatte.lat", "manyrestro.lat", "bashfulacid.lat", "talkynicer.lat", "slipperyloo.lat"], "Build id": "LJychR--matadara"}

Multi AV Scanner detection for submitted file

Source: rfWu0dUz6A.exe	Virustotal: Detection: 67%			Perma Link
Source: rfWu0dUz6A.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rfWu0dUz6A.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: bashfulacid.lat
Source: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tentabatte.lat
Source: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: curverpluch.lat
Source: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: talkynicer.lat
Source: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: shapestickyr.lat
Source: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: manyrestro.lat
Source: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: slipperyloo.lat
Source: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wordyfindy.lat
Source: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rurallyrishz.click
Source: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: LJychR--matadara

Source: rfWu0dUz6A.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49755 version: TLS 1.2

Source: rfWu0dUz6A.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: rfWu0dUz6A.exe, 00000000.00000002.2379826375.0000000001C80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: rfWu0dUz6A.exe, 00000000.00000002.2379826375.0000000001C80000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then lea esi, dword ptr [eax+00000270h]	3_2_00408A50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ebx	3_2_00408600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042C850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push esi	3_2_0040C805
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00422830
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h]	3_2_0043C830
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, ecx	3_2_004290D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0042E0DA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	3_2_0041D8D8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	3_2_0041D8D8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0042C0E6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	3_2_0041B8F6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	3_2_0041B8F6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0042C09E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ebx	3_2_0041C8A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000BEh]	3_2_0041C8A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+0Ah]	3_2_0041C8A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2E3D7ACEh]	3_2_0041C8A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	3_2_0041D8AC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	3_2_0041D8AC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0042C09E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-16h]	3_2_00441160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [00446130h]	3_2_00418169
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_0042B170
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	3_2_0042D17D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	3_2_0042D116
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_004281CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_004289E9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042B980
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	3_2_0043C990
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	3_2_004239B9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax]	3_2_004239B9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 385488F2h	3_2_0043CA40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00421A10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00436210
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then dec edx	3_2_0043FA20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042AAC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+0Ah]	3_2_0040AB40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	3_2_00440340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0042D34A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	3_2_0041C300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then dec edx	3_2_0043FB10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	3_2_00418B1B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then dec edx	3_2_0043FB2A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then dec edx	3_2_0043FB28
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_004073D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_004073D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_004283D8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6E2DD57Fh]	3_2_0041EB80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ebx	3_2_00427440
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+09AD4080h]	3_2_00427440
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [eax+edi-74D5A7FEh]	3_2_0042C465
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0042C465
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, dword ptr [esi+30h]	3_2_0040CC7A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041747D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edx], di	3_2_0041747D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00414CA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then dec edx	3_2_0043FD70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+61765397h]	3_2_0041B57D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-16h]	3_2_00440D20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00428528
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	3_2_00426D2E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+eax-46h]	3_2_0043EDC1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	3_2_0043CDF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-3ECB279Fh]	3_2_0043CDF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	3_2_0043CDF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 7F7BECC6h	3_2_0043CDF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0042DDFF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, ecx	3_2_0042A5B6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	3_2_00422E6D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	3_2_00422E6D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax]	3_2_00422E6D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then dec edx	3_2_0043FE00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0042DE07
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-16h]	3_2_004406F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	3_2_00429E80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	3_2_00402EB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	3_2_00427740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00416F52
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	3_2_0042BF13
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, dword ptr [esp+28h]	3_2_00425F1B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-16h]	3_2_00441720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	3_2_00429739
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	3_2_004237D6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp+20h], eax	3_2_00409780

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49755 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49755 -> 104.21.32.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: rurallyrishz.click
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat

Source: Joe Sandbox View

IP Address: 104.21.32.1 104.21.32.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49755 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49763 -> 104.21.32.1:443

Source: global traffic

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: rurallyrishz.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: rurallyrishz.click

Source: unknown

Source: BitLockerToGo.exe, 00000003.00000003.2418030986.00000000033B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: BitLockerToGo.exe, 00000003.00000003.2418368020.0000000003373000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2418537055.0000000003382000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2422050826.0000000003383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rurallyrishz.click/
Source: BitLockerToGo.exe, 00000003.00000003.2418368020.0000000003373000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2418537055.0000000003382000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2421786861.000000000332C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2422050826.0000000003383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rurallyrishz.click/api
Source: BitLockerToGo.exe, 00000003.00000002.2421786861.000000000332C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rurallyrishz.click/apiK
Source: BitLockerToGo.exe, 00000003.00000002.2421873973.0000000003343000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2418448302.0000000003343000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rurallyrishz.click/u

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49755 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00433E30 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00433E30

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00433E30 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00433E30

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_004348C2 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_004348C2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2379826375.0000000001CBA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.2379544812.00000000019D4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Users\user\Desktop\rfWu0dUz6A.exe

Code function: 0_2_0090BD40 DuplicateHandle,GetCurrentThreadId,CreateWaitableTimerExW,CreateWaitableTimerExW,NtCreateWaitCompletionPacket,VirtualQuery,

0_2_0090BD40

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00408600	3_2_00408600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040C840	3_2_0040C840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041D003	3_2_0041D003
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040D021	3_2_0040D021
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040D83C	3_2_0040D83C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004038C0	3_2_004038C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042A0CA	3_2_0042A0CA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004338D0	3_2_004338D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042C0E6	3_2_0042C0E6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004160E9	3_2_004160E9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041B8F6	3_2_0041B8F6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042C09E	3_2_0042C09E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041C8A0	3_2_0041C8A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004388B0	3_2_004388B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042C09E	3_2_0042C09E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00406160	3_2_00406160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041E960	3_2_0041E960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00418169	3_2_00418169
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00405900	3_2_00405900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040B100	3_2_0040B100
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00426910	3_2_00426910
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004281CC	3_2_004281CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004409E0	3_2_004409E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042C9EB	3_2_0042C9EB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042E180	3_2_0042E180
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043F18B	3_2_0043F18B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004291AE	3_2_004291AE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004239B9	3_2_004239B9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043CA40	3_2_0043CA40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00435A4F	3_2_00435A4F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043DA4D	3_2_0043DA4D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00404270	3_2_00404270
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041E220	3_2_0041E220
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043FA20	3_2_0043FA20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00411227	3_2_00411227
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00419AD0	3_2_00419AD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004242D0	3_2_004242D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00439280	3_2_00439280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00439A80	3_2_00439A80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00428ABC	3_2_00428ABC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040AB40	3_2_0040AB40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00421340	3_2_00421340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042D34A	3_2_0042D34A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042F377	3_2_0042F377
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00409310	3_2_00409310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043FB10	3_2_0043FB10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00418B1B	3_2_00418B1B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043FB2A	3_2_0043FB2A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043FB28	3_2_0043FB28
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040F3C0	3_2_0040F3C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004073D0	3_2_004073D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004283D8	3_2_004283D8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041EB80	3_2_0041EB80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00404BA0	3_2_00404BA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00427440	3_2_00427440
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043A440	3_2_0043A440
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00440460	3_2_00440460
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041747D	3_2_0041747D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00433C10	3_2_00433C10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004204C6	3_2_004204C6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004224E0	3_2_004224E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040D4F3	3_2_0040D4F3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00431CF0	3_2_00431CF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00414CA0	3_2_00414CA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042CD4C	3_2_0042CD4C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042CD5E	3_2_0042CD5E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00424560	3_2_00424560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043FD70	3_2_0043FD70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00421D00	3_2_00421D00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00440D20	3_2_00440D20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00411D2B	3_2_00411D2B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00426D2E	3_2_00426D2E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00439D30	3_2_00439D30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042C53C	3_2_0042C53C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00405DC0	3_2_00405DC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043A5D4	3_2_0043A5D4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004065F0	3_2_004065F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043CDF0	3_2_0043CDF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043C5A0	3_2_0043C5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00437DA9	3_2_00437DA9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00438650	3_2_00438650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042EE63	3_2_0042EE63
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00420E6C	3_2_00420E6C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00422E6D	3_2_00422E6D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042FE74	3_2_0042FE74
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043FE00	3_2_0043FE00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040F60D	3_2_0040F60D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041961B	3_2_0041961B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041E630	3_2_0041E630
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004246D0	3_2_004246D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004406F0	3_2_004406F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040E687	3_2_0040E687
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00438EA0	3_2_00438EA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00402EB0	3_2_00402EB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041AEB0	3_2_0041AEB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00427740	3_2_00427740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00412750	3_2_00412750
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041DF50	3_2_0041DF50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00416F52	3_2_00416F52
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00425F1B	3_2_00425F1B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00429739	3_2_00429739
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004157C0	3_2_004157C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00409780	3_2_00409780

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 00414C90 appears 77 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 00407F60 appears 40 times

Source: rfWu0dUz6A.exe, 00000000.00000002.2379826375.0000000001C80000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs rfWu0dUz6A.exe

Source: rfWu0dUz6A.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2379826375.0000000001CBA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.2379544812.00000000019D4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@1/1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00432070 CoCreateInstance,

3_2_00432070

Source: rfWu0dUz6A.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\rfWu0dUz6A.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rfWu0dUz6A.exe	Virustotal: Detection: 67%
Source: rfWu0dUz6A.exe	ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\rfWu0dUz6A.exe "C:\Users\user\Desktop\rfWu0dUz6A.exe"
Source: C:\Users\user\Desktop\rfWu0dUz6A.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\rfWu0dUz6A.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rfWu0dUz6A.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\rfWu0dUz6A.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: rfWu0dUz6A.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: rfWu0dUz6A.exe

Static file information: File size 25013249 > 1048576

Source: rfWu0dUz6A.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1cca00
Source: rfWu0dUz6A.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1e1800

Source: rfWu0dUz6A.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: rfWu0dUz6A.exe, 00000000.00000002.2379826375.0000000001C80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: rfWu0dUz6A.exe, 00000000.00000002.2379826375.0000000001C80000.00000004.00001000.00020000.00000000.sdmp

Source: rfWu0dUz6A.exe

Static PE information: section name: .symtab

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00437069 push es; retf	3_2_00437074
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043C990 push eax; mov dword ptr [esp], 5C5D5E5Fh	3_2_0043C99E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041B324 push F3B90044h; retf	3_2_0041B32A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00445C05 push ds; iretd	3_2_00445C08
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0044856B push cs; retf	3_2_0044856C

Source: C:\Users\user\Desktop\rfWu0dUz6A.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 1908	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 1476	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: BitLockerToGo.exe, 00000003.00000002.2421970607.0000000003373000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2418368020.0000000003373000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW;P0K
Source: BitLockerToGo.exe, 00000003.00000002.2421970607.0000000003373000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2418368020.0000000003373000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2421786861.000000000332C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rfWu0dUz6A.exe, 00000000.00000002.2378435344.00000000010DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_0043E110 LdrInitializeThunk,

3_2_0043E110

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\rfWu0dUz6A.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\rfWu0dUz6A.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: rfWu0dUz6A.exe, 00000000.00000002.2379544812.00000000019D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: rfWu0dUz6A.exe, 00000000.00000002.2379544812.00000000019D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: rfWu0dUz6A.exe, 00000000.00000002.2379544812.00000000019D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: rfWu0dUz6A.exe, 00000000.00000002.2379544812.00000000019D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: rfWu0dUz6A.exe, 00000000.00000002.2379544812.00000000019D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: rfWu0dUz6A.exe, 00000000.00000002.2379544812.00000000019D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: rfWu0dUz6A.exe, 00000000.00000002.2379544812.00000000019D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: rfWu0dUz6A.exe, 00000000.00000002.2379544812.00000000019D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: rfWu0dUz6A.exe, 00000000.00000002.2379544812.00000000019D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: rurallyrishz.click

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rfWu0dUz6A.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 31EF008	Jump to behavior
Source: C:\Users\user\Desktop\rfWu0dUz6A.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\rfWu0dUz6A.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\rfWu0dUz6A.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 442000	Jump to behavior
Source: C:\Users\user\Desktop\rfWu0dUz6A.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 445000	Jump to behavior
Source: C:\Users\user\Desktop\rfWu0dUz6A.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 453000	Jump to behavior

Source: C:\Users\user\Desktop\rfWu0dUz6A.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Jump to behavior

Source: C:\Users\user\Desktop\rfWu0dUz6A.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rfWu0dUz6A.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rfWu0dUz6A.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rfWu0dUz6A.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	311 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
rfWu0dUz6A.exe	67%	Virustotal		Browse
rfWu0dUz6A.exe	66%	ReversingLabs	Win32.Trojan.LummaStealer
rfWu0dUz6A.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://rurallyrishz.click/apiK	0%	Avira URL Cloud	safe
https://rurallyrishz.click/	0%	Avira URL Cloud	safe
https://rurallyrishz.click/api	0%	Avira URL Cloud	safe
rurallyrishz.click	0%	Avira URL Cloud	safe
https://rurallyrishz.click/u	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rurallyrishz.click	104.21.32.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
wordyfindy.lat	false		high
curverpluch.lat	false		high
slipperyloo.lat	false		high
tentabatte.lat	false		high
manyrestro.lat	false		high
bashfulacid.lat	false		high
rurallyrishz.click	true	Avira URL Cloud: safe	unknown
shapestickyr.lat	false		high
https://rurallyrishz.click/api	true	Avira URL Cloud: safe	unknown
talkynicer.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://rurallyrishz.click/apiK	BitLockerToGo.exe, 00000003.00000002.2421786861.000000000332C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	BitLockerToGo.exe, 00000003.00000003.2418030986.00000000033B7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://rurallyrishz.click/	BitLockerToGo.exe, 00000003.00000003.2418368020.0000000003373000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2418537055.0000000003382000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2422050826.0000000003383000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rurallyrishz.click/u	BitLockerToGo.exe, 00000003.00000002.2421873973.0000000003343000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2418448302.0000000003343000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.32.1	rurallyrishz.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581893
Start date and time:	2024-12-29 08:54:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rfWu0dUz6A.exe renamed because original name is a hash value
Original Sample Name:	746319c0183ec5bb360f3194b3bd43ec.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 90% Number of executed functions: 11 Number of non-executed functions: 144
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rfWu0dUz6A.exe, PID 6184 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:55:50	API Interceptor	2x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.32.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	redroomaudio.com/administrator/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	Gabriel-4.9.exe	Get hash	malicious	Nitol, Zegost	Browse	172.67.165.100
	https://gtgyhtrgerftrgr.blob.core.windows.net/frhvhgse/vsgwhk.html	Get hash	malicious	Unknown	Browse	104.21.77.48
	EjS7Q5fFCE.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.186.200
	VegaStealer_v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	172.67.160.84
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	172.67.160.84
	aimware.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.132.55
	https://belasting.online-factuur.com	Get hash	malicious	Unknown	Browse	172.67.171.151
	https://kn0wbe4.compromisedblog.com/XZHJISTcycW1tZkROWG92Y2ZEc21laS80dzNTR2N0eEsvTDFRWGFNODdGaGtjNGo5VzRyMFRUQmFLM0grcGxUbnBSTVFhMEg2Smd3UkovaXVjaUpIcG1hZG5CQnh5aFlZTXNqNldTdm84cE5CMUtld0dCZzN4ZUFRK2lvL1FWTG92NUJsMnJ3OHFGckdTNFhnMkFUTFZFZTdKRnVJaTRuRGFKdXVyeUdCVytuQzdnMEV1ZExSMnlwWi9RPT0tLTdnZjhxQVZPbUdTdFZXVUEtLXA0bHNCNGxmeTdrdmlkWWRVcmRXRWc9PQ==?cid=2310423310	Get hash	malicious	KnowBe4	Browse	1.1.1.1
	gdi32.dll	Get hash	malicious	LummaC	Browse	104.21.66.86

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	104.21.32.1
	gdi32.dll	Get hash	malicious	LummaC	Browse	104.21.32.1
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	Crosshair-X.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	!Set-up..exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	iien1HBbB3.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	oe9KS7ZHUc.exe	Get hash	malicious	LummaC	Browse	104.21.32.1

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	1.469537423091818
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rfWu0dUz6A.exe
File size:	25'013'249 bytes
MD5:	746319c0183ec5bb360f3194b3bd43ec
SHA1:	011475d452a291cc9fad14f78572c9eacb479130
SHA256:	4cd8f0f35099c08c08d018cdf3c96d13655e7d034ff4fa11b59f9146c5272bdd
SHA512:	14b820fbac607cfb19b606afbac502cce5f259675d8ba02746626c290f737837a374634bf5cb6d5bcf4f9853e4588b3d0c5ddc99c13d67fc3e1fc7bef68a3d25
SSDEEP:	49152:J0JEHWJ65cZrFctPdSHdA8Ui4oFcU/sy4cN4EVj5OTVgcKPd3:5W80yEwoFITOcKl
TLSH:	C647F641FACB45F5D8031830515AA23B97325E058B25DB9BFB6C7F5AEB7B6920C33209
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........=..................n......0.........;...@..........................P@.......>...@................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x461830
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	1aae8bf580c846f39c71c05898e57e88

