Edit tour

Windows Analysis Report
WC2SD38tcf.exe

Overview

General Information

Sample name:	WC2SD38tcf.exe renamed because original name is a hash value
Original sample name:	46DD34531761BBC552766131C1AC05CA.exe
Analysis ID:	1582088
MD5:	46dd34531761bbc552766131c1ac05ca
SHA1:	77de42cebb838e1c33baf9e05dffcc72b193ec8e
SHA256:	bf142408e335b4fe9f03495b4eaf5629b30f8d9c7433c44b7532d42c67b4ad3f
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential time zone aware malware

Program does not show much activity (idle)

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Yara signature match

Classification

Process Tree

System is w10x64

WC2SD38tcf.exe (PID: 7680 cmdline: "C:\Users\user\Desktop\WC2SD38tcf.exe" MD5: 46DD34531761BBC552766131C1AC05CA)

BitLockerToGo.exe (PID: 7948 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

WerFault.exe (PID: 7216 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7948 -s 1236 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7364 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7948 -s 1260 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.216.71.4/feed7c30357659ed.php", "Botnet": "meetvoov"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1872729807.0000000001C1A000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000002.00000002.2213338623.0000000000777000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1872729807.0000000001A3C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1872729807.0000000001A3C000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x33dd8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x33f30:$str02: Azure\.IdentityService 0x33f54:$str03: steam_tokens.txt 0x33be8:$str04: "encrypted_key":" 0x33d10:$str05: prefs.js 0x33d88:$str06: browser: FileZilla 0x33d9c:$str07: profile: null 0x33dac:$str08: url: 0x33db4:$str09: login: 0x33dbc:$str10: password:
00000000.00000002.1872729807.0000000001A78000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1872729807.0000000001A78000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x33dd8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x33f30:$str02: Azure\.IdentityService 0x33f54:$str03: steam_tokens.txt 0x33be8:$str04: "encrypted_key":" 0x33d10:$str05: prefs.js 0x33d88:$str06: browser: FileZilla 0x33d9c:$str07: profile: null 0x33dac:$str08: url: 0x33db4:$str09: login: 0x33dbc:$str10: password:
00000000.00000002.1872729807.0000000001AB4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1872729807.0000000001AB4000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x33dd8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x33f30:$str02: Azure\.IdentityService 0x33f54:$str03: steam_tokens.txt 0x33be8:$str04: "encrypted_key":" 0x33d10:$str05: prefs.js 0x33d88:$str06: browser: FileZilla 0x33d9c:$str07: profile: null 0x33dac:$str08: url: 0x33db4:$str09: login: 0x33dbc:$str10: password:
00000000.00000002.1872729807.0000000001B68000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000002.1872729807.0000000001902000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1872729807.0000000001902000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x33dd8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x33f30:$str02: Azure\.IdentityService 0x33f54:$str03: steam_tokens.txt 0x33be8:$str04: "encrypted_key":" 0x33d10:$str05: prefs.js 0x33d88:$str06: browser: FileZilla 0x33d9c:$str07: profile: null 0x33dac:$str08: url: 0x33db4:$str09: login: 0x33dbc:$str10: password:
00000000.00000002.1872729807.000000000193E000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1872729807.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
Process Memory Space: WC2SD38tcf.exe PID: 7680	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: WC2SD38tcf.exe PID: 7680	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 7948	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 7948	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.WC2SD38tcf.exe.1a78000.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.WC2SD38tcf.exe.1a78000.1.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x327d8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x32930:$str02: Azure\.IdentityService 0x32954:$str03: steam_tokens.txt 0x325e8:$str04: "encrypted_key":" 0x32710:$str05: prefs.js 0x32788:$str06: browser: FileZilla 0x3279c:$str07: profile: null 0x327ac:$str08: url: 0x327b4:$str09: login: 0x327bc:$str10: password:
0.2.WC2SD38tcf.exe.1902000.4.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.WC2SD38tcf.exe.1902000.4.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x327d8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x32930:$str02: Azure\.IdentityService 0x32954:$str03: steam_tokens.txt 0x325e8:$str04: "encrypted_key":" 0x32710:$str05: prefs.js 0x32788:$str06: browser: FileZilla 0x3279c:$str07: profile: null 0x327ac:$str08: url: 0x327b4:$str09: login: 0x327bc:$str10: password:
0.2.WC2SD38tcf.exe.1ab4000.3.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.WC2SD38tcf.exe.1ab4000.3.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x327d8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x32930:$str02: Azure\.IdentityService 0x32954:$str03: steam_tokens.txt 0x325e8:$str04: "encrypted_key":" 0x32710:$str05: prefs.js 0x32788:$str06: browser: FileZilla 0x3279c:$str07: profile: null 0x327ac:$str08: url: 0x327b4:$str09: login: 0x327bc:$str10: password:
0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x33dd8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x33f30:$str02: Azure\.IdentityService 0x33f54:$str03: steam_tokens.txt 0x33be8:$str04: "encrypted_key":" 0x33d10:$str05: prefs.js 0x33d88:$str06: browser: FileZilla 0x33d9c:$str07: profile: null 0x33dac:$str08: url: 0x33db4:$str09: login: 0x33dbc:$str10: password:
0.2.WC2SD38tcf.exe.1a3c000.2.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.WC2SD38tcf.exe.1a3c000.2.raw.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x33dd8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x33f30:$str02: Azure\.IdentityService 0x33f54:$str03: steam_tokens.txt 0x33be8:$str04: "encrypted_key":" 0x33d10:$str05: prefs.js 0x33d88:$str06: browser: FileZilla 0x33d9c:$str07: profile: null 0x33dac:$str08: url: 0x33db4:$str09: login: 0x33dbc:$str10: password:
0.2.WC2SD38tcf.exe.1a78000.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.WC2SD38tcf.exe.1a78000.1.raw.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x33dd8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x33f30:$str02: Azure\.IdentityService 0x33f54:$str03: steam_tokens.txt 0x33be8:$str04: "encrypted_key":" 0x33d10:$str05: prefs.js 0x33d88:$str06: browser: FileZilla 0x33d9c:$str07: profile: null 0x33dac:$str08: url: 0x33db4:$str09: login: 0x33dbc:$str10: password:
0.2.WC2SD38tcf.exe.1902000.4.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.WC2SD38tcf.exe.1902000.4.raw.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x33dd8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x33f30:$str02: Azure\.IdentityService 0x33f54:$str03: steam_tokens.txt 0x33be8:$str04: "encrypted_key":" 0x33d10:$str05: prefs.js 0x33d88:$str06: browser: FileZilla 0x33d9c:$str07: profile: null 0x33dac:$str08: url: 0x33db4:$str09: login: 0x33dbc:$str10: password:
0.2.WC2SD38tcf.exe.1a3c000.2.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.WC2SD38tcf.exe.1a3c000.2.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x327d8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x32930:$str02: Azure\.IdentityService 0x32954:$str03: steam_tokens.txt 0x325e8:$str04: "encrypted_key":" 0x32710:$str05: prefs.js 0x32788:$str06: browser: FileZilla 0x3279c:$str07: profile: null 0x327ac:$str08: url: 0x327b4:$str09: login: 0x327bc:$str10: password:
2.2.BitLockerToGo.exe.430000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
2.2.BitLockerToGo.exe.430000.0.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x33dd8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x33f30:$str02: Azure\.IdentityService 0x33f54:$str03: steam_tokens.txt 0x33be8:$str04: "encrypted_key":" 0x33d10:$str05: prefs.js 0x33d88:$str06: browser: FileZilla 0x33d9c:$str07: profile: null 0x33dac:$str08: url: 0x33db4:$str09: login: 0x33dbc:$str10: password:
Click to see the 13 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1872729807.0000000001A78000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: StealC {"C2 url": "http://185.216.71.4/feed7c30357659ed.php", "Botnet": "meetvoov"}