Entrypoint Preview

Instruction
jmp 00007F3335164220h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007F3335145086h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
add eax, 000013A0h
mov dword ptr [edx+08h], eax
mov dword ptr [edx+0Ch], eax
lea edi, dword ptr [ecx+34h]
mov dword ptr [edx+18h], ecx
mov dword ptr [edi], edx
mov dword ptr [esp+04h], edi
call 00007F3335166684h
cld
call 00007F333516570Eh
call 00007F3335164349h
add esp, 08h
ret
jmp 00007F3335166530h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ebx, dword ptr [esp+04h]
mov ebp, esp
mov dword ptr fs:[00000034h], 00000000h
mov ecx, dword ptr [ebx+04h]
cmp ecx, 00000000h
je 00007F3335166531h
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ec000	0x44c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x403000	0x1f54	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3ed000	0x14e80	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3b02e0	0xb4	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1cc918	0x1cca00	4899822d9e5251bbfc8173b049ab5b51	False	0.4105156037991859	data	6.042558274764513	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1ce000	0x1e1794	0x1e1800	6462d99c5e3212aeff7f88c8057c0173	False	0.48901848877206644	data	5.9971372276997235	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3b0000	0x3b900	0x14e00	db561d649b14d9979730c978ab72a755	False	0.46813014595808383	data	5.000578117736028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x3ec000	0x44c	0x600	007566f7e41bf77eeef5991166dde4f1	False	0.3600260416666667	OpenPGP Public Key	3.874332394538109	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x3ed000	0x14e80	0x15000	33ac33cfd98ab81037716273c931cedd	False	0.5860770089285714	data	6.592915648969086	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x402000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x403000	0x1f54	0x2000	14fbace0757e8a04985c29d13d9fc57b	False	0.33154296875	data	4.670021243104677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4031d4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5675675675675675
RT_ICON	0x4032fc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4486994219653179
RT_ICON	0x403864	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.4637096774193548
RT_ICON	0x403b4c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.3935018050541516
RT_GROUP_ICON	0x4043f4	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x404434	0x4f4	data	English	United States	0.278391167192429
RT_MANIFEST	0x404928	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-29T08:55:50.441225+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49755	104.21.32.1	443	TCP
2024-12-29T08:55:51.559654+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49755	104.21.32.1	443	TCP
2024-12-29T08:55:51.559654+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49755	104.21.32.1	443	TCP
2024-12-29T08:55:52.813248+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49763	104.21.32.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 08:55:49.173969984 CET	49755	443	192.168.2.6	104.21.32.1
Dec 29, 2024 08:55:49.174026966 CET	443	49755	104.21.32.1	192.168.2.6
Dec 29, 2024 08:55:49.174115896 CET	49755	443	192.168.2.6	104.21.32.1
Dec 29, 2024 08:55:49.177369118 CET	49755	443	192.168.2.6	104.21.32.1
Dec 29, 2024 08:55:49.177381992 CET	443	49755	104.21.32.1	192.168.2.6
Dec 29, 2024 08:55:50.441107988 CET	443	49755	104.21.32.1	192.168.2.6
Dec 29, 2024 08:55:50.441225052 CET	49755	443	192.168.2.6	104.21.32.1
Dec 29, 2024 08:55:50.481570959 CET	49755	443	192.168.2.6	104.21.32.1
Dec 29, 2024 08:55:50.481606960 CET	443	49755	104.21.32.1	192.168.2.6
Dec 29, 2024 08:55:50.482002974 CET	443	49755	104.21.32.1	192.168.2.6
Dec 29, 2024 08:55:50.531588078 CET	49755	443	192.168.2.6	104.21.32.1
Dec 29, 2024 08:55:50.649148941 CET	49755	443	192.168.2.6	104.21.32.1
Dec 29, 2024 08:55:50.649179935 CET	49755	443	192.168.2.6	104.21.32.1
Dec 29, 2024 08:55:50.649301052 CET	443	49755	104.21.32.1	192.168.2.6
Dec 29, 2024 08:55:51.559678078 CET	443	49755	104.21.32.1	192.168.2.6
Dec 29, 2024 08:55:51.559777975 CET	443	49755	104.21.32.1	192.168.2.6
Dec 29, 2024 08:55:51.559993029 CET	49755	443	192.168.2.6	104.21.32.1
Dec 29, 2024 08:55:51.564075947 CET	49755	443	192.168.2.6	104.21.32.1
Dec 29, 2024 08:55:51.564089060 CET	443	49755	104.21.32.1	192.168.2.6
Dec 29, 2024 08:55:51.571930885 CET	49763	443	192.168.2.6	104.21.32.1
Dec 29, 2024 08:55:51.571965933 CET	443	49763	104.21.32.1	192.168.2.6
Dec 29, 2024 08:55:51.572076082 CET	49763	443	192.168.2.6	104.21.32.1
Dec 29, 2024 08:55:51.572376966 CET	49763	443	192.168.2.6	104.21.32.1
Dec 29, 2024 08:55:51.572390079 CET	443	49763	104.21.32.1	192.168.2.6
Dec 29, 2024 08:55:52.813247919 CET	49763	443	192.168.2.6	104.21.32.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 08:55:48.838466883 CET	57068	53	192.168.2.6	1.1.1.1
Dec 29, 2024 08:55:49.169151068 CET	53	57068	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 29, 2024 08:55:48.838466883 CET	192.168.2.6	1.1.1.1	0x4b0	Standard query (0)	rurallyrishz.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 29, 2024 08:55:49.169151068 CET	1.1.1.1	192.168.2.6	0x4b0	No error (0)	rurallyrishz.click	104.21.32.1	A (IP address)	IN (0x0001)	false
Dec 29, 2024 08:55:49.169151068 CET	1.1.1.1	192.168.2.6	0x4b0	No error (0)	rurallyrishz.click	104.21.80.1	A (IP address)	IN (0x0001)	false
Dec 29, 2024 08:55:49.169151068 CET	1.1.1.1	192.168.2.6	0x4b0	No error (0)	rurallyrishz.click	104.21.16.1	A (IP address)	IN (0x0001)	false
Dec 29, 2024 08:55:49.169151068 CET	1.1.1.1	192.168.2.6	0x4b0	No error (0)	rurallyrishz.click	104.21.96.1	A (IP address)	IN (0x0001)	false
Dec 29, 2024 08:55:49.169151068 CET	1.1.1.1	192.168.2.6	0x4b0	No error (0)	rurallyrishz.click	104.21.48.1	A (IP address)	IN (0x0001)	false
Dec 29, 2024 08:55:49.169151068 CET	1.1.1.1	192.168.2.6	0x4b0	No error (0)	rurallyrishz.click	104.21.112.1	A (IP address)	IN (0x0001)	false
Dec 29, 2024 08:55:49.169151068 CET	1.1.1.1	192.168.2.6	0x4b0	No error (0)	rurallyrishz.click	104.21.64.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

rurallyrishz.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49755	104.21.32.1	443	5688	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 07:55:50 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: rurallyrishz.click
2024-12-29 07:55:50 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-29 07:55:51 UTC	1129	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 07:55:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ng5r7s9a5o19jdnunt6itsfb3b; expires=Thu, 24 Apr 2025 01:42:30 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x2UprwEGDaHReald%2FKVXbOvEilqSXI%2FRf%2BAjpjqeN1%2BJVcrcZ6ibJK5gHpIrzzIQ07SZCkAmvBdEgoed7YvuFzTDDGfgZoTA8Th0WdTW77pUyYVtgV0foUEEfWBVPHEoVRP0PUw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f983aea8fb24344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1690&min_rtt=1684&rtt_var=645&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2846&recv_bytes=909&delivery_rate=1679125&cwnd=47&unsent_bytes=0&cid=65fb5060ac49686c&ts=1044&x=0"
2024-12-29 07:55:51 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-29 07:55:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:55:22
Start date:	29/12/2024
Path:	C:\Users\user\Desktop\rfWu0dUz6A.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rfWu0dUz6A.exe"
Imagebase:	0x8e0000
File size:	25'013'249 bytes
MD5 hash:	746319C0183EC5BB360F3194B3BD43EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2379826375.0000000001CBA000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2379544812.00000000019D4000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:55:44
Start date:	29/12/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0x4f0000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 0090BD40 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2377757033.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.2377739757.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377869250.0000000000AAE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377869250.0000000000BA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377869250.0000000000BA6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377869250.0000000000BBF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377869250.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2377869250.0000000000BC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2378060369.0000000000C90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2378074090.0000000000C91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2378088142.0000000000C92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2378101273.0000000000C93000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2378119683.0000000000C9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2378119683.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2378119683.0000000000CB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2378119683.0000000000CC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2378192535.0000000000CCC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2378207215.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2378207215.0000000000CE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_rfWu0dUz6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4fbe74f2dc9bdeeecb80c92d2c3bf0a7ccddc6afbaa0c71453ec2387204da91
Instruction ID: a98d38730e60120a9dce17fd838a47ebf33051779c6b24375a403eed1db749fa
Opcode Fuzzy Hash: d4fbe74f2dc9bdeeecb80c92d2c3bf0a7ccddc6afbaa0c71453ec2387204da91
Instruction Fuzzy Hash: 8751B0B45083018FD304DF28D1A5B5ABBF0BB89758F108A6DE5A88B3A2D776D945CF42

Analysis Process: BitLockerToGo.exePID: 5688, Parent PID: 6184COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	30%
Total number of Nodes:	50
Total number of Limit Nodes:	1

Executed Functions

Function 00408600 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 351
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408624
GetCurrentThreadId.KERNEL32 ref: 0040862E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004087FA
GetForegroundWindow.USER32 ref: 00408974

Part of subcall function 0040B7B0: FreeLibrary.KERNEL32(00408A31), ref: 0040B7B6
Part of subcall function 0040B7B0: FreeLibrary.KERNEL32 ref: 0040B7D7

ExitProcess.KERNEL32 ref: 00408A4A

Strings

b]u), xrefs: 00408877
}, xrefs: 00408913
}, xrefs: 0040890C

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: b]u)$}$}
API String ID: 3676751680-2900034282
Opcode ID: 6a07f0384f71d87041b62ad58867324155b1be50ba3e74cb306905e4ea8226d7
Instruction ID: 3bf81113ce60e3950654fa87f9b5bc85db09618474996d7b9c4e13ef7b0d228f
Opcode Fuzzy Hash: 6a07f0384f71d87041b62ad58867324155b1be50ba3e74cb306905e4ea8226d7
Instruction Fuzzy Hash: C4C1E673E187144BC708DF69C84125AF7D6ABC8710F0AC53EA898EB391EA74DD048BC6

Function 0043E110 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0044148A,?,00000018,?,?,00000018,?,?,?), ref: 0043E13E

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00408A50 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8a8dcc9c3ab3076e5cd776fb6cd32bc0718f272d39d571d2e216b7fbce9e89
Instruction ID: c6ef65a4040eb9722264cce64ace65176086622d4161082164e2e1e487573ca7
Opcode Fuzzy Hash: de8a8dcc9c3ab3076e5cd776fb6cd32bc0718f272d39d571d2e216b7fbce9e89
Instruction Fuzzy Hash: E121C837A62B184BD3108E54DCC87917761E7D9318F3E86B8C9249F7D2C97BA91386C0

Function 00409D1E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 142
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000), ref: 00409D98
LoadLibraryExW.KERNEL32(?,00000000), ref: 00409E78

Strings

CKI, xrefs: 00409E85

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID: CKI
API String ID: 1029625771-2433779057
Opcode ID: 46ebf1f11a428727df2c69ed2ddcf1f0c4f78635cb5cf24ba122c25d2125fb43
Instruction ID: 9df50abc4230604fad3af689b86cbcfc4f62151ff32a39ed9a717dc759385280
Opcode Fuzzy Hash: 46ebf1f11a428727df2c69ed2ddcf1f0c4f78635cb5cf24ba122c25d2125fb43
Instruction Fuzzy Hash: 1041EFB4D003009FEB149F789992A9A7F71EB06324F5152ADD4902F3E6C635981A8BE6

Function 0043E34B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043E3BA

Strings

, xrefs: 0043E365, 0043E37C

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-3019521637
Opcode ID: 1a0742d174ed02cdc22a72f35ed7972a2a7288d22f9a72e178f62dae787fe3a6
Instruction ID: 528e16a96f9d9f00b26d3e5e14e5fe829b229e0aa49aafaba4eb36a7b6cd6e75
Opcode Fuzzy Hash: 1a0742d174ed02cdc22a72f35ed7972a2a7288d22f9a72e178f62dae787fe3a6
Instruction Fuzzy Hash: FA112B7AE418614BEF08CF39DC171AA77A2B3C5325B2D56B98816E32D0DA3C5C068A84

Function 0040EF53 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040EF57
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040F09C

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c72aef12464a92cc2c3f2d51aa4abadf574ffcca3a61543972ef4f2091f679da
Instruction ID: f51fb2f77ad80b64b0419191bf69b8e44a6001040ca864f0c8a1fa7d7adef59f
Opcode Fuzzy Hash: c72aef12464a92cc2c3f2d51aa4abadf574ffcca3a61543972ef4f2091f679da
Instruction Fuzzy Hash: 9341C6B4C10B40AFD370EF399A0B7137EB8AB05250F504B1DF9E6866D4E231A4198BD7

Function 0040EC77 Relevance: 3.0, APIs: 2, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040EC89
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040ECA2

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: fb62f50cd5accdd3f8c0e7536e39a1f07535dd0835aa916c8da64f7b89d0cef8
Instruction ID: 738adb6083984dd8bacecb44fa1de3dd99d04845307cbd3813f349a55eb87af8
Opcode Fuzzy Hash: fb62f50cd5accdd3f8c0e7536e39a1f07535dd0835aa916c8da64f7b89d0cef8
Instruction Fuzzy Hash: 8BE042783D97417BF6795B14ED57F143225AB86F26F304314B7253D6E58AE03201451D

Function 00437764 Relevance: 1.6, APIs: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0043779D

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: bc18d378b5dd9222f1d4b2f2bf41a228d576f499a8aff68b17f4869370526a21
Instruction ID: 54b6fee0e0571655c33f26142f93ff03fb1190c0e218daea6acb4e94425ab4d3
Opcode Fuzzy Hash: bc18d378b5dd9222f1d4b2f2bf41a228d576f499a8aff68b17f4869370526a21
Instruction Fuzzy Hash: 0C31E472A466418FD7158B78C8837ADBBE28BD5314F0A80AEE459C73A2D9388942CB10

Function 0043E3A9 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043E3BA

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 0e9d24a3901733470457e1249cc7f7470b5df7d452cc394c81079ce9d69cb8f4
Instruction ID: 5efd1ee9a03ea3c3eb0c12d762aaad34ed982eea5bb01117e5cc31371429f0ae
Opcode Fuzzy Hash: 0e9d24a3901733470457e1249cc7f7470b5df7d452cc394c81079ce9d69cb8f4
Instruction Fuzzy Hash: 29F0A0FEE805528FDB04CF55EC5446533A3B7D930631D8479D501A3229DE74A902DA45

Function 0043C55B Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0043C561

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1e4e484f05b9e0d440bcaef072417b378b3908eb1398e6cf47b9ef0a4f9b27b4
Instruction ID: acefbe7e0d7c30d89c71afa01d78d71c03f6ee103d6cd382e15fa3716b8bb47b
Opcode Fuzzy Hash: 1e4e484f05b9e0d440bcaef072417b378b3908eb1398e6cf47b9ef0a4f9b27b4
Instruction Fuzzy Hash: 13A012310401109AC5111B10BC08FC53E10DB05221F020051F000040B28260C841C584

Function 0040DDBB Relevance: 1.3, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 0040DDC3

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: 0a614a96431d9d701f40230e0772b67ec7475a12848427324b9a6d407e3c9b36
Instruction ID: 5bb00a4b7ef97e9f22d5c03d32b859c0f98b2e4320e2e689d4767ab94f51e1d5
Opcode Fuzzy Hash: 0a614a96431d9d701f40230e0772b67ec7475a12848427324b9a6d407e3c9b36
Instruction Fuzzy Hash: BBC0807C61C0018BC708D731EC2643732569F8B34D724443ED40785357DB7465114A4D

Non-executed Functions

Function 00412750 Relevance: 266.3, APIs: 2, Strings: 149, Instructions: 2041COMMON

Download Yara Rule

Strings

^, xrefs: 00414734
), xrefs: 00414011
", xrefs: 00414059
-, xrefs: 00413FF1
Y, xrefs: 0041281E
j, xrefs: 00412F58
^, xrefs: 00414471
r, xrefs: 00413D9A
g, xrefs: 00413D02
U, xrefs: 00413C72
\, xrefs: 00414481
^, xrefs: 0041399F
], xrefs: 004141F7
, xrefs: 00413C6A
y, xrefs: 004134E9
y, xrefs: 00413D52
o, xrefs: 00413CC2
%, xrefs: 00414031
R, xrefs: 00413D8A
J, xrefs: 00413CDA
j, xrefs: 00413413
;, xrefs: 00413967
^, xrefs: 0041435F
%, xrefs: 00413957
\, xrefs: 004141FF
~, xrefs: 00413433
], xrefs: 0041360C
^, xrefs: 0041463B
8, xrefs: 00413937
~, xrefs: 00412D99
^, xrefs: 004141EF
i, xrefs: 00413744
5, xrefs: 00413FB1
3, xrefs: 00413FE1
2, xrefs: 00412B1F
', xrefs: 00414041
\, xrefs: 0041473E
], xrefs: 00414367
w, xrefs: 00413D82
f, xrefs: 004127B6
?, xrefs: 00413076
h, xrefs: 00412F68
G, xrefs: 00413C02
], xrefs: 00414643
+, xrefs: 00414021
;, xrefs: 00413FA1
_, xrefs: 00413C42
L, xrefs: 00412A71
q, xrefs: 00413D92
d, xrefs: 004134B9
/, xrefs: 00413B87
L, xrefs: 0041392F
., xrefs: 00413C5A
A, xrefs: 00413C12
], xrefs: 00413C32
<, xrefs: 0041336C
6, xrefs: 00412BE4
^, xrefs: 00413604
=, xrefs: 00413C0A
!, xrefs: 00414051
*, xrefs: 00412A6C
A, xrefs: 00412F30
m, xrefs: 00413F89
E, xrefs: 00412CB1
O, xrefs: 00413D5A
m, xrefs: 00413CB2
<, xrefs: 004134C9
0, xrefs: 00413C1A
9, xrefs: 00413927
_, xrefs: 004141E7
n, xrefs: 00412F38
%, xrefs: 00413C4A
=, xrefs: 004134D9
E, xrefs: 00413BF2
_, xrefs: 00414357
e, xrefs: 00413C8A
:, xrefs: 00413BDA
W, xrefs: 00413C82
/, xrefs: 00413C9A
D, xrefs: 00414136
k, xrefs: 00413CE2
^, xrefs: 00412D94
X, xrefs: 0041398F
3, xrefs: 00413BEA
K, xrefs: 00413BE2
2, xrefs: 00413403
/, xrefs: 00414001
\, xrefs: 00413614
1, xrefs: 00413947
&, xrefs: 00413C3A
N, xrefs: 00413FE9
9, xrefs: 00413F91
\, xrefs: 0041464B
o, xrefs: 00413997
D, xrefs: 0041456B
H, xrefs: 00412F10
_, xrefs: 00414633
F, xrefs: 00412F20
], xrefs: 00414739
-, xrefs: 00413B7D
D, xrefs: 00414578
l, xrefs: 00412F48
S, xrefs: 00413CA2
_, xrefs: 0041472F
B, xrefs: 0041393F
{, xrefs: 00413D62
K, xrefs: 00414019
F, xrefs: 0041395F
., xrefs: 00413B82
\, xrefs: 0041436F
&, xrefs: 004129D4
/, xrefs: 00413C2A
|, xrefs: 00413423
Z, xrefs: 0041397F
=, xrefs: 00413F71
], xrefs: 00414479
`, xrefs: 00413588
1, xrefs: 00413FD1
k, xrefs: 00412F60
_, xrefs: 004139A7
<, xrefs: 00412DA3
;, xrefs: 00412F00
Y, xrefs: 00413C52
@, xrefs: 0041394F
c, xrefs: 00413D22
9, xrefs: 00413977
l, xrefs: 00413987
e, xrefs: 00413CF2
_, xrefs: 004135FC
d, xrefs: 00412EF0
i, xrefs: 00413CD2
D, xrefs: 0041396F
a, xrefs: 00413D12
#, xrefs: 00414061
V, xrefs: 00413D7A
7, xrefs: 00413FC1
u, xrefs: 00413D72
?, xrefs: 00413F81
S, xrefs: 00413FC9
\, xrefs: 004139AF
a, xrefs: 0041295D
X, xrefs: 00413D4A
C, xrefs: 00413C22
v, xrefs: 00413C7A
[, xrefs: 00413C62
Q, xrefs: 00413C92
_, xrefs: 00414469
}, xrefs: 00413D32
s, xrefs: 00413DA2

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $!$"$#$%$%$%$&$&$'$)$*$+$-$-$.$.$/$/$/$/$0$1$1$2$2$3$3$5$6$7$8$9$9$9$:$;$;$;$<$<$<$=$=$=$?$?$@$A$A$B$C$D$D$D$D$E$E$F$F$G$H$J$K$K$L$L$N$O$Q$R$S$S$U$V$W$X$X$Y$Y$Z$[$\$\$\$\$\$\$\$]$]$]$]$]$]$]$^$^$^$^$^$^$^$^$_$_$_$_$_$_$_$_$`$a$a$c$d$d$e$e$f$g$h$i$i$j$j$k$k$l$l$m$m$n$o$o$q$r$s$u$v$w$y$y${$|$}$~$~
API String ID: 0-1985396431
Opcode ID: 98cbdb0545f72a51b331544d030ea1b1ec5a9aed99cdb564fdd75018e8488b28
Instruction ID: ced8a44bc6aa0243e42fbcf990499a39a724809c8ad3eca77b48478e52cee706
Opcode Fuzzy Hash: 98cbdb0545f72a51b331544d030ea1b1ec5a9aed99cdb564fdd75018e8488b28
Instruction Fuzzy Hash: C113BF3150C7C08AD3259B3884443AFBFE1ABD6314F198A6EE4E9873C2D7B98985C757

Function 00422E6D Relevance: 50.5, APIs: 3, Strings: 25, Instructions: 1504COMMON

Download Yara Rule

Strings

CNF8, xrefs: 00422F3F
rp, xrefs: 00423FF3
wdnf, xrefs: 00422F07
_^]\, xrefs: 00422EA5
].n^, xrefs: 00422F57
eN, xrefs: 004241BA
V], xrefs: 004231FA
9#', xrefs: 00423040
R03!, xrefs: 00422F77
- $f, xrefs: 00423038
_^]\, xrefs: 00423695
~SS}, xrefs: 00422F37
+A#C=]=_, xrefs: 00423F9D
Q*RG, xrefs: 00422F5F
g}zh, xrefs: 00422F27
"7B, xrefs: 00423719
I, xrefs: 00423048
p7B, xrefs: 004238C0
Fm, xrefs: 004231F2
JOSP, xrefs: 00422F6F
8]pY, xrefs: 00422EFF
s, xrefs: 00422FCA
rurallyrishz.click, xrefs: 004233BD
=]=_, xrefs: 00423D0E
%", xrefs: 0042334A

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "7B$%"$+A#C=]=_$- $f$8]pY$9#'$=]=_$CNF8$Fm$I$JOSP$Q*RG$R03!$V]$].n^$_^]\$_^]\$eN$g}zh$p7B$rurallyrishz.click$s$wdnf$~SS}$rp
API String ID: 0-2517658032
Opcode ID: e7edffdd5fd14d72b39b69682efa331384b3f5ec70a2e9e708273cc4b8c2f64b
Instruction ID: c461727374bb2b2ad86d2c2bcda0cf258ef6ef710b96b519a2ac6f34890c1cf1
Opcode Fuzzy Hash: e7edffdd5fd14d72b39b69682efa331384b3f5ec70a2e9e708273cc4b8c2f64b
Instruction Fuzzy Hash: 4CB241B5A08311CFD714CF29D8816ABBBF2FF86310F19856DE4859B391D7389902CB96

Function 004242D0 Relevance: 44.9, APIs: 2, Strings: 23, Instructions: 1129COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004243AA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0042443E

Strings

@SB, xrefs: 0042476C
bFB, xrefs: 0042464E
=:, xrefs: 004257CE
=?, xrefs: 00425BF1
REB, xrefs: 00424542
uw, xrefs: 00425B57
Xs, xrefs: 00425CD8
+$e, xrefs: 004243FA, 0042442B
tj, xrefs: 004253BE
DD, xrefs: 00425CEE
e>n<, xrefs: 0042588E
ut, xrefs: 00425CE3
+$e, xrefs: 00424365, 0042437A
N~4|, xrefs: 0042593E
<j:h, xrefs: 00425975
n l, xrefs: 0042596A
13, xrefs: 00425BFC
gd, xrefs: 00425E60
y{, xrefs: 00425B36
r:i8, xrefs: 00425899
%r?p, xrefs: 0042595F
|r, xrefs: 004253A8
b`, xrefs: 004255F9

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$ n l$%r?p$<j:h$=:$@SB$DD$N~4|$REB$Xs$bFB$e>n<$gd$r:i8$ut$13$=?$b`$tj$uw$y{$|r
API String ID: 237503144-794437470
Opcode ID: 53563d1110c0ce498abd0b5aef1fc7c0657eeabe0711a9ee74b8898907b9bb54
Instruction ID: f8f647423d576e668265d6dfaec7d890755528bee7ad0d2edd54b2d027563c0e
Opcode Fuzzy Hash: 53563d1110c0ce498abd0b5aef1fc7c0657eeabe0711a9ee74b8898907b9bb54
Instruction Fuzzy Hash: 84C21CB560C3948AD334CF14D442BDFBAF2FB82300F00892DD5E96B255D7B5864A8B9B

Function 00424560 Relevance: 41.3, APIs: 1, Strings: 22, Instructions: 1081COMMON

Download Yara Rule

Strings

@SB, xrefs: 0042476C
bFB, xrefs: 0042464E
=:, xrefs: 004257CE
=?, xrefs: 00425BF1
REB, xrefs: 00424542
uw, xrefs: 00425B57
Xs, xrefs: 00425CD8
+$e, xrefs: 0042442B
tj, xrefs: 004253BE
DD, xrefs: 00425CEE
e>n<, xrefs: 0042588E
ut, xrefs: 00425CE3
N~4|, xrefs: 0042593E
<j:h, xrefs: 00425975
n l, xrefs: 0042596A
13, xrefs: 00425BFC
gd, xrefs: 00425E60
y{, xrefs: 00425B36
r:i8, xrefs: 00425899
%r?p, xrefs: 0042595F
|r, xrefs: 004253A8
b`, xrefs: 004255F9

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: +$e$ n l$%r?p$<j:h$=:$@SB$DD$N~4|$REB$Xs$bFB$e>n<$gd$r:i8$ut$13$=?$b`$tj$uw$y{$|r
API String ID: 0-2304545085
Opcode ID: 2339d61ac2d6831bd81fcffc1681590cf48379ce400e3ff232e92252cf3600e0
Instruction ID: 88356235315711f5f606bd25b3bf465edc7424c1315111ecbd88736605f36054
Opcode Fuzzy Hash: 2339d61ac2d6831bd81fcffc1681590cf48379ce400e3ff232e92252cf3600e0
Instruction Fuzzy Hash: 96C21DB560C3848AE334CF54D442BDFBAF2FB82304F00892DD5E96B255D7B5464A8B9B

Function 004246D0 Relevance: 41.3, APIs: 1, Strings: 22, Instructions: 1047COMMON

Download Yara Rule

Strings

@SB, xrefs: 0042476C
bFB, xrefs: 0042464E
=:, xrefs: 004257CE
=?, xrefs: 00425BF1
REB, xrefs: 00424542
uw, xrefs: 00425B57
Xs, xrefs: 00425CD8
+$e, xrefs: 0042442B
tj, xrefs: 004253BE
DD, xrefs: 00425CEE
e>n<, xrefs: 0042588E
ut, xrefs: 00425CE3
N~4|, xrefs: 0042593E
<j:h, xrefs: 00425975
n l, xrefs: 0042596A
13, xrefs: 00425BFC
gd, xrefs: 00425E60
y{, xrefs: 00425B36
r:i8, xrefs: 00425899
%r?p, xrefs: 0042595F
|r, xrefs: 004253A8
b`, xrefs: 004255F9

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: +$e$ n l$%r?p$<j:h$=:$@SB$DD$N~4|$REB$Xs$bFB$e>n<$gd$r:i8$ut$13$=?$b`$tj$uw$y{$|r
API String ID: 0-2304545085
Opcode ID: d81d3bace8c2fc9146d25b2b37c040d1757dd3db41ab20b44a635f653a107971
Instruction ID: 77509fc424411b4a0d486fde09f37fa936c77a4ff039e271314016283135d8f5
Opcode Fuzzy Hash: d81d3bace8c2fc9146d25b2b37c040d1757dd3db41ab20b44a635f653a107971
Instruction Fuzzy Hash: 80C20CB560C3948AD334CF14D452BDFBAF2FB82300F00892DC5E96B255DBB5464A8B9B

Function 00433E30 Relevance: 33.4, APIs: 6, Strings: 13, Instructions: 116clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00433E44
GetClipboardData.USER32 ref: 00433E5F
GlobalLock.KERNEL32 ref: 00433E78
GetWindowLongW.USER32 ref: 00433ED7
GlobalUnlock.KERNEL32 ref: 00433FA9
CloseClipboard.USER32 ref: 00433FB4

Strings

', xrefs: 00433EED
L, xrefs: 00433EFC
5, xrefs: 00433EF2
(, xrefs: 00433F1A
6, xrefs: 00433F10
*, xrefs: 00433F24
-, xrefs: 00433F1F
}, xrefs: 00433F15
I, xrefs: 00433F06
8, xrefs: 00433F01
=, xrefs: 00433EF7
;, xrefs: 00433F0B
q, xrefs: 00433EE8

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: '$($*$-$5$6$8$;$=$I$L$q$}
API String ID: 2832541153-2064290267
Opcode ID: e5da5b9a56329a51e64cc872523e0dfe2627c190021f4751e0eab4ab2fc29bc9
Instruction ID: e1340490ca777862a7890bfc042d0e04e3e37fcf4304b8f7f5516f793469ed24
Opcode Fuzzy Hash: e5da5b9a56329a51e64cc872523e0dfe2627c190021f4751e0eab4ab2fc29bc9
Instruction Fuzzy Hash: E0417FB150C3818ED301AF78958835EFEE0AB89319F04497EE4C987292D7BD8689C757

Function 00439280 Relevance: 32.2, APIs: 10, Strings: 8, Instructions: 653memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044368C,00000000,00000001,0044367C,00000000), ref: 004394CF
SysAllocString.OLEAUT32(00001F7A), ref: 00439550
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043958E
SysAllocString.OLEAUT32(8DFD93FD), ref: 00439625
SysAllocString.OLEAUT32(4A105420), ref: 00439706
VariantInit.OLEAUT32(?), ref: 00439774
VariantClear.OLEAUT32(?), ref: 004398BC
SysFreeString.OLEAUT32 ref: 004398DF
SysFreeString.OLEAUT32(?), ref: 004398E5
SysFreeString.OLEAUT32(00000000), ref: 004398F6

Strings

Jtuj, xrefs: 004392E5
t"j, xrefs: 0043966E
=hn, xrefs: 00439676
:;$%, xrefs: 004399C0
O^, xrefs: 004397A6
b{tu, xrefs: 004392D9, 0043939B
gd, xrefs: 0043968E
SB, xrefs: 0043979E

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: :;$%$=hn$Jtuj$O^$SB$b{tu$gd$t"j
API String ID: 2485776651-1335595022
Opcode ID: 00a35f702db370e6906b6da43e33e50153965612b3eb10163526a0eaa7d9f5d2
Instruction ID: 271c0a760e3fad5fe6ae1bc15f56e5fac369995b8e5486316f76b27bd5228644
Opcode Fuzzy Hash: 00a35f702db370e6906b6da43e33e50153965612b3eb10163526a0eaa7d9f5d2
Instruction Fuzzy Hash: F5223476A183019BD314CF28C880B5BBBE2EFC9314F18892DF99497391D779D945CB86

Function 00421D00 Relevance: 26.8, Strings: 21, Instructions: 506COMMON

Download Yara Rule

Strings

^, xrefs: 00422146
_, xrefs: 00421DA4
^, xrefs: 00421DA9
], xrefs: 004223BD
!@, xrefs: 00421D36
g, xrefs: 004220CC
,, xrefs: 004221D9
s, xrefs: 00422284
d, xrefs: 004220D6
Z, xrefs: 004220DB
], xrefs: 00421DAE
8, xrefs: 00421F07
_, xrefs: 00422141
\, xrefs: 004223C2
_, xrefs: 004223B3
\, xrefs: 00421DB3
^, xrefs: 004223B8
], xrefs: 0042214B
\, xrefs: 00422150
9, xrefs: 00421F0C
?, xrefs: 00421F02

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: !@$,$8$9$?$Z$\$\$\$]$]$]$^$^$^$_$_$_$d$g$s
API String ID: 0-1565257739
Opcode ID: 3068983d1f1a1fabe0252ccbd4567ff74207e1b532c8074f481bfb1c104ca911
Instruction ID: db4fe44d7fda57002c913c76584d924a9abda88581ad91b5d9c2c3cade1dd483
Opcode Fuzzy Hash: 3068983d1f1a1fabe0252ccbd4567ff74207e1b532c8074f481bfb1c104ca911
Instruction Fuzzy Hash: 8C22CD7160C7A08FD324CF28D58036FBBE1AB96314F54496EE4D587392D3BA8845CB4B

Function 004157C0 Relevance: 21.7, Strings: 16, Instructions: 1713COMMON

Download Yara Rule

Strings

~mfQ, xrefs: 0041613E
uqrs, xrefs: 00416AF0
{zdy, xrefs: 0041611D
ntxE, xrefs: 00416112
WQ, xrefs: 004159E3
t~v:, xrefs: 004161E7
qRb`, xrefs: 00416133
pt}w, xrefs: 004161F2
L4, xrefs: 00416780
w}MI, xrefs: 00416128
*,-", xrefs: 004166EF
_^]\, xrefs: 00415B14
S\], xrefs: 004159EE
L4, xrefs: 00416BA0
`A, xrefs: 004160DF
3F&D, xrefs: 00416273

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: *,-"$3F&D$_^]\$ntxE$pt}w$qRb`$t~v:$uqrs$w}MI${zdy$~mfQ$S\]$WQ$`A$L4$L4
API String ID: 0-2687763561
Opcode ID: 2ca3d70f4f2d6bf23f25f8cefe4c32b226aa5edcbc90fa099cc46ac628274e94
Instruction ID: 9f5ea6b08c49057db174a630c2ad9a5754b08da33700a0e563b445691e8359cf
Opcode Fuzzy Hash: 2ca3d70f4f2d6bf23f25f8cefe4c32b226aa5edcbc90fa099cc46ac628274e94
Instruction Fuzzy Hash: 8FC213B5A083408FD7248F24D8817ABB7E2EF96314F1A893DE4D987391D7389841CB4B

Function 0040B100 Relevance: 19.2, Strings: 15, Instructions: 425COMMON

Download Yara Rule

Strings

9]_, xrefs: 0040B28F
.AtC, xrefs: 0040B249
S%U', xrefs: 0040B203
k=W?, xrefs: 0040B23F
Ym]o, xrefs: 0040B2B7
zMzO, xrefs: 0040B267
Gu@w, xrefs: 0040B2CB
b6j4, xrefs: 0040B57D
Gq\s, xrefs: 0040B2C1
yQrS, xrefs: 0040B271
D!M#, xrefs: 0040B1F9
pE}G, xrefs: 0040B253
XyR{, xrefs: 0040B2D5
(Y6[, xrefs: 0040B285
hI2K, xrefs: 0040B25D

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: (Y6[$.AtC$9]_$D!M#$Gq\s$Gu@w$S%U'$XyR{$Ym]o$b6j4$hI2K$k=W?$pE}G$yQrS$zMzO
API String ID: 0-620192811
Opcode ID: 36e256a52d37c926a06e6b4e0bc5f3c1ffda8def055ebc20053dbd3df54a3be5
Instruction ID: ae4c3297f827bc084c7e7dce241a0c520805e5e2d7181d1986d1a2a97cb2d25d
Opcode Fuzzy Hash: 36e256a52d37c926a06e6b4e0bc5f3c1ffda8def055ebc20053dbd3df54a3be5
Instruction Fuzzy Hash: 7E0286B4200B01DFD724CF25D891BA7BBF1FB49314F008A2DD4AA8BAA1D774A415CF95

Function 004239B9 Relevance: 18.3, APIs: 3, Strings: 7, Instructions: 821COMMON

Download Yara Rule

Strings

p7B, xrefs: 004238C0
+A#C=]=_, xrefs: 00423F9D
_^]\, xrefs: 00423865
":B, xrefs: 00423A0E
eN, xrefs: 004241BA
=]=_, xrefs: 00423D0E
rp, xrefs: 00423FF3

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ":B$+A#C=]=_$=]=_$_^]\$eN$p7B$rp
API String ID: 0-2092896893
Opcode ID: ed0750c71e1987e5a6d7bbb2feff7f6cba7481729a1a1e0e14759066178fedbc
Instruction ID: 182eaf4e6841349a8ef13573fe29d1f0c1c004a6e50f6283d231cbe69a191b93
Opcode Fuzzy Hash: ed0750c71e1987e5a6d7bbb2feff7f6cba7481729a1a1e0e14759066178fedbc
Instruction Fuzzy Hash: 594267B5B04211CFD714CF28D8816AABBB2FF8A311F1A81BDD4459B395D738D942CB85