Multi AV Scanner detection for submitted file

Source: WC2SD38tcf.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: WC2SD38tcf.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: 15
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: 01
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: 20
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: 25
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetProcAddress
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: LoadLibraryA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: lstrcatA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: OpenEventA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CreateEventA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CloseHandle
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Sleep
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: VirtualFree
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetSystemInfo
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: VirtualAlloc
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: HeapAlloc
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetComputerNameA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: lstrcpyA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetProcessHeap
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetCurrentProcess
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: lstrlenA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: ExitProcess
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetSystemTime
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: advapi32.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: gdi32.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: user32.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: crypt32.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetUserNameA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CreateDCA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetDeviceCaps
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: ReleaseDC
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: sscanf
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: VMwareVMware
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: HAL9TH
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: JohnDoe
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: DISPLAY
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: http://185.216.71.4
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: /feed7c30357659ed.php
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: /01210a7d1761b27e/
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: meetvoov
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetFileAttributesA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: HeapFree
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetFileSize
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GlobalSize
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: IsWow64Process
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Process32Next
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetLocalTime
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: FreeLibrary
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetVolumeInformationA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Process32First
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetModuleFileNameA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: DeleteFileA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: FindNextFileA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: LocalFree
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: FindClose
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: LocalAlloc
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetFileSizeEx
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: ReadFile
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: SetFilePointer
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: WriteFile
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CreateFileA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: FindFirstFileA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CopyFileA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: VirtualProtect
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetLastError
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: lstrcpynA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: MultiByteToWideChar
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GlobalFree
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: WideCharToMultiByte
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GlobalAlloc
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: OpenProcess
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: TerminateProcess
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetCurrentProcessId
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: gdiplus.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: ole32.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: bcrypt.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: wininet.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: shlwapi.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: shell32.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: rstrtmgr.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: SelectObject
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: BitBlt
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: DeleteObject
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CreateCompatibleDC
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GdiplusStartup
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GdiplusShutdown
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GdipDisposeImage
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GdipFree
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CoUninitialize
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CoInitialize
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CoCreateInstance
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: BCryptDecrypt
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: BCryptSetProperty
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: BCryptDestroyKey
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetWindowRect
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetDesktopWindow
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetDC
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CloseWindow
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: wsprintfA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CharToOemW
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: wsprintfW
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: RegQueryValueExA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: RegEnumKeyExA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: RegOpenKeyExA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: RegCloseKey
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: RegEnumValueA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CryptUnprotectData
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: SHGetFolderPathA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: ShellExecuteExA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: InternetOpenUrlA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: InternetConnectA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: InternetCloseHandle
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: HttpSendRequestA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: HttpOpenRequestA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: InternetReadFile
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: InternetCrackUrlA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: StrCmpCA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: StrStrA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: StrCmpCW
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: PathMatchSpecA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: RmStartSession
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: RmRegisterResources
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: RmGetList
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: RmEndSession
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: sqlite3_open
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: sqlite3_step
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: sqlite3_column_text
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: sqlite3_finalize
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: sqlite3_close
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: sqlite3_column_blob
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: encrypted_key
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: PATH
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: NSS_Init
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: NSS_Shutdown
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: PK11_FreeSlot
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: PK11_Authenticate
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: C:\ProgramData\
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: browser:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: profile:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: url:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: login:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: password:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Opera
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: OperaGX
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Network
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: cookies
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: .txt
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: TRUE
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: FALSE
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: autofill
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: history
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: cc
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: name:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: month:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: year:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: card:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Cookies
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Login Data
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Web Data
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: History
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: logins.json
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: formSubmitURL
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: usernameField
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: encryptedUsername
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: encryptedPassword
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: guid
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: cookies.sqlite
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: formhistory.sqlite
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: places.sqlite
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: plugins
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Local Extension Settings
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Sync Extension Settings
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: IndexedDB
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Opera Stable
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Opera GX Stable
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: CURRENT
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: chrome-extension_
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Local State
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: profiles.ini
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: chrome
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: opera
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: firefox
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: wallets
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: ProductName
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: x32
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: x64
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: DisplayName
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: DisplayVersion
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Network Info:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - IP: IP?
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - Country: ISO?
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: System Summary:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - HWID:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - OS:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - Architecture:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - UserName:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - Computer Name:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - Local Time:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - UTC:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - Language:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - Keyboards:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - Laptop:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - Running Path:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - CPU:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - Threads:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - Cores:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - RAM:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - Display Resolution:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: - GPU:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: User Agents:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Installed Apps:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: All Users:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Current User:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Process List:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: system_info.txt
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: freebl3.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: mozglue.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: msvcp140.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: nss3.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: softokn3.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: vcruntime140.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: \Temp\
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: .exe
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: runas
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: open
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: /c start
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: %DESKTOP%
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: %APPDATA%
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: %USERPROFILE%
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: %DOCUMENTS%
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: %RECENT%
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: *.lnk
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: files
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: \discord\
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: \Telegram Desktop\
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: key_datas
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: map*
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Telegram
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Tox
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: *.tox
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: *.ini
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Password
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: 00000001
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: 00000002
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: 00000003
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: 00000004
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Pidgin
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: \.purple\
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: accounts.xml
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: token:
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Software\Valve\Steam
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: SteamPath
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: \config\
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: ssfn*
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: config.vdf
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: DialogConfig.vdf
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: libraryfolders.vdf
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: loginusers.vdf
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: \Steam\
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: sqlite3.dll
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: done
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: soft
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: https
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: POST
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: HTTP/1.1
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: hwid
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: build
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: token
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: file_name
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: file
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: message
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack	String decryptor: screenshot.jpg

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00434B80 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,	2_2_00434B80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00436000 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,	2_2_00436000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00437690 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	2_2_00437690
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00454090 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	2_2_00454090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00439BE0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	2_2_00439BE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00439B80 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	2_2_00