Function 00411D2B Relevance: 18.0, APIs: 1, Strings: 9, Instructions: 479COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 00411EC3

Strings

y, xrefs: 00411EF2
?, xrefs: 00411EE2
[, xrefs: 004121EB
^, xrefs: 00412034
a, xrefs: 004121E6
p, xrefs: 00412095
8, xrefs: 00411EEA
L, xrefs: 00411D8F
|, xrefs: 00412267

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 8$?$L$[$^$a$p$y$|
API String ID: 237503144-3949209405
Opcode ID: 4a8879f59250b1b40dd97a34ff5c93777886415510556bea7e1a63f8662ddf82
Instruction ID: f3e99263922766072051b57ffb7fb6feee41006b6636dbb619e47a4599fab130
Opcode Fuzzy Hash: 4a8879f59250b1b40dd97a34ff5c93777886415510556bea7e1a63f8662ddf82
Instruction Fuzzy Hash: 3512A17160C7808BC324DB38C5913EFBBE1AF85314F184A2EE9D9D7392D67898858B47

Function 004160E9 Relevance: 17.1, Strings: 13, Instructions: 807COMMON

Download Yara Rule

Strings

~mfQ, xrefs: 0041613E
uqrs, xrefs: 00416AF0
{zdy, xrefs: 0041611D
ntxE, xrefs: 00416112
t~v:, xrefs: 004161E7
qRb`, xrefs: 00416133
pt}w, xrefs: 004161F2
L4, xrefs: 00416780
w}MI, xrefs: 00416128
*,-", xrefs: 004166EF
JyTK, xrefs: 00416160
L4, xrefs: 00416BA0
3F&D, xrefs: 00416273

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: *,-"$3F&D$JyTK$ntxE$pt}w$qRb`$t~v:$uqrs$w}MI${zdy$~mfQ$L4$L4
API String ID: 0-2746398225
Opcode ID: b36a6903382abf1d3311f1f8c5a02bff5d11fbfb89a15cb0a11960afe5fa8b29
Instruction ID: f24c467e602d7e53293ab8f734e151b1dc9010e88174107412a0d51f1799aca9
Opcode Fuzzy Hash: b36a6903382abf1d3311f1f8c5a02bff5d11fbfb89a15cb0a11960afe5fa8b29
Instruction Fuzzy Hash: 1B4214B66083518FC7248F28D8817ABB7E2BB96304F1A893DD8D987355DB389845CB47

Function 0040F60D Relevance: 16.6, APIs: 1, Strings: 8, Instructions: 845COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(?), ref: 0040FDFC

Strings

=, xrefs: 0040F978
m, xrefs: 0040F8F4
#, xrefs: 0040F721
w, xrefs: 0040FAAD
x, xrefs: 0040FBD4
\, xrefs: 0040FB0F
6, xrefs: 0040F620
g, xrefs: 0040F9EA

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: #$6$=$\$g$m$w$x
API String ID: 237503144-139252074
Opcode ID: 445002e21fadfdddb5e3881cb967d1e136511430be7eaba56bb41a49871d47fe
Instruction ID: a1357dc3d9c13fdf07281b97dfdf33e392dfe4b382b2559b3e1eba5c1dc383c8
Opcode Fuzzy Hash: 445002e21fadfdddb5e3881cb967d1e136511430be7eaba56bb41a49871d47fe
Instruction Fuzzy Hash: 8572B33261C7908BD324DA38C85539FBAD2ABD5324F198B3EE8E9D33D1D67889418747

Function 00427740 Relevance: 16.6, Strings: 13, Instructions: 338COMMON

Download Yara Rule

Strings

}9F;, xrefs: 00427F62
Z)o+, xrefs: 00427F8E
f!V#, xrefs: 00427F78
P-X/, xrefs: 00427F99
$Y)[, xrefs: 00427FBA
O=q?, xrefs: 00427F6D
r, xrefs: 0042831A
DE, xrefs: 00427FDB
}5x7, xrefs: 00427F57
1Q>S, xrefs: 00427FA4
S%g', xrefs: 00427F83
!A/C, xrefs: 00427FD0
s1z3, xrefs: 00427F4C

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: !A/C$$Y)[$1Q>S$DE$O=q?$P-X/$S%g'$Z)o+$f!V#$r$s1z3$}5x7$}9F;
API String ID: 0-3413813421
Opcode ID: 458a8bf2b899d5374d71cf77dcf3c349152665624c54811c7463cc9c4c7509d7
Instruction ID: 5d18dcd57d5afae5d2d04a22ff7efa295b4e1cb49f3d19f2d9ec184adb64bcbb
Opcode Fuzzy Hash: 458a8bf2b899d5374d71cf77dcf3c349152665624c54811c7463cc9c4c7509d7
Instruction Fuzzy Hash: FBC1DFB460C3418FE724DF25D85176BBBF1EF81304F05496DE5998B3A2D7388906CB9A

Function 00411227 Relevance: 16.5, APIs: 1, Strings: 8, Instructions: 750COMMON

Download Yara Rule

Strings

L, xrefs: 00411846
`, xrefs: 004113A4
[, xrefs: 00411555
), xrefs: 00411A4D
F, xrefs: 0041184E
+, xrefs: 004117CB
>, xrefs: 004116FF
@, xrefs: 004117D0

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )$+$>$@$F$L$[$`
API String ID: 0-4163809010
Opcode ID: 044f42da5d756521c1d2f2a39874e1519ebd206fa650f033b5c434c037831c99
Instruction ID: 2c21a52bb848bfcd7622a7916f474c4d624f7ec9d4be2f62fa6d6f295705de25
Opcode Fuzzy Hash: 044f42da5d756521c1d2f2a39874e1519ebd206fa650f033b5c434c037831c99
Instruction Fuzzy Hash: 8052A07260C7808BD3249B38C5943EFBBE1ABD5324F198A2EE5D9D73D1D63889418B47

Function 0041C8A0 Relevance: 15.6, Strings: 12, Instructions: 585COMMON

Download Yara Rule

Strings

MO, xrefs: 0041CD10
AC, xrefs: 0041CCF8
pv, xrefs: 0041CB36
wt, xrefs: 0041CB3E
"nl, xrefs: 0041CC10
uvw, xrefs: 0041CA0A
a`|v, xrefs: 0041C8A1
\701, xrefs: 0041CF55
4UW, xrefs: 0041CCE0
*", xrefs: 0041CE7A
#M%O, xrefs: 0041C9FA
\701, xrefs: 0041CF0C, 0041CF03

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "nl$#M%O$*"$4UW$\701$\701$a`|v$wt$AC$MO$pv$uvw
API String ID: 0-635595044
Opcode ID: 667693208df0268b9ec092dcfe9b45baca584c7d5a41cd89dd0410bc245c86b8
Instruction ID: cacfe30d0b9b21159c86ccf72fc2d8f2746876e9854ab90a0990479cac9f29fc
Opcode Fuzzy Hash: 667693208df0268b9ec092dcfe9b45baca584c7d5a41cd89dd0410bc245c86b8
Instruction Fuzzy Hash: 8902F3B594C3008BC7049F29D8916ABBBF1EFD2314F15892DF4C59B351E238DA49C79A

Function 00438EA0 Relevance: 15.3, Strings: 12, Instructions: 287COMMON

Download Yara Rule

Strings

], xrefs: 0043905E
_, xrefs: 00439054
^, xrefs: 00439191
\, xrefs: 0043919B
^, xrefs: 00438F41
\, xrefs: 00438F4B
\, xrefs: 00439063
^, xrefs: 00439059
], xrefs: 00438F46
_, xrefs: 00438F3C
], xrefs: 00439196
_, xrefs: 0043918C

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: \$\$\$]$]$]$^$^$^$_$_$_
API String ID: 0-1108506012
Opcode ID: dee77f85eafafd8285531f7185f1cb6dfcdb87b50f456c5ab410846e0d476b9f
Instruction ID: 6d16451c1d6517a7850bb2f7919ecef7538f6145022e8f2c7fa2380d8578bc65
Opcode Fuzzy Hash: dee77f85eafafd8285531f7185f1cb6dfcdb87b50f456c5ab410846e0d476b9f
Instruction Fuzzy Hash: 1CB1F87264D7808BE3148A28CC8436BBBD257CA314F1D4B6EE5E9473C2C6BDC845874B

Function 00419AD0 Relevance: 13.9, APIs: 2, Strings: 5, Instructions: 1641COMMON

Download Yara Rule

APIs

Part of subcall function 0043E110: LdrInitializeThunk.NTDLL(0044148A,?,00000018,?,?,00000018,?,?,?), ref: 0043E13E

FreeLibrary.KERNEL32(?), ref: 0041A21A
FreeLibrary.KERNEL32(?), ref: 0041A2AB

Strings

_^]\, xrefs: 0041A0E5
_^]\, xrefs: 0041AAAE
#v, xrefs: 0041A21A, 0041A2AB
_^]\, xrefs: 00419B05
VX, xrefs: 00419F94

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: VX$_^]\$_^]\$_^]\$#v
API String ID: 764372645-1888206996
Opcode ID: 7b4e982e0e33c19eb5b8ef386f69021f065be736a1a31b70f99e38736f096eb6
Instruction ID: 3092da7f8588215271bcea726d908b0be7fe5f6f11a5a714137d58635e7ab542
Opcode Fuzzy Hash: 7b4e982e0e33c19eb5b8ef386f69021f065be736a1a31b70f99e38736f096eb6
Instruction Fuzzy Hash: B6A278B660A3005BD718CB24CC917ABBBD3EBD1314F1D892EE5D587392D639DC82874A

Function 0041EB80 Relevance: 12.1, Strings: 9, Instructions: 812COMMON

Download Yara Rule

Strings

hch&, xrefs: 0041EEA8
t|f, xrefs: 0041EE88
uvqs, xrefs: 0041EEC0
, xrefs: 0041F25F, 0041F26A, 0041F29C
O}nl, xrefs: 0041EED8
CPm5, xrefs: 0041EEE0
AL, xrefs: 0041EF3D
f>mI, xrefs: 0041EED0
Yxqs, xrefs: 0041EEC8

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: AL$CPm5$O}nl$Yxqs$f>mI$hch&$t|f$uvqs$
API String ID: 0-1556426300
Opcode ID: 735fdd800c882bc2084322a437c9c924766bb235598593207dd1441ed3ed4d6f
Instruction ID: 72dbec98d39b44e021400b4b3f7dd457a245ac0fe219d5a174d4001ed2214f73
Opcode Fuzzy Hash: 735fdd800c882bc2084322a437c9c924766bb235598593207dd1441ed3ed4d6f
Instruction Fuzzy Hash: 0252467050C3918FC721CF25C8406AFBBE1AF95314F144A7EE8E45B392D739994ACB9A

Function 0042B980 Relevance: 10.3, Strings: 8, Instructions: 329COMMON

Download Yara Rule

Strings

UXWZ, xrefs: 0042BC26
" , xrefs: 0042BC08
220, xrefs: 0042BBE0
nV[k, xrefs: 0042BC30
47:, xrefs: 0042BBD6
pMC@, xrefs: 0042BC3A
:/', xrefs: 0042BBFE
AZDH, xrefs: 0042BC44

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 47:$ " $220$AZDH$UXWZ$nV[k$pMC@$:/'
API String ID: 0-3711047884
Opcode ID: a4c9283d45bc98dcba5f61ed0453037d099fbeaad371f82cb7e9938c9b68f646
Instruction ID: 65e572282dc53975798f39d0df5fbe4ea82dc72bdd677536ff169635eb849b4a
Opcode Fuzzy Hash: a4c9283d45bc98dcba5f61ed0453037d099fbeaad371f82cb7e9938c9b68f646
Instruction Fuzzy Hash: 46C169B4904B819FD320AF3A95467A3BFF0EB06300F444A5ED4EA4B795E735601ACBD6

Function 004388B0 Relevance: 10.3, Strings: 8, Instructions: 281COMMON

Download Yara Rule

Strings

q, xrefs: 00438A23
Z, xrefs: 004388CB
X, xrefs: 0043892A
Y, xrefs: 004388C7
}, xrefs: 00438A27
Y, xrefs: 0043892E
X, xrefs: 004388C3
Z, xrefs: 00438932

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: X$X$Y$Y$Z$Z$q$}
API String ID: 0-540668698
Opcode ID: 92023e53b11931f45d32f5ecdcf6ed19e405229557f51b4b8869f4eaeec5f576
Instruction ID: 44e251e1d42a43443c47623141fe0b33dcbcf36c918ea48704f4e4504905c0cf
Opcode Fuzzy Hash: 92023e53b11931f45d32f5ecdcf6ed19e405229557f51b4b8869f4eaeec5f576
Instruction Fuzzy Hash: 9FA12B23E087D94ADB1189FC8C542EEEFA25BAB220F1D476AD4F1E73C2D56C49078365

Function 0041747D Relevance: 10.0, APIs: 4, Strings: 1, Instructions: 1238COMMON

Download Yara Rule

Strings

_^]\, xrefs: 004175C5

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: b96ce21cf214a16ae07447a79efeb4cc0916feeea9f87c928e3a685268b8bebc
Instruction ID: 53d5d62a5b06f007e29734ec6a967500c823bb8f017ec32fffb38b320ea18f22
Opcode Fuzzy Hash: b96ce21cf214a16ae07447a79efeb4cc0916feeea9f87c928e3a685268b8bebc
Instruction Fuzzy Hash: CC8234715083518BC724CF28C8917ABB7F1EFCA324F198A6DE8D5973A5E7388845C746

Function 00418B1B Relevance: 9.7, Strings: 7, Instructions: 994COMMON

Download Yara Rule

Strings

BVLm, xrefs: 0041902A
_^]\, xrefs: 00419115
_^]\, xrefs: 00418F25
_^]\, xrefs: 00419425
_^]\, xrefs: 00418DE5
_^]\, xrefs: 00418B44
/, xrefs: 004192BA

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: /$BVLm$_^]\$_^]\$_^]\$_^]\$_^]\
API String ID: 2994545307-2892575238
Opcode ID: 6e5268ea999838320bcd053c9cc8e9dfea5d0472b35df6685e8a938bf7b93b82
Instruction ID: 8a47e0abde06d641331a8f2ba33a8f9f198beecf63cce3fe2238518d353f80c2
Opcode Fuzzy Hash: 6e5268ea999838320bcd053c9cc8e9dfea5d0472b35df6685e8a938bf7b93b82
Instruction Fuzzy Hash: F5325AB56083408BD718CB348CA17BBB7D2FBD6314F19593DD0D6872A2DB398D428B5A

Function 00409310 Relevance: 9.2, Strings: 7, Instructions: 431COMMON

Download Yara Rule

Strings

,6.2, xrefs: 00409446
FM, xrefs: 00409370
cbrn, xrefs: 004093EE
WAg., xrefs: 0040943E
A, xrefs: 00409698
;"I, xrefs: 0040944E
PTvu, xrefs: 004096F3

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ;"I$,6.2$A$FM$PTvu$WAg.$cbrn
API String ID: 0-3116088196
Opcode ID: c9e207116f0d0e1d3c010b878aae285ff6d7d53aed98aae9b503113e93668ba5
Instruction ID: 030584e18240735509e656f0148e9cb3d91c12f90208a5de0f84838ae6c3dd54
Opcode Fuzzy Hash: c9e207116f0d0e1d3c010b878aae285ff6d7d53aed98aae9b503113e93668ba5
Instruction Fuzzy Hash: 80C1257260C3958BD322CF6994A075BFFD19FD6200F084AADE4D51B382D3798D0AC796

Function 00426D2E Relevance: 8.0, Strings: 6, Instructions: 482COMMON

Download Yara Rule

Strings

_^]\_^]\, xrefs: 00427064
PV, xrefs: 00426DB3
\R, xrefs: 00426DAC
X^, xrefs: 00426DA5
uYD\, xrefs: 00426E3D
rqB, xrefs: 0042715F

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: _^]\_^]\$rqB$uYD\$PV$X^$\R
API String ID: 0-1627709806
Opcode ID: 3df9218c4e884d0bc4ea657edaa843c97e8fa3da6c91276e4a67d9cf42d70f5f
Instruction ID: 5825545f21314853fe0769d62852bd8f916bf307171877822417e4e5256747d8
Opcode Fuzzy Hash: 3df9218c4e884d0bc4ea657edaa843c97e8fa3da6c91276e4a67d9cf42d70f5f
Instruction Fuzzy Hash: 42F1EEB5E04318CFDB14CFA9D8816AEBBB1FF49304F18446DD642AB351D779A902CB98

Function 0040AB40 Relevance: 8.0, Strings: 6, Instructions: 481COMMON

Download Yara Rule

Strings

Y2^0, xrefs: 0040AC7B
>, xrefs: 0040AB5E
]><, xrefs: 0040AC83
UMAG, xrefs: 0040AEF0
HYZF, xrefs: 0040B07E, 0040B075, 0040AE05
HYZF, xrefs: 0040AE40

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: >$HYZF$HYZF$UMAG$Y2^0$]><
API String ID: 0-2666672646
Opcode ID: 32375935e6ef412caa3837e9f6c66e3b8adf22c54bae03c550ad84a2513a055e
Instruction ID: 560480d45fa7c8791f5dd325a32e0fd9eca2933a49feb221361dc50e24506aec
Opcode Fuzzy Hash: 32375935e6ef412caa3837e9f6c66e3b8adf22c54bae03c550ad84a2513a055e
Instruction Fuzzy Hash: 38E12A7674C7504BD324CF6888512AFBBE2DFC1304F18893EE5E5AB385DA798905878A

Function 004281CC Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 593COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004284BD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004285B4

Strings

_^]\, xrefs: 00428A15
LF7Y, xrefs: 00428951

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: LF7Y$_^]\
API String ID: 237503144-3688711800
Opcode ID: 26de5ca542a2a6977b9e84e77be44b5ac01a7d5cb18c837ff72e8e2a41646e8e
Instruction ID: 00d2ad6f27f0b0783341daf9d6c4bd9e01a02a9b0560c8c7bc353a94b2bfb0e2
Opcode Fuzzy Hash: 26de5ca542a2a6977b9e84e77be44b5ac01a7d5cb18c837ff72e8e2a41646e8e
Instruction Fuzzy Hash: 90221375A08351CFD3248F28E88072FB7E1BF8A310F194A7DE995673A1D7349912CB5A

Function 004283D8 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 542COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004284BD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004285B4

Strings

_^]\, xrefs: 00428A15
LF7Y, xrefs: 00428951

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: LF7Y$_^]\
API String ID: 237503144-3688711800
Opcode ID: d13f070fd010028f18266c39e4bf0995e2ea579b86d440724d5feb7531688b93
Instruction ID: 9e148bf222026bc2ff09e9b78a5b6d6e6f400f6959469ba780e6b53d717f86de
Opcode Fuzzy Hash: d13f070fd010028f18266c39e4bf0995e2ea579b86d440724d5feb7531688b93
Instruction Fuzzy Hash: F812F175A08351CFD3248F28E88071FBBE1BF8A310F194A6DE995673A1D734D942CB5A

Function 0043CDF0 Relevance: 6.9, Strings: 5, Instructions: 697COMMON

Download Yara Rule

Strings

f, xrefs: 0043D081
_^]\, xrefs: 0043D006
fiP, xrefs: 0043D2CF
jiP, xrefs: 0043D301
_^]\, xrefs: 0043CE29

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: _^]\$_^]\$f$fiP$jiP
API String ID: 2994545307-2734853458
Opcode ID: 02867def88f330cc357aa33e98f5089401e16d469949ca3e2fbae4f2ba5b0f1e
Instruction ID: 745ca490046a6ac68c59f9825e457d0a566b3cc6b4523f93947a3945e487c19a
Opcode Fuzzy Hash: 02867def88f330cc357aa33e98f5089401e16d469949ca3e2fbae4f2ba5b0f1e
Instruction Fuzzy Hash: 972213B1A0C3029FD718CF29D89072FBBE2ABD9314F189A2DE4D597395D634DC418B4A

Function 004224E0 Relevance: 6.6, Strings: 5, Instructions: 304COMMON

Download Yara Rule

Strings

pCj], xrefs: 00422528
=K0E, xrefs: 00422544
.[TU, xrefs: 00422538
;GsA, xrefs: 00422520
"_,Y, xrefs: 00422530

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "_,Y$.[TU$;GsA$=K0E$pCj]
API String ID: 0-1171452581
Opcode ID: e3b293a5228f7cd8b14bdae7c9d7a79eee6c85cd2fe21641caa9749c910aa056
Instruction ID: 5f39ce5bd59565f93966477bc4b6ae811dd98e86c20f13f0a434068e22de0a00
Opcode Fuzzy Hash: e3b293a5228f7cd8b14bdae7c9d7a79eee6c85cd2fe21641caa9749c910aa056
Instruction Fuzzy Hash: CC9112B1A08310ABC710DF24D891B67B3B0EFC5718F14852DE8898B391E7B8E906C75A

Function 00418169 Relevance: 6.5, Strings: 5, Instructions: 299COMMON

Download Yara Rule

Strings

SP, xrefs: 00418396
7, xrefs: 00418419
2h?n, xrefs: 004183A0
gfff, xrefs: 00418458
^`/4, xrefs: 004181E1

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 2h?n$7$SP$^`/4$gfff
API String ID: 0-3257051659
Opcode ID: e0427b1a9b77ff7e65e449d5ce122ac57cd39ae6c2270757774d7d10ffd74788
Instruction ID: 27920faaac780ccf3f5efe4f99c0b1a63c78e90bde3d2871b705a1280bebe65e
Opcode Fuzzy Hash: e0427b1a9b77ff7e65e449d5ce122ac57cd39ae6c2270757774d7d10ffd74788
Instruction Fuzzy Hash: 59A14876A143504BD314CF28C8517AFB7E2FBC5318F198A3EE895D7391EA3889428786

Function 00421340 Relevance: 5.5, Strings: 4, Instructions: 493COMMON

Download Yara Rule

Strings

eb, xrefs: 004216F6
{s, xrefs: 00421520
sp, xrefs: 00421528
9deZ, xrefs: 00421818

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 9deZ$eb$sp${s
API String ID: 0-3993331145
Opcode ID: 97f6dc2e96f5542af754cd671644341b5bbff5812463ffaff74c0c67d6ae7dc8
Instruction ID: f412023b930b77d36aaa4a43ee1b5a56c448ce0ea34fb1d0ef58f09a7e0ea514
Opcode Fuzzy Hash: 97f6dc2e96f5542af754cd671644341b5bbff5812463ffaff74c0c67d6ae7dc8
Instruction Fuzzy Hash: 34D138B16183148BC724DF24D89166BB7F2FFE1354F48CA2DE4968B3A0E7789904C746

Function 004291AE Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?), ref: 004291DA

Strings

+Ku, xrefs: 004292AF
wpq, xrefs: 004292B7

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +Ku$wpq
API String ID: 237503144-1953850642
Opcode ID: dd00e6cff4bb86df55339bea6a97020402cd2a79317d379f18720dc196f8341f
Instruction ID: 7bb714cd0adbe8f34d65affdf2b55708b4274e5c8486b9e210027d19f02d6b7d
Opcode Fuzzy Hash: dd00e6cff4bb86df55339bea6a97020402cd2a79317d379f18720dc196f8341f
Instruction Fuzzy Hash: 6F51CE7220C3528FC324CF29984076FB7E2EBC5310F55892EE5D9CB285DB34D50A8B96

Function 00437DA9 Relevance: 5.4, Strings: 4, Instructions: 421COMMON

Download Yara Rule

Strings

_, xrefs: 00438242
], xrefs: 0043824A
^, xrefs: 00438246
\, xrefs: 0043824E

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: \$]$^$_
API String ID: 0-1726580471
Opcode ID: 068281520505a5c8e76487aa9793abf0ab24853e0396dd97eec9f8abe3b04abf
Instruction ID: 75544cc565fed9cb88ccd0f39017a3e98bce34d02de20e3526bf602741f1a3e9
Opcode Fuzzy Hash: 068281520505a5c8e76487aa9793abf0ab24853e0396dd97eec9f8abe3b04abf
Instruction Fuzzy Hash: DE228C215087D1CED326CB3C8888B497F911B67324F0E82D9D4E95F3F3C6A9894AC766

Function 004348C2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00434910
GetSystemMetrics.USER32 ref: 0043491F

Strings

, xrefs: 004349F3

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: e2dbdaae214771375078ea694cbe3190168a6d9690373aa5dbc97004a2b0131a
Instruction ID: fc399c5893f09ab22ce38e0ca23dce90b2d9510c132352c7ff6b67ebebce5796
Opcode Fuzzy Hash: e2dbdaae214771375078ea694cbe3190168a6d9690373aa5dbc97004a2b0131a
Instruction Fuzzy Hash: 725160B4E142089FCB40EFACD98569DBBF0AB48710F11852EE898E7350D734A944CF96

Function 004290D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00429170

Strings

M/(, xrefs: 0042913D
M/(, xrefs: 0042919E

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: M/($M/(
API String ID: 237503144-1710806632
Opcode ID: ff58c78b0b27bbba40667f193cd225ec620092edf491b3be0aa44738014710da
Instruction ID: a6fe4633539d009e024b46cdafe5f934a4e6010abeff1ae95be2d2e31fad33eb
Opcode Fuzzy Hash: ff58c78b0b27bbba40667f193cd225ec620092edf491b3be0aa44738014710da
Instruction Fuzzy Hash: 9E21017165C3615BE714CE34A88579BB7AAEBC2700F01892CA0D1AB2C5D679880B8756

Function 0042C9EB Relevance: 5.2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

Strings

EXCm, xrefs: 0042C9FE
_^]\, xrefs: 0042C96F
EXCm, xrefs: 0042C8F5
_^]\, xrefs: 0042CA6F

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: EXCm$EXCm$_^]\$_^]\
API String ID: 0-1657758763
Opcode ID: 64e7e2a6776dd06035cbbe55cf03ca37bfa578565a0bcd6c2f5ad12ca9290cbc
Instruction ID: a4e339109728a5fb2646e179492e18e09a2e3c8e1f4800d7862929aa98c2f7f9
Opcode Fuzzy Hash: 64e7e2a6776dd06035cbbe55cf03ca37bfa578565a0bcd6c2f5ad12ca9290cbc
Instruction Fuzzy Hash: B45112B02046A28BD725CF3980A077BBBD2AF57300F6DC5ADC4D78B752D634A885CB94

Function 0042A5B6 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

i, xrefs: 0042A527
VN, xrefs: 0042A520
i, xrefs: 0042A5CD
VN, xrefs: 0042A5C6

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: VN$VN$i$i
API String ID: 0-1885346908
Opcode ID: f2560a5eb87e48c54c403f4c235dd9b7370a68364d9f3f272869781b585ee5e7
Instruction ID: 20de38ffdec1ef662448aae0f94b74d237ba66483fbda11b24aa8be7d4a8abcc
Opcode Fuzzy Hash: f2560a5eb87e48c54c403f4c235dd9b7370a68364d9f3f272869781b585ee5e7
Instruction Fuzzy Hash: B721F6212083918BD3058E6590402A7BBE3AFC6318F684A5FD8F15B395E63BC94A875B

Function 00414CA0 Relevance: 4.8, Strings: 3, Instructions: 1046COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00415715
7UA, xrefs: 00415528
D]+\, xrefs: 00415380

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 7UA$D]+\$_^]\
API String ID: 0-3619184598
Opcode ID: 2e0cd4d93215bffa60c50a2cc29c154bb915ce2da521f1faa8d3ae08ee25634b
Instruction ID: 9cee455d72e7dd9915cda87ad3665199875abe0b71a1f7719e3c07a7155446ef
Opcode Fuzzy Hash: 2e0cd4d93215bffa60c50a2cc29c154bb915ce2da521f1faa8d3ae08ee25634b
Instruction Fuzzy Hash: E4524474608300DBE704DF28EC527BBB3A1FB86314F19493DE586973A1E7399981CB5A

Function 00439D30 Relevance: 4.3, Strings: 3, Instructions: 528COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00439D60
_^]\, xrefs: 00439F20
_^]\, xrefs: 0043A261, 00439F06

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: _^]\$_^]\$_^]\
API String ID: 0-3175222818
Opcode ID: e6731a566dc2b886aa95c2d60d7bb4f031c949f538159a3f2987683a6fbfa65d
Instruction ID: defabe940294792856ce7260436e610636c405c822bfbbc78cfe9182011a65e5
Opcode Fuzzy Hash: e6731a566dc2b886aa95c2d60d7bb4f031c949f538159a3f2987683a6fbfa65d
Instruction Fuzzy Hash: 6ED16776A483104BD714CF25CC8162BBB92EBC9714F1A9A3EE9E953391D774DC02C78A

Function 0042A0CA Relevance: 4.1, Strings: 3, Instructions: 336COMMON

Download Yara Rule

Strings

_^]\, xrefs: 0042A49C, 0042A188
<\hX, xrefs: 0042A236
.txt, xrefs: 0042A371

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: .txt$<\hX$_^]\
API String ID: 0-3117400391
Opcode ID: 48097b576fbdebbef17ec6d016b202c865e28d50fdd48820a57a2f1043a08bf0
Instruction ID: 8360b796762b9efa6bc41ed42f48af7333c13c9bf92b36dd2fc71876421fab67
Opcode Fuzzy Hash: 48097b576fbdebbef17ec6d016b202c865e28d50fdd48820a57a2f1043a08bf0
Instruction Fuzzy Hash: 08C1237460C341DFD704DF28E88162BBBE2AF86314F488A7DF895432A2D739D9568B17

Function 0040D4F3 Relevance: 4.0, Strings: 3, Instructions: 295COMMON

Download Yara Rule

Strings

Fm, xrefs: 0040D6DD
rurallyrishz.click, xrefs: 0040D819
V], xrefs: 0040D6E4

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: Fm$V]$rurallyrishz.click
API String ID: 0-49901464
Opcode ID: 0ae453aec9c72886fbbee616b84707b366276653fbf3727c7b42b4839df49488
Instruction ID: 8fbc5bdc4bdb1c4bfda45ec6562ed29f4b2833b3b04abb9a6a71dcbd204dcdff
Opcode Fuzzy Hash: 0ae453aec9c72886fbbee616b84707b366276653fbf3727c7b42b4839df49488
Instruction Fuzzy Hash: 299114B52557408FD325CF29C880652BFA2EFD631872D86ADC0954F766C33AE80BCB54

Function 0040D83C Relevance: 4.0, Strings: 3, Instructions: 278COMMON

Download Yara Rule

Strings

Fm, xrefs: 0040DA1E
V], xrefs: 0040DA25
rurallyrishz.click, xrefs: 0040DB46

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: Fm$V]$rurallyrishz.click
API String ID: 0-49901464
Opcode ID: 79e4275427c97aeb8b67a6f9def161cb81770d367aef702d9929433cebcb8ca5
Instruction ID: fae0fd455f2dc9594d554e2592982b17243c3c85d84b0ea3df2bc8f1ba9fb341
Opcode Fuzzy Hash: 79e4275427c97aeb8b67a6f9def161cb81770d367aef702d9929433cebcb8ca5
Instruction Fuzzy Hash: A28132B65487408FD725CF29C4C0652BFA2FF9630071985ADC8D65F3AAC339E80ACB94

Function 0042D17D Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(1A11171A), ref: 0042D2A4

Strings

#v, xrefs: 0042D2A4

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FreeLibrary
String ID: #v
API String ID: 3664257935-554117064
Opcode ID: 78db4c3670b02004b5ce09dd30d6be68ef6f26a73c645ae10e47e490a35e64f0
Instruction ID: 8c0201977aaad96103e3db66e91fe0e05dd0d7e7661fbda8aa4fd031d2e77fc5
Opcode Fuzzy Hash: 78db4c3670b02004b5ce09dd30d6be68ef6f26a73c645ae10e47e490a35e64f0
Instruction Fuzzy Hash: 1B41F3706043828BE3158F34D9A0B63BFE0EF57318F28869DE5D64B393D63998068769

Function 0041D003 Relevance: 3.4, Strings: 2, Instructions: 883COMMON

Download Yara Rule

Strings

bh, xrefs: 0041D4D6
[V, xrefs: 0041D4DD

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: [V$bh
API String ID: 0-2174178241
Opcode ID: 9a337899af21f3c9a5d71be9b72ff0d359dbad53d65be419db5bbfc1023c5173
Instruction ID: a467afd2ba1cfd42098a5b254582c1ff8b1369fb59904e36b9569880b8d35242
Opcode Fuzzy Hash: 9a337899af21f3c9a5d71be9b72ff0d359dbad53d65be419db5bbfc1023c5173
Instruction Fuzzy Hash: 033227B1D01625CBCB24CF29C8916F7B7B1FF95310F18825DD8969B394E738A841CB95

Function 00404BA0 Relevance: 3.3, Strings: 2, Instructions: 832COMMON

Download Yara Rule

Strings

8, xrefs: 00405505
0, xrefs: 0040550D

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 5d573639b5672c12dac5da88f9b5a1c79f67207e20f8c0edb0b0b49a37888c7a
Instruction ID: 07248a76c9a0e45422006fc01a60651f18f3e9c34e44e5b99c316639bb415f8d
Opcode Fuzzy Hash: 5d573639b5672c12dac5da88f9b5a1c79f67207e20f8c0edb0b0b49a37888c7a
Instruction Fuzzy Hash: 8A7237B16083419FD714CF18C880BABBBE1AFC4314F44892EF9899B392D779D944CB96

Function 00440D20 Relevance: 2.9, Strings: 2, Instructions: 425COMMON

Download Yara Rule

Strings

, xrefs: 00440DC3, 00440EAB
@Ukx, xrefs: 00440F53

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: @Ukx$
API String ID: 2994545307-3636270652
Opcode ID: 68fd1405b344facc4b0026b9fe161e78bdc877d3fcaeb6f8274981348c185207
Instruction ID: 03a383fb22d51b403848371ba2a4540fe2b40c56cab5129fcdd4839ce92f9fe8
Opcode Fuzzy Hash: 68fd1405b344facc4b0026b9fe161e78bdc877d3fcaeb6f8274981348c185207
Instruction Fuzzy Hash: DDB17833B083104BE728CE28DCD22BBB792EBC5314F19C93DDA9657395DA399C458786

Function 00409780 Relevance: 2.9, Strings: 2, Instructions: 420COMMON

Download Yara Rule

Strings

1, xrefs: 00409A7B
A, xrefs: 00409922

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 1$A
API String ID: 0-719046165
Opcode ID: bd1ee34c9fa08e29029345848de4dd2afdd75f18fa78b65bf56a6416e37b6555
Instruction ID: e807b6bde7ca49dc404e07dafbff5fc9189e5662c362ff5d9520ac40bf6a6c7c
Opcode Fuzzy Hash: bd1ee34c9fa08e29029345848de4dd2afdd75f18fa78b65bf56a6416e37b6555
Instruction Fuzzy Hash: 41D1E4B55083508BD718DF24C8517ABBBE1FFC5318F08896DE4D99B382DB389906CB96

Function 00422830 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

C@, xrefs: 0042285E
_^]\, xrefs: 00422C05

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: C@$_^]\
API String ID: 0-1259475386
Opcode ID: e06a379b46e52741ffd7a8eb9d43fc02087815218cdea83b303c67149d7ce589
Instruction ID: 97f681d162b0ce7800c7d58e7d4b110804466645679b58dd264a8ebd8314ce09
Opcode Fuzzy Hash: e06a379b46e52741ffd7a8eb9d43fc02087815218cdea83b303c67149d7ce589
Instruction Fuzzy Hash: A2B149A1B083206BD714DF25995273BB3F1EFD1324F59892EE88697381E27CE941835A

Function 0041961B Relevance: 2.8, Strings: 2, Instructions: 332COMMON

Download Yara Rule

Strings

&, xrefs: 004197D7
wt, xrefs: 004198CB

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: &$wt
API String ID: 0-2890898390
Opcode ID: a198e4e5b31969e1657fb15166251ebea6e9b2c69bce2ee6393563c585985ca1
Instruction ID: 33efc2e568e4c4ab9d1c602329fbc31abe2710d64562779c5a451b8c47957380
Opcode Fuzzy Hash: a198e4e5b31969e1657fb15166251ebea6e9b2c69bce2ee6393563c585985ca1
Instruction Fuzzy Hash: C58134715083408BD325DF29C4616AB7BE1EFD6324F184A1DE4DA9B392D7388845C79A

Function 00404270 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 004042EB
IEND, xrefs: 00404661

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 9b389eac3cd63f50139220b3903b822de0d9447c32af65996c9d5ab677047b79
Instruction ID: 6c19918090c1bfa240fcfde467fb325ae55e8405f3c35f7269d99fb777198184
Opcode Fuzzy Hash: 9b389eac3cd63f50139220b3903b822de0d9447c32af65996c9d5ab677047b79
Instruction Fuzzy Hash: D3D1C1B1A083449FD710CF14D84575FBBE0AB94308F14492EFA99AB3C1D779E908CB86

Function 00429739 Relevance: 2.8, Strings: 2, Instructions: 308COMMON

Download Yara Rule

Strings

(. 7, xrefs: 0042977E
,7, xrefs: 00429786

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: (. 7$,7
API String ID: 0-1315767106
Opcode ID: 3dc14f1719d0dcaf1c8e7808f16df868dad44d99b75b9089029e889b2ab59045
Instruction ID: aca24a6d404cff65d8132a2c5354bf9a6b34cab982d47b5a163a498561acaf8d
Opcode Fuzzy Hash: 3dc14f1719d0dcaf1c8e7808f16df868dad44d99b75b9089029e889b2ab59045
Instruction Fuzzy Hash: 73A1DFB190C3519FC714DF25D85262BBBE2EF86314F44892DF4D58B392E738A841CB5A

Function 0041B8F6 Relevance: 1.7, Strings: 1, Instructions: 477COMMON

Download Yara Rule

Strings

EWC`, xrefs: 0041BD43

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: EWC`
API String ID: 0-1922773688
Opcode ID: 96f336dbcf29f94cd9f9a1eaede8d54ada638bb942813ff3d340c66f321929fb
Instruction ID: 3092ec9d695e803f581415aef64df2e1d782c7e4da9fd3e94958caedbaf0e785
Opcode Fuzzy Hash: 96f336dbcf29f94cd9f9a1eaede8d54ada638bb942813ff3d340c66f321929fb
Instruction Fuzzy Hash: 20D11F746047028BC3358F28C4A26A3BBF2EF96304F18542ED5C78BB91E739E846C794

Function 00435A4F Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 00435B52

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: 91fd84924a376b3f97a34e0fb65a65946905aa2505ab14000c767df79a96a229
Instruction ID: d9e5786956825e541ccac0ac26da5deab7ac295270d7ed7bd768e78e6dadd6b4
Opcode Fuzzy Hash: 91fd84924a376b3f97a34e0fb65a65946905aa2505ab14000c767df79a96a229
Instruction Fuzzy Hash: 4F817CB5A046558FCB08CF68C99179EBBF1BF49310F1482ADE859EB391C7399D01CB91

Function 0042D34A Relevance: 1.6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

Strings

><+, xrefs: 0042D353

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ><+
API String ID: 0-2918635699
Opcode ID: 3980c0afaf6dac2d4ca75895f3ce9cc4aa60152e4397ff49cad2d9ebd5e9afb7
Instruction ID: 444f218a8ad5829191449d1546b31e79214a0b4c0f4cfb8ef7368535fe843fa0
Opcode Fuzzy Hash: 3980c0afaf6dac2d4ca75895f3ce9cc4aa60152e4397ff49cad2d9ebd5e9afb7
Instruction Fuzzy Hash: 72C1E575A047418FD725CF2AD490762FBE2BF9A310F28859EC4DA8B752C739E806CB54

Function 0042B170 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

", xrefs: 0042B458

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: d05c80c795993c871168dd86f7d1ea5d1d218413b04f758d20a6faf4e3c25647
Instruction ID: f2fd7e02527a425c6081b095c58e6bcd0ab65349b2e1505f4c1e2091d8d38838
Opcode Fuzzy Hash: d05c80c795993c871168dd86f7d1ea5d1d218413b04f758d20a6faf4e3c25647
Instruction Fuzzy Hash: 82C15872B043256BD711CE25E49076BB7D5EF84314F98892FE8958B382E738EC4487DA

Function 00429E80 Relevance: 1.6, APIs: 1, Instructions: 125COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00429F6C

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: bf0f97b787aa3901fc489b07fc1f7d675bb90a5acac53e645be6843c85619458
Instruction ID: 56439e7850811f5116bb8c84f174b1b770b1ea540e4d3f3412480b83843e5581
Opcode Fuzzy Hash: bf0f97b787aa3901fc489b07fc1f7d675bb90a5acac53e645be6843c85619458
Instruction Fuzzy Hash: B141C1B454C341CFD3109F20A98166BBBF4EB86718F10487DE5969B292D735E507CB8B

Function 00416F52 Relevance: 1.6, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

t, xrefs: 004170C9

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: t
API String ID: 0-2238339752
Opcode ID: 039beb9b53b4255e9ee2e6f2bbcbd7cde69c3a8df900983a1a0d2cd4bed9f5c8
Instruction ID: 1cd3e92b5432f2ec1c5279b22e8dfdc45cf82fdb07faf4288aa06f6d08a0fcad
Opcode Fuzzy Hash: 039beb9b53b4255e9ee2e6f2bbcbd7cde69c3a8df900983a1a0d2cd4bed9f5c8
Instruction Fuzzy Hash: 15B187B05093818BD3358F25C9A13EBBBE0EFDA304F04896DD9C94B391EB395546CB86

Function 004338D0 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

0, xrefs: 00433926

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 2054f8302065642029e1af6278edc7b30e2d1fbefb2b39b3f2304d6cf4d7bd5e
Instruction ID: 792050af76c12169555d75139d7f57acea72ac4afb62a4cb900c120c6a316d90
Opcode Fuzzy Hash: 2054f8302065642029e1af6278edc7b30e2d1fbefb2b39b3f2304d6cf4d7bd5e
Instruction Fuzzy Hash: 7E912533A5999007C32C9D7C4C5126AB9834BD6331F3ED37AA9F59B3E5D9688E024385

Function 0041DF50 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

~, xrefs: 0041E01B

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: f733fce0b6310a0eb4dc35e509785dee88392000b9019db0abd9f73f3d1f7ed5
Instruction ID: e2e43e6fe4f6cc3c933e44b0ed23ba0a46703963326480d57755a3c669c39f81
Opcode Fuzzy Hash: f733fce0b6310a0eb4dc35e509785dee88392000b9019db0abd9f73f3d1f7ed5
Instruction Fuzzy Hash: A1816A76A042614FC721CE29C84139FBBD1AB85324F19C67EECB99B392C2389C46D7C1

Function 00426910 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

Z1\3, xrefs: 00426C1A, 00426C29

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: Z1\3
API String ID: 0-159632435
Opcode ID: 0374eb9296603ed8b945c9eaa04edb5edfad1967a4139b599c52965f3883a5eb
Instruction ID: a01f97801001940a922d9005d1da5d7bd6305901b022d216f6934f6bef4601d8
Opcode Fuzzy Hash: 0374eb9296603ed8b945c9eaa04edb5edfad1967a4139b599c52965f3883a5eb
Instruction Fuzzy Hash: 0F8168B2A083608BD304DF25D85136BBBE2FFD5314F19892DE4C58B385EB789905C786

Function 00405DC0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 00405EF6

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 032979fbd8883524b2f5b732a4a7eb679e248c0839feb764d429df90902c2ded
Instruction ID: 798ff8fe18368bcd82688b629daff8b5abeed993d75e579aca2e624f51337d40
Opcode Fuzzy Hash: 032979fbd8883524b2f5b732a4a7eb679e248c0839feb764d429df90902c2ded
Instruction Fuzzy Hash: 0DB139711087819FD321DF18C88061BFBE1AFA9704F444A2DF5D997782D635EA18CBA7

Function 00427440 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00427465

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: _^]\
API String ID: 2994545307-3116432788
Opcode ID: b4c7d66211ae49d8fd9eccf31c03fcf250aa2d1c5501d05c3c86452f57ff21d1
Instruction ID: 2cadfa6051f0cea8981a5c3a8346752ded914f405fdfafbc00b99242be117cb3
Opcode Fuzzy Hash: b4c7d66211ae49d8fd9eccf31c03fcf250aa2d1c5501d05c3c86452f57ff21d1
Instruction Fuzzy Hash: 1A714B75B0C3205BD7149B29EC9273BB7A1DF86318F58843EE58697382E23CDC45835A

Function 00425F1B Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00425F89

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: 18627fe42d59fa6849b5f8a45ac1d7137aaf139f75de676eaf8c8d08dd2ee1c0
Instruction ID: 4542599af833d18a30e416191cc565c9845a3175e58f9edfc757ba35f46fda4c
Opcode Fuzzy Hash: 18627fe42d59fa6849b5f8a45ac1d7137aaf139f75de676eaf8c8d08dd2ee1c0
Instruction Fuzzy Hash: 8F714775A0C3508BD324CF68D89166BB7E1EFC5304F59486DE8C597362EB789842CB8A

Function 0040C840 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

NO, xrefs: 0040C9EC

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: NO
API String ID: 0-3376426101
Opcode ID: 3a45ac2eeb5043f79cc32338f7f60b436e35e7483777ae535bece26c825c4072
Instruction ID: fc543f642e62e54196cd74c4afb6c1e7b2a5cc718474496b0387cadb34113c13
Opcode Fuzzy Hash: 3a45ac2eeb5043f79cc32338f7f60b436e35e7483777ae535bece26c825c4072
Instruction Fuzzy Hash: 8A61FE7525C301CBD318CF65C89166BB3E2EFD5314F08CA2DE4959B784E67C8905CB5A

Function 0042C53C Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

x|*H, xrefs: 0042CE93

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: x|*H
API String ID: 0-3309880273
Opcode ID: 7f5aa381413c548ed844fbd7a602f1417d2f4c57b5482a0f7289e3f2df060206
Instruction ID: cc18bd2a974832ef5ec95eb7b84f08c6e8f11c533008b704141f0cd713c54539
Opcode Fuzzy Hash: 7f5aa381413c548ed844fbd7a602f1417d2f4c57b5482a0f7289e3f2df060206
Instruction Fuzzy Hash: F97111707047918FD3298F3AD4E0727BBE2AF56304F28C0AED4D78B796D63998068754

Function 0043CA40 Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

_^]\, xrefs: 0043CC20

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: _^]\
API String ID: 2994545307-3116432788
Opcode ID: a83dfb6a84884be77bbdeb245f1cea9c60f563621f19ebf7a2bdccf3372ac9f2
Instruction ID: 696eb795723ead0f6ba9be3735fd8be620dffa71c9a4400ef3d7ad22a9e3dc13
Opcode Fuzzy Hash: a83dfb6a84884be77bbdeb245f1cea9c60f563621f19ebf7a2bdccf3372ac9f2
Instruction Fuzzy Hash: C2712871A043014FDB1CDF28CCE162FBB92EB8A710F19A63EE496E7395D6349C418789

Function 0042CD5E Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

x|*H, xrefs: 0042CE93

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: x|*H
API String ID: 0-3309880273
Opcode ID: adc9464fcfb6411bbef0f9d4b21ac8c62000f71245fa1a37db9961d628f4925d
Instruction ID: 15159f2b9ece189a3f87136af19cf696929cb3b7845c96d6a3ec8102cda8c595
Opcode Fuzzy Hash: adc9464fcfb6411bbef0f9d4b21ac8c62000f71245fa1a37db9961d628f4925d
Instruction Fuzzy Hash: 666112706043918BD3298B3AD4E0727BBD2AF57309F28C0AED5D78B796D63998068754

Function 0040D021 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

_^]\, xrefs: 0040D455

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: 74870e4ad33b8a35e667a8a5e731fbb60a85fce1574822a66bade7bc0104302a
Instruction ID: 2f29a475e6ab84a1a2467f5885c6ff865ba3bddf06fbc8afa579f2b9c55a41bc
Opcode Fuzzy Hash: 74870e4ad33b8a35e667a8a5e731fbb60a85fce1574822a66bade7bc0104302a
Instruction Fuzzy Hash: 07513574A452008FC724CF68D8D0A37B7E1EB56704B19883EC5DB937A2C235B81ACB49

Function 00439A80 Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00439AE0, 00439B6B

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: 422f5fe4da97e1b4d4b7281b5fb385b97c1da4d8515f072832995b6736609225
Instruction ID: b6ca65da45d211c13bd7d4552a10f0b21997a5074e173ef0b1d4d6d2720a84db
Opcode Fuzzy Hash: 422f5fe4da97e1b4d4b7281b5fb385b97c1da4d8515f072832995b6736609225
Instruction Fuzzy Hash: D2517976608201ABE304DF29DC41B2BB795EBC9304F1A953DE5DA87391D774EC42C78A

Function 0042C0E6 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

N&, xrefs: 0042C173

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: N&
API String ID: 0-3274356042
Opcode ID: 8fff828ef7096bc6de3c5e3531ef3bcfddfa3f41189f47e61279592947ff70fd
Instruction ID: 81471823a485b6705c349d61d83959a7e20011983708bf5e147628ffe1b1dd5e
Opcode Fuzzy Hash: 8fff828ef7096bc6de3c5e3531ef3bcfddfa3f41189f47e61279592947ff70fd
Instruction Fuzzy Hash: DE51F625604B904BD729CB3A98513B7BBD3ABDB310B58969EC4D7C7786CA3CE4068B14

Function 0042CD4C Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

x|*H, xrefs: 0042CE93

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: x|*H
API String ID: 0-3309880273
Opcode ID: cf613fdd38d7837f5cd3df6d810bd3581cd7af61f2121b6fdf6102c96ef6c74f
Instruction ID: 8e0701fb42511a5dfbe966a5726a51181002060ac4eac839e7765a7f28dd7c8b
Opcode Fuzzy Hash: cf613fdd38d7837f5cd3df6d810bd3581cd7af61f2121b6fdf6102c96ef6c74f
Instruction Fuzzy Hash: 9751F2B0A043918FD3298F3AD4E0727BBD2AFA7305F28809DD5D68B796D63998068754

Function 0042C09E Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

N&, xrefs: 0042C173

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: N&
API String ID: 0-3274356042
Opcode ID: 09941e67317fc8cb3ce7ea217b500117e96f00fb937d19bfefd61d270a526b4e
Instruction ID: e5864593d1339f498270878ef60363620a1941cd2fe9c21c7a7607c55bfa5eb6
Opcode Fuzzy Hash: 09941e67317fc8cb3ce7ea217b500117e96f00fb937d19bfefd61d270a526b4e
Instruction Fuzzy Hash: B2512925604B904AD729CB3A98513B77BD3AF9B310F9C969DC4D7C7B86CA3C94028B15

Function 0040F3C0 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

,, xrefs: 0040F3E0

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: ae20e63e3e63f013d1e047692b8e7aa7dc0bdcfc52b01fb117a10fbc2d5be1d0
Instruction ID: 7813001e24d65c38f8a3d801aac2b67ab957131e21b176f712fba2760ed53aef
Opcode Fuzzy Hash: ae20e63e3e63f013d1e047692b8e7aa7dc0bdcfc52b01fb117a10fbc2d5be1d0
Instruction Fuzzy Hash: 0661F83260C7908BC7209A3989513DFBBD19B96324F294B3EEDE5D73D2E2388505C746

Function 00441160 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

@, xrefs: 0044123B

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 1bf28d208f4d471862e62771911b4b91396caa8be407dd285211548932c35c82
Instruction ID: 1aa89e2f6171c8b600b289c24d78a6f9a5b4d57d8403bbd31509dc912f19ad9e
Opcode Fuzzy Hash: 1bf28d208f4d471862e62771911b4b91396caa8be407dd285211548932c35c82
Instruction Fuzzy Hash: 0D4123B19043109BE714CF54CC56B7BBBA1FFD5354F088A2DE5855B3A0E3799844C78A

Function 00441720 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

=<32, xrefs: 0044176D

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: =<32
API String ID: 2994545307-852023076
Opcode ID: 806326fabb1518b066f083a03506ad00710994454575a613e60301918d7e52c2
Instruction ID: 3b6fc7dbca8d43659897c6c89a338d9db0430b3797e073dd088a6240ba40644d
Opcode Fuzzy Hash: 806326fabb1518b066f083a03506ad00710994454575a613e60301918d7e52c2
Instruction Fuzzy Hash: 7A314438608304ABF714AE159C91B3BB3A6EB85750F18852EE695573F1D738DC90878A

Function 0042C465 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

AB@|, xrefs: 0042D9F4

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: AB@|
API String ID: 0-3627600888
Opcode ID: f041e5b4f18625dfaa42653504e20addc449c282f38dd463f45fba843b59f9ad
Instruction ID: 9d680adfff61346dbcddf561b221a097d06f6077c5c56bfff523f23a55ee5db6
Opcode Fuzzy Hash: f041e5b4f18625dfaa42653504e20addc449c282f38dd463f45fba843b59f9ad
Instruction Fuzzy Hash: 634106B15046928FD7228F39C850767FBE1BF97310B189699D0D28B796C738E845CB54

Function 0043C830 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

0$z, xrefs: 0043C915

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$z
API String ID: 0-542936926
Opcode ID: 56022ef5e62e296913ac47c6de968db9b320837307f66e6c85d4f38a5b4770bc
Instruction ID: 598e6e7b5ab3f32ace4510c997d5c2914f2054150b2e0cbc2781ed5d43e0899f
Opcode Fuzzy Hash: 56022ef5e62e296913ac47c6de968db9b320837307f66e6c85d4f38a5b4770bc
Instruction Fuzzy Hash: 7A3104B2A193114BD314DF24CC8471BBBD2EB89714F0A992DE484A7342D37A9C428BDA

Function 00428528 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00428545

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: f6a8d254ef2cb00699e79095288bd1bdad4cbdf7a23a769f2daf49ab799d3e86
Instruction ID: fa1734f8cecfd62dbfa6e1ffd5af071ca539f15cf05182bc01822064141da677
Opcode Fuzzy Hash: f6a8d254ef2cb00699e79095288bd1bdad4cbdf7a23a769f2daf49ab799d3e86
Instruction Fuzzy Hash: 9C21EC7470A2109BD71C8B34DC91B3F73A3FBC6314F69152ED193527A6CB399852468D

Function 00421A10 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

,-, xrefs: 00421A64

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,-
API String ID: 0-1027024164
Opcode ID: e841ffa07ed1daa646f5eb3df3353fcb7b3331a6bb754204e02c01eb04e9c511
Instruction ID: 3df528e0a1c1aaf7ae1dd87ce3c0daf4cbce6c1de34562fe1b5624c5cc0b1623
Opcode Fuzzy Hash: e841ffa07ed1daa646f5eb3df3353fcb7b3331a6bb754204e02c01eb04e9c511
Instruction Fuzzy Hash: E8216A61A153108BC7109F29CC52537B7B1EF92364F85861EE4828B361F778CD05C79B

Function 00440340 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

@, xrefs: 004403AD

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 6ebeeff5786163907a1946c8d73bc8e49d379f446760a2416b3547ff48868a07
Instruction ID: 33784d5b8146ae1d6e83e41184c2528a054757f8bcb0ba64dcdd6e2a9e18c57c
Opcode Fuzzy Hash: 6ebeeff5786163907a1946c8d73bc8e49d379f446760a2416b3547ff48868a07
Instruction Fuzzy Hash: 1831FF756083048BE314DF58D8C266FBBE4EBC5324F14892DEA9883390D739D858CB9A

Function 0042DE07 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

ses`, xrefs: 0042DE34

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ses`
API String ID: 0-1601344200
Opcode ID: 7ecea65e69f80fd34ed937d50154ad00ae80800854f723ecc4b508468e07b142
Instruction ID: c16a7131854b6aed293f14fd3f65d90cfdcd1604bceaaf5e70633509fa898857
Opcode Fuzzy Hash: 7ecea65e69f80fd34ed937d50154ad00ae80800854f723ecc4b508468e07b142
Instruction Fuzzy Hash: AD110B645046528BEB168F359C55726BBF1AF33354F1892DCD0D1DF292D624C442CB28

Function 0042DDFF Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

ses`, xrefs: 0042DE34

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ses`
API String ID: 0-1601344200
Opcode ID: acdcb12a599db5bd8b29fdd08185f7d8639ff27a1d18159ef2967bd0d873cb9e
Instruction ID: 2b194369684db8568e4cc4b10858fb41ea2ffb87a76b3f2bea81f07ece6f04e6
Opcode Fuzzy Hash: acdcb12a599db5bd8b29fdd08185f7d8639ff27a1d18159ef2967bd0d873cb9e
Instruction Fuzzy Hash: 21014EA46446538BE7128F359C15726FBF1EF33350F18E2A8D091DF2A2D634C842CB18

Function 004289E9 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00428A15

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: 7248b21c1a5d66122527e099d388fada2b713c8df9422b832066424d84c6be5f
Instruction ID: a8dfba8dee4ad149da4611bc05b701b5a33fd88c903e8634cd43ba9cb2d750ed
Opcode Fuzzy Hash: 7248b21c1a5d66122527e099d388fada2b713c8df9422b832066424d84c6be5f
Instruction Fuzzy Hash: ED01D6B0B0A32187D708CB15D49162FB7E2BBCA310F195A2ED0D623755C738E84287CE

Function 0042E180 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ff83c872175177d33e031517242ed1232e4181d9b7963465f535059b0da82e
Instruction ID: 510cf14dfc6810652eb912176acc6457c4b61f8a8a748e517c8f905a15069ebf
Opcode Fuzzy Hash: 77ff83c872175177d33e031517242ed1232e4181d9b7963465f535059b0da82e
Instruction Fuzzy Hash: A062C6F5911B019FD3A0CF29C881797BBE9EB89310F15892ED1ADD7311CBB465018FAA

Function 0043FA20 Relevance: .7, Instructions: 685COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c171becab70a86a6e575e69f5b8f9388b08847a9ebf173f34fd08f30fb17e69
Instruction ID: 15bf1ea58ee97730c61fd6eda894784fa47516086410607d7a072294ae37ca60
Opcode Fuzzy Hash: 6c171becab70a86a6e575e69f5b8f9388b08847a9ebf173f34fd08f30fb17e69
Instruction Fuzzy Hash: DB22243AB54211CFDB08CF78D8A12AAB3E2FF8A314F1A857DC94697351D7389851CB85

Function 004065F0 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099936b192553e21f2181c48b402bffe770473d4ce187f1baaadddd9ef43cd6f
Instruction ID: d5549c60727ea81db95c0a9739e51fe72a297675e3d87f8c754ff759df3f10bb
Opcode Fuzzy Hash: 099936b192553e21f2181c48b402bffe770473d4ce187f1baaadddd9ef43cd6f
Instruction Fuzzy Hash: 3552C4B0908B848FE735CB24C4843A7BBE1AB91314F16893FC5D716BC2C37DA995971A

Function 00402EB0 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9edad3ee9539bfad45d948b53ca40223dce90882209d286bf0c99f9c6cd7d631
Instruction ID: 4eb073694aac07531e4e37dd991e5aaa8cdb99ba0f72cd08d303837d400a2551
Opcode Fuzzy Hash: 9edad3ee9539bfad45d948b53ca40223dce90882209d286bf0c99f9c6cd7d631
Instruction Fuzzy Hash: 3552F5715083458FCB15CF24C0906AABFE1BF89305F188A7EF8996B381D779D949CB89

Function 004073D0 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e797157fb35717b6a91bbe19d3c6782b16ec68ef1e5ad1ec3f47f605a4e618f
Instruction ID: 6123c4b066af5df033588bdcadea87e91db6a899c9f8ce647c920f563282eda9
Opcode Fuzzy Hash: 6e797157fb35717b6a91bbe19d3c6782b16ec68ef1e5ad1ec3f47f605a4e618f
Instruction Fuzzy Hash: E322A472A087118BD725DF18D8806ABB3E1BFC4319F19893ED986A7385D738B811CB57

Function 004038C0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fa825412325216ac8cbc78d6b7fdfd076d0bd4aefd787e2045a5168297847d
Instruction ID: 815e969ba8de6abfef3ab50d4cb240a17b338c923eef1846e691c0526bdca6a5
Opcode Fuzzy Hash: a4fa825412325216ac8cbc78d6b7fdfd076d0bd4aefd787e2045a5168297847d
Instruction Fuzzy Hash: 74322370A14B118FC328CF29C68052ABBF5BF45711B604A2ED697A7F90D73AF945CB18

Function 0043FB10 Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b217010d00d36b6e532b914cc2c8748e4c1d1399e6fa795548d92cd5122fdeb
Instruction ID: bc1c9a79bd48fbe04f38ca9b4e00e2ed040d16652403f2f97064ad5dbaff0f70
Opcode Fuzzy Hash: 5b217010d00d36b6e532b914cc2c8748e4c1d1399e6fa795548d92cd5122fdeb
Instruction Fuzzy Hash: 9502483AB54211CFD708CF78D8E02AAB7A2FF8A314F1A857DC94693351D739A851CB85

Function 0043FB2A Relevance: .5, Instructions: 527COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87e449dc06f3ba1431d52dba96a7b849506db30f3e9f92c5d405e1d6b40a5de
Instruction ID: a1c715d08816259ade05fabf2ed31b4fea3a659fa95dcf98a80d69cb0f26fb97
Opcode Fuzzy Hash: c87e449dc06f3ba1431d52dba96a7b849506db30f3e9f92c5d405e1d6b40a5de
Instruction Fuzzy Hash: 59F13939B54211CFD708CF78D8E02AAB3A2FF8A314F1A857DC94693351D735A851CB85

Function 0043FB28 Relevance: .5, Instructions: 526COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a977913465e41e9bc8fdf4fe2f93bdf54fd14983a5a5a95a9e13933d6850651
Instruction ID: 7c816634e29e8635841472aa4442699fe105e1924a6df37b46faa06d9bb3fd90
Opcode Fuzzy Hash: 3a977913465e41e9bc8fdf4fe2f93bdf54fd14983a5a5a95a9e13933d6850651
Instruction Fuzzy Hash: 87F13939B54211CFDB08CF78D8E02AAB3A2FF8A314F19857DC94693351D739A851CB85

Function 0041D8AC Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d8542304fd61a6ec4704e93bd93ae71f34bee62e8590f6df1c4416f41d4fae
Instruction ID: 5e9d7e84427f8d5228b95ea90cb98d597139ae8c2cd507701152bf7f0d2aec8f
Opcode Fuzzy Hash: 80d8542304fd61a6ec4704e93bd93ae71f34bee62e8590f6df1c4416f41d4fae
Instruction Fuzzy Hash: DBE117B1E00215CFCB14CF69C8516BBBBB1FF4A310F18465DE496AB391E338A951CB99

Function 0041D8D8 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75f06d64608b7b62d8af53fcc16e7372a13ff163848b6366e20841680721154
Instruction ID: 0a10cce7f6b7f4c9e5a99d8e2b4a5133f7361f2e21e3c94240870ffe1abc1756
Opcode Fuzzy Hash: e75f06d64608b7b62d8af53fcc16e7372a13ff163848b6366e20841680721154
Instruction Fuzzy Hash: FAE105B1E00615CFCB14CF69C8516BBBBB1FF4A310F18465DE496AB391E338A951CB98

Function 0043A5D4 Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54321200634eeb017938ca97b02a580f2ec045d38f887201d3bbccb309d2fc5e
Instruction ID: 46d297c27612cc74d8920747c844cebf2053245c8b455536a5ef2517f04bf7c0
Opcode Fuzzy Hash: 54321200634eeb017938ca97b02a580f2ec045d38f887201d3bbccb309d2fc5e
Instruction Fuzzy Hash: 38D1323A128216DBCB148F38E852267B3F1FF4A741F5A997DC881872A0E739CD60D749

Function 00405900 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f22763de4bcdc26485400349c62461b958b278f38fe56ac1e4a402e23215dde
Instruction ID: b469d3f5349dda3103b6b46912c8c4d7a4645d84403f73c82c303b71c2787751
Opcode Fuzzy Hash: 0f22763de4bcdc26485400349c62461b958b278f38fe56ac1e4a402e23215dde
Instruction Fuzzy Hash: A0E19C712087418FD720DF29C880A6BBBE1EF99304F44882EF4D597791E279E948CB96

Function 0043FD70 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6587f211f8bb243ac471bf4d418ae114b6383508c51c90636e998149a2c9f481
Instruction ID: 0795aabbeeca3c289a54d5a983081f6cc9b815f424e4503ad834db78cbe5b8b0
Opcode Fuzzy Hash: 6587f211f8bb243ac471bf4d418ae114b6383508c51c90636e998149a2c9f481
Instruction Fuzzy Hash: 46B1FF39B04211CFCB08CF78E8902AAB7B2FF8A324F1985BDD94593351C775A861CB85

Function 0040E687 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf139d6076f74e88016107c3b2d5cd150ad1361beca4a8d31ce69c6420e6d53
Instruction ID: 436cdfabcdc2bc1f3b0c984888b76234570e3e3d12e5b379b418b909d18abe90
Opcode Fuzzy Hash: 7cf139d6076f74e88016107c3b2d5cd150ad1361beca4a8d31ce69c6420e6d53
Instruction Fuzzy Hash: 518149756407018BD3248B39CC926A7B7E2FF9A314F0CCABCD4865B383E67CA8128754

Function 0043FE00 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f54337c51817de601ce1ec662ea4a86470746f121211f08e90cfc523ef7306dd
Instruction ID: 8f12c1f11cf7dd9d5989c678c09bce864ea8bb7899150d07336210a81ccf9f3f
Opcode Fuzzy Hash: f54337c51817de601ce1ec662ea4a86470746f121211f08e90cfc523ef7306dd
Instruction Fuzzy Hash: 2AB11E39A04205CFDB08CF78D8902AEB7B2FF8A314F19857DD94593391D735A922CB85

Function 0041E220 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b149a0bbab6782feafc00be1083e7a8165e3fb706a29e46740f55697911519c6
Instruction ID: 69234b85a46c5add8f98f44c0919eb11ace403bbb5928afa55a7caa75afc10ee
Opcode Fuzzy Hash: b149a0bbab6782feafc00be1083e7a8165e3fb706a29e46740f55697911519c6
Instruction Fuzzy Hash: E9B11879904201ABD7109F25CC42B5BBBE2BF88319F144A3EFC94933B1D73699588B46

Function 004409E0 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0e7bdc082f291f479ac6ea38cf1872b6485b45ee801d995599797230dee86865
Instruction ID: 086aaeb3fb778cffc103a4563c2787a1fab9d2bf013e0bbe125477b3c86dcf8e
Opcode Fuzzy Hash: 0e7bdc082f291f479ac6ea38cf1872b6485b45ee801d995599797230dee86865
Instruction Fuzzy Hash: 1C9127756083119FD724DF18C88062BB3E2EF95710F19C52DEA955B3A1D738EC60CB9A

Function 0042EE63 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae3d64327252f0695d2f7a4a9683f004aaaca5e5630162d27c718a5927896f5
Instruction ID: a60e2b574139921dc6c2a91e11df8c14258a891cc4a5ffad745695b33ca4164f
Opcode Fuzzy Hash: 0ae3d64327252f0695d2f7a4a9683f004aaaca5e5630162d27c718a5927896f5
Instruction Fuzzy Hash: 8FC13622609B808BD3258B79D8953E7BFD25BE6324F1DCA7DC4FA873C6D578A0058712

Function 004406F0 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e85f12f7bbac3723ecb9eee596fb1eeda3fecaf8cb6cd1164115649647f81f7d
Instruction ID: bbaad09b7466ea8e443d8553dc44a5451933c837b4ca1b8c359bd5f9b3e4a5a9
Opcode Fuzzy Hash: e85f12f7bbac3723ecb9eee596fb1eeda3fecaf8cb6cd1164115649647f81f7d
Instruction Fuzzy Hash: 478115756083018BE714DF19C890A2BB7A2FFD5710F19852DEAC49B395EB38DC61CB86

Function 00406160 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a47cf4779e96c498a3bacb3a1360b7721c88dbd32f3e99254b456f432f8d3c8a
Instruction ID: e400c2ea4fcb9d05b264130c5d9b979a3b53ed43f0040f5070ba523f7c467aa9
Opcode Fuzzy Hash: a47cf4779e96c498a3bacb3a1360b7721c88dbd32f3e99254b456f432f8d3c8a
Instruction Fuzzy Hash: 65C15BB29087418FC360CF28DC86BABB7E1BF85318F09492DD1DAD6342E778A155CB46

Function 00431CF0 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15825d2242f3d0caf47f399ff862251181c43f0c913d7599403b879d29d8c550
Instruction ID: 9537e6ea810ff224e66e6c5f92b4e87bf55ee40ff61a035c9a26ea9646533ffc
Opcode Fuzzy Hash: 15825d2242f3d0caf47f399ff862251181c43f0c913d7599403b879d29d8c550
Instruction Fuzzy Hash: 96917F33B59A9007D32C893D4C522A7B9830BD7230F2ED77E99F58B3E5C9A94C068385

Function 0042FE74 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fffda64b6289d7f34c21fe1a0c28253e3e57472ffb96d7d5ba192f4e386ca9d
Instruction ID: 4f9d4f0c186f13f67f18e6cc43704a11d8347ef931c035b5f291c5eb2b9854c2
Opcode Fuzzy Hash: 5fffda64b6289d7f34c21fe1a0c28253e3e57472ffb96d7d5ba192f4e386ca9d
Instruction Fuzzy Hash: B7B1276260AF808BE3159B38C8553A7BFE25B96314F1DC9BDC4EE87386D6386409C716

Function 004204C6 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f7fababf904007dcff2eaf7c425e45d6a9557b00b629950081f529d2400e59
Instruction ID: cbae7b17040a84125ba216ca1e071ac281e14ca80bdc54d56613533af8622d25
Opcode Fuzzy Hash: 00f7fababf904007dcff2eaf7c425e45d6a9557b00b629950081f529d2400e59
Instruction Fuzzy Hash: 8BB16132618FC18AD325CA3D8855397BED25B97334F1C8B9DA1FA8B3E2D674A102C715

Function 00440460 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 54f82e31ec42db6e5a691cbffae974a543ab738ecaa57c3382bf5a3b0d3b825a
Instruction ID: 1b98dbfff1052fd83d30d2034a7a13d3d06e3ea98b2c3cf3c3b22ec833b66bdb
Opcode Fuzzy Hash: 54f82e31ec42db6e5a691cbffae974a543ab738ecaa57c3382bf5a3b0d3b825a
Instruction Fuzzy Hash: 0E6129356083019BE715DF18C85063FB7A2EFC5710F19852EEA858B391EB34DC61D78A

Function 0043C5A0 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0d0f8cd16a7ff66dbe3ea7de6924125ee922e71eb28e6111b45bde30ad31ca79
Instruction ID: c44764b03ef8f3b603924d4288212253421447f9bf8c012b68da20a88765eb80
Opcode Fuzzy Hash: 0d0f8cd16a7ff66dbe3ea7de6924125ee922e71eb28e6111b45bde30ad31ca79
Instruction Fuzzy Hash: E1516B75A083154BD728AF28C88163FB7D2ABD9310F19997EE8C5A7391E7359C018B89

Function 0041E630 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb2e24862c447ac2890e1011478ca2091e38ae9802797d9ab4b1cf63fe714f4d
Instruction ID: 412eea3901430329c89d00e7462b7b4474c9b4e9baf5de6efa7f3dbc27b228ac
Opcode Fuzzy Hash: eb2e24862c447ac2890e1011478ca2091e38ae9802797d9ab4b1cf63fe714f4d
Instruction Fuzzy Hash: C561F63AA09A904BE328893D4C113A66E934BD7330F2DC7AEEDF5873E1D5694C46534A

Function 00428ABC Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb440328ed965aa383e4aae554cc536773058bbfd2354fff2e940dd9ff105fa
Instruction ID: 97edb61c09e04dbe2ac7e36bf83e4999828791a8825e11b69177391bcbbba0d9
Opcode Fuzzy Hash: 4fb440328ed965aa383e4aae554cc536773058bbfd2354fff2e940dd9ff105fa
Instruction Fuzzy Hash: AC512972B147254BC708CE2DD89122EB6D2ABC8340F5DC63DD9568B386EF74AC018785

Function 0041AEB0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700184ab0c9cd652b93aad8856fe960665dbb5f32316bd4662c50a674686afbe
Instruction ID: 32f1da0a59edb19b1f2415f6b20f68dac9bccdbe84344314cf70959379de7b75
Opcode Fuzzy Hash: 700184ab0c9cd652b93aad8856fe960665dbb5f32316bd4662c50a674686afbe
Instruction Fuzzy Hash: 8C513933759A904BD3288E7C4C902A77E834BD7330B3DC77AE6B5873E1D65949464386

Function 0041E960 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ba9d90d527d8665d7989c0a6aa9515d2728fc862da1d54fc15ac6ee7697944
Instruction ID: 598c896128068d853399e27d799e105a7cb792941de4049cd737257af7441d89
Opcode Fuzzy Hash: 80ba9d90d527d8665d7989c0a6aa9515d2728fc862da1d54fc15ac6ee7697944
Instruction Fuzzy Hash: 8B51253BB599804BD328C93D4C212E6BAC34BD7230B2DC7BAE9B6C73E5D5694C424349

Function 00438650 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45266db1437416af79d9adcadb7b94d59e0e3cef13ad0bacd323e30fe01f4a8
Instruction ID: d73dd64a676057f9bd243e824e461c03e88bafdaa8383f001caf54ca455f9171
Opcode Fuzzy Hash: a45266db1437416af79d9adcadb7b94d59e0e3cef13ad0bacd323e30fe01f4a8
Instruction Fuzzy Hash: 52515CB15087548FE314DF29D89435BFBE1BB88318F444A2EE5E587390E779D6088F86

Function 00433C10 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8f78da9cdbf2cab87d35527b74ed355745416f0e94b96122d1b07ee1cadbd5
Instruction ID: 87017bbf97e7a3258eb3c6e14970e8f5731703c3bf7ef13de939731893a58187
Opcode Fuzzy Hash: 9d8f78da9cdbf2cab87d35527b74ed355745416f0e94b96122d1b07ee1cadbd5
Instruction Fuzzy Hash: 9E518E37A49A904BD3288D3D5C612B63A834BD7731F3E936FB6B24B3E1C9694E024345

Function 0042F377 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a74fb3ce269eca9cc76e692abf33b16041b4c9929d8a28331ac8556db6a1e6
Instruction ID: e66419adaa8501c2c0b8d0b8d5ca2c62e14b4cb62137d24cf810aa35a29ec1ec
Opcode Fuzzy Hash: 58a74fb3ce269eca9cc76e692abf33b16041b4c9929d8a28331ac8556db6a1e6
Instruction Fuzzy Hash: 46610972744B418FC728CE38C8913E6BBE29B95314F198A3DD4BBCB385EA78A4458745

Function 0043F18B Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb1a59a1c334c3242cbcecee7576ffd1d392a050aa77113d17b8805ef502a23
Instruction ID: 9b04581ec06a75171a4067c8eb7c1b9be14d594861e88ccfa5737c6ace18bd04
Opcode Fuzzy Hash: ceb1a59a1c334c3242cbcecee7576ffd1d392a050aa77113d17b8805ef502a23
Instruction Fuzzy Hash: 99413B32B087518BD718CE38889117BFBD29BDA300F1D987ED8C3C7296D529ED0A8B45

Function 0042BF13 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d79f1fd880ab180e1b863fa2a9d981922e66a5893552c9cd54a43db72e04df75
Instruction ID: 1ae5c22645a0c49bea9d6a70653e44e8157fd1e252da5b34c0afae31fd87a2fe
Opcode Fuzzy Hash: d79f1fd880ab180e1b863fa2a9d981922e66a5893552c9cd54a43db72e04df75
Instruction Fuzzy Hash: 314129A4204790CBE7328B3A98E0B737FE0EF27305F48198DE4E78B646D3299405CB59

Function 0041B57D Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e0094a64ed9e0f308886f35ab180eb3d940b80439b08ae9969d5e3e11de77b
Instruction ID: d8b4a6cdd0763d1df8515212ee66b27a55189a0bec8caba65ff171ec82452c36
Opcode Fuzzy Hash: c7e0094a64ed9e0f308886f35ab180eb3d940b80439b08ae9969d5e3e11de77b
Instruction Fuzzy Hash: D23138745047904BD7368B3584A17737FE09F2B308F58489ED1D387293D22A9549C796

Function 0040CC7A Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings$Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 1780199113-0
Opcode ID: 94b07ba9958116a24f49aa2ce181052b6958ac39138e9011af663e1bf14a50e6
Instruction ID: 6b5d6437c4fa7b8805f8ed77d50acdad1f0dd5a7239fa4c95c8d74861a36b3c0
Opcode Fuzzy Hash: 94b07ba9958116a24f49aa2ce181052b6958ac39138e9011af663e1bf14a50e6
Instruction Fuzzy Hash: 0531E4EAF405405BE5057A232863A6F21674BD071CF48103EF84A272C3ED7DB916959F

Function 0043DA4D Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a037f31c719b3b9007ca86563dca327b149535f0b1aee28f9c8c140cbeaaff5
Instruction ID: 88b53e2cdb2d59a095d412c6063dca91b916b3dbfa53e0556f013687c9e036d0
Opcode Fuzzy Hash: 5a037f31c719b3b9007ca86563dca327b149535f0b1aee28f9c8c140cbeaaff5
Instruction Fuzzy Hash: 924158B6E5C3019BE708DF76AC5261FBAE2DBE6301F09C43DE48583362E9788509474A

Function 00420E6C Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad6bb347a5bf674c364783910cb0e97ffc32fae7ae5d11b6603b6b9af9d7c8f1
Instruction ID: 9a8688de7cab84d4b9cb6f1fd2df7a5a4057bd7e387ad8c7d0a5f49dbc4c5b6e
Opcode Fuzzy Hash: ad6bb347a5bf674c364783910cb0e97ffc32fae7ae5d11b6603b6b9af9d7c8f1
Instruction Fuzzy Hash: B9417C72755F408BD324CA3CCD95796BBD2AB89324F294B2DE1BAC73D1DA78A401C709

Function 00432070 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33cc46eaab1da60d5c7c303c1f4bff1ac88459165d933fbad2b388fb389fe25a
Instruction ID: 1166d7d1cf2a9c2f689b228294c5ddb55241fb8fb130d34f92ce9a1e81a5b4f1
Opcode Fuzzy Hash: 33cc46eaab1da60d5c7c303c1f4bff1ac88459165d933fbad2b388fb389fe25a
Instruction Fuzzy Hash: 0D814CB451A7808FE374DF05D59869FBBE0FB8A308F11891ED4984B350CBB86549CF9A

Function 0043A440 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257f930fff8ac5571b740c804d3fe8f9527e358f99b749092fc537f7b3a7f2a5
Instruction ID: e9a2afa0c3e9b44220c3a555e96f04b93686518c2918f41850349f51290115aa
Opcode Fuzzy Hash: 257f930fff8ac5571b740c804d3fe8f9527e358f99b749092fc537f7b3a7f2a5
Instruction Fuzzy Hash: D5312772A586044BC7199D3D4C9026BBA839BC9334F2DD73FEAB78B3C1DA788C514246

Function 00436210 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 63507484b2069e2e8211a278e3cf8cd1c2c15e4e039033c761ca6b325ddcdd3c
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 94112C336041D50ED3119D3C8500566BFD30AD7334F1BD3DAF4B8972D2D6268D8A8359

Function 0042AAC0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5d740ace398df56c1bc651b30677a1090a792db8fb55b3a5b1b7746f8ad41c
Instruction ID: a0f30dc86e724eb7f88f9efd602dd5de4cd53b28ec3d007000181f31979604c4
Opcode Fuzzy Hash: 7b5d740ace398df56c1bc651b30677a1090a792db8fb55b3a5b1b7746f8ad41c
Instruction Fuzzy Hash: 67019EB1B0031197E6209E25A5C1B27B6A96F94708F18003EED0657342DB7DFC24C29B

Function 0043C990 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6d6b89a0769f86010591fd06291181582dea7eebbe521dc95f02f92bd725890
Instruction ID: ef255d715ab18d882adc5ea52eeea8cbfa11f5837c70251ee56aeac1239934a6
Opcode Fuzzy Hash: b6d6b89a0769f86010591fd06291181582dea7eebbe521dc95f02f92bd725890
Instruction Fuzzy Hash: 410126B5B052264BD720EE55ECC073F7756A7DE711F1EA07AD48077305D2348C419399

Function 0041C300 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d915abd692c596d351a76ef7c44155bf2f7634e88133afcabaf1f94f6f3ee80c
Instruction ID: 3b5a2521859e6f9e2b7c42681b895aeeefce9f58c49972f42ecf2407dd3de83c
Opcode Fuzzy Hash: d915abd692c596d351a76ef7c44155bf2f7634e88133afcabaf1f94f6f3ee80c
Instruction Fuzzy Hash: 91F03160104B914AD7328F3985643B3FFE09B13218F545A4DC9E357AD2D36AD14A8798

Function 0043EDC1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c87cf7490ba7f349dbf4ff6d15317452443a64d08c45edd5236fd878cf74ed6
Instruction ID: 6759ef11ba54ebcff8aa8f6da36673660d6dd1d1c904dc71617b67ba0d321406
Opcode Fuzzy Hash: 2c87cf7490ba7f349dbf4ff6d15317452443a64d08c45edd5236fd878cf74ed6
Instruction Fuzzy Hash: EC01B174E412688BCB24CF66E8912BEB7B1FF56305F186068E482FB380DB358C05CB59

Function 0042C850 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f4e3217fe9b5c4e997299aec1ba0aa40f02e45b7d4679749b3d65f6db5070c
Instruction ID: 934d56785e493b3be4b0c9c008a8aca41c7e0e8933f1bbf3a4c9d2d3fb154c99
Opcode Fuzzy Hash: 98f4e3217fe9b5c4e997299aec1ba0aa40f02e45b7d4679749b3d65f6db5070c
Instruction Fuzzy Hash: 16F0F0244086938ADB059F2980A0776FBA1AF23345F2C41DEC4C0AB393CB2AC8068758

Function 0042E0DA Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74d5857912f424093c70e21deeb6922a10a882864307659604c18145d6e58bc
Instruction ID: 53e9e5a03a9e822e66d5819fe35fee1f40f302e6fc978103a9a9be73ad9cdb27
Opcode Fuzzy Hash: a74d5857912f424093c70e21deeb6922a10a882864307659604c18145d6e58bc
Instruction Fuzzy Hash: C7F065105087F28ADB234B3E54606B3AFE09B63120B581BD6C8E19B3C7C3199497C36A

Function 0042D116 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e45a90e1ceaff6c5d0e3e053bdb80ffa80649d360dfdb931296267ad3d0f33
Instruction ID: e2807706931cebe5a4fd8447433720849932be0b4ea6b6dd525263aa63fc0ea0
Opcode Fuzzy Hash: f6e45a90e1ceaff6c5d0e3e053bdb80ffa80649d360dfdb931296267ad3d0f33
Instruction Fuzzy Hash: 270149306042428BD344CF38CCA056BFBA1EB83324F08C79DC45687796C638C442C799

Function 0040C805 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f87736648c9b6f2dd64c8d371659d93ba6f9c6e5d05e4d379e6cf43d16ee00
Instruction ID: 2cc704b116e4bd3b8fd511eeb7f6c98f4211d06ad42a95779158915a2f3845ef
Opcode Fuzzy Hash: c4f87736648c9b6f2dd64c8d371659d93ba6f9c6e5d05e4d379e6cf43d16ee00
Instruction Fuzzy Hash: C6C0123C583840DF83088F20EC08879B374BB0B202B006824E807E33A2CB22A511AA6E

Function 004237D6 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40189d29a415ea6312dcdd67a1103e7914f9f9b1922703845f218493d16d700
Instruction ID: b006575f33bb30629b5eebf8556c7f8348362c77d274ae0a1f7cd2f0d910ddfd
Opcode Fuzzy Hash: a40189d29a415ea6312dcdd67a1103e7914f9f9b1922703845f218493d16d700
Instruction Fuzzy Hash: 92B092B4A1C2018A87088F00E140039EAB4629F202F30A02E908A63215C225C1058A8E

Function 0043315D Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 85COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004331A3

Strings

w, xrefs: 00433231
j, xrefs: 00433207
A, xrefs: 004331CB
K, xrefs: 004331FD
D, xrefs: 004331DF
y, xrefs: 004331D5
B, xrefs: 004331C1
B, xrefs: 004331E9
q, xrefs: 004331F3
M, xrefs: 00433221

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitVariant
String ID: A$B$B$D$K$M$j$q$w$y
API String ID: 1927566239-3160828158
Opcode ID: eddacfeeedbf2f75f6d5a413a3fd0e74a564a643395569db151e54d21141464b
Instruction ID: 1c928e62d6be9c8abd40ab69893dd7e66488cb55e0e55af33186cf6b993705b4
Opcode Fuzzy Hash: eddacfeeedbf2f75f6d5a413a3fd0e74a564a643395569db151e54d21141464b
Instruction Fuzzy Hash: 6241287050CBC18AD335DB38845879EBFD16BD2214F188A9DE2E94B3E2D7788145CB57

Function 0043240F Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 148memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00432482

Strings

c, xrefs: 0043242C
g, xrefs: 00432440
f, xrefs: 0043243B
e, xrefs: 00432436
a, xrefs: 00432422
0, xrefs: 0043270A

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID: 0$a$c$e$f$g
API String ID: 2525500382-100324306
Opcode ID: 6fa382de4c939dc68479ac497997f55f83f35014caf28410cf75d298f2d01ba0
Instruction ID: 2beeffe621b162477516d1a3ffd6e32473519446922c4ca7b5322f15d7df1e3d
Opcode Fuzzy Hash: 6fa382de4c939dc68479ac497997f55f83f35014caf28410cf75d298f2d01ba0
Instruction Fuzzy Hash: EB91812110DBC28DD3328A7C595879BBED16BA7234F484B9EE0E98B3E6D7704106C767

Function 00432A42 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00432A4C
VariantInit.OLEAUT32 ref: 00432A5F

Strings

C, xrefs: 00432B2D
C, xrefs: 00432B0D
T, xrefs: 00432AFD
P, xrefs: 00432B1D

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: C$C$P$T
API String ID: 2610073882-3051599793
Opcode ID: 70cc15cec2ffaa4e64ca4ef94809e37c86eda4dcb3d81504480f7fa9456d32e2
Instruction ID: 97d45b2a61606388edab5b45fc9f71e82de55712b11621588c9e0c32b5ea6509
Opcode Fuzzy Hash: 70cc15cec2ffaa4e64ca4ef94809e37c86eda4dcb3d81504480f7fa9456d32e2
Instruction Fuzzy Hash: 0141E52000C7C18AD3728B38845979FBFE06B96324F488A9DD4ED8B3D2DB754149DB53

Function 0042D7EE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042D898

Strings

#v, xrefs: 0042D898
;87>, xrefs: 0042DBEB

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FreeLibrary
String ID: ;87>$#v
API String ID: 3664257935-1791543496
Opcode ID: 8948d3cd5bc622644077d860e0ab694d6f95e2090f86dfe1e4841dcaad48535a
Instruction ID: 6bca69879cb3e651ebc8ca0b13598fe737171d623fe99421924d523c2323336e
Opcode Fuzzy Hash: 8948d3cd5bc622644077d860e0ab694d6f95e2090f86dfe1e4841dcaad48535a
Instruction Fuzzy Hash: FF214B70A043928FDB218F25D850727BFE1AF4B301F68869AD4D28B396D6389842CB15

Function 004345DB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043460B
GetSystemMetrics.USER32 ref: 0043461A

Strings

, xrefs: 004346C8

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 21c571957f9eedbc13ecd4bfc36bc2f66f2a3654bfb69307476122a183b7950a
Instruction ID: a44d6496935459a921f5505b3ec94aa74778db30aba9446cb93c37adee0bb457
Opcode Fuzzy Hash: 21c571957f9eedbc13ecd4bfc36bc2f66f2a3654bfb69307476122a183b7950a
Instruction Fuzzy Hash: D0317DF49143149FDB00EFA8D98561EBBF4BB89704F11852EE898DB364D374A948CF86

Function 0042D893 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042D898

Strings

#v, xrefs: 0042D898
;87>, xrefs: 0042DBEB

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FreeLibrary
String ID: ;87>$#v
API String ID: 3664257935-1791543496
Opcode ID: fd3193656894a668b22de869095197b6b1e72f9b9e7d47cf1e04037ab90bc313
Instruction ID: 86d99b7f9b2e41fbf427bd52e774bdff68d06f883e7a09e1f2f077771d0b6d71
Opcode Fuzzy Hash: fd3193656894a668b22de869095197b6b1e72f9b9e7d47cf1e04037ab90bc313
Instruction Fuzzy Hash: D6112BB1600602CFD7118F35EC5072BBBE2FF4B311F59C6A9D4968B392EA389842CB55

Function 0040B7B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00408A31), ref: 0040B7B6
FreeLibrary.KERNEL32 ref: 0040B7D7

Strings

#v, xrefs: 0040B7B6, 0040B7D7

Memory Dump Source

Source File: 00000003.00000002.2419343041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FreeLibrary
String ID: #v
API String ID: 3664257935-554117064
Opcode ID: da798694984a35fde46e4bcd63e174060923e03d5e302a6048e3f29a9fc80685
Instruction ID: 8d13b867a32c3a4b7460dc0ab53feb316509c0c4818bc205b844e3f8a964c7f0
Opcode Fuzzy Hash: da798694984a35fde46e4bcd63e174060923e03d5e302a6048e3f29a9fc80685
Instruction Fuzzy Hash: 0DC002799914029FEF056FA1FE0E8593B22FB5630670401B6B90590632EA6B09B4AB5F

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rfWu0dUz6A.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
rfWu0dUz6A.exe

Function 00408600 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 351
threadCOMMON

Function 0043E110 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00409D1E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 142
libraryCOMMON

Function 0043E34B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
COMMON

Function 0040EF53 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Function 0040EC77 Relevance: 3.0, APIs: 2, Instructions: 27
COMMON

Function 00437764 Relevance: 1.6, APIs: 1, Instructions: 90
COMMON

Function 0043E3A9 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Function 0043C55B Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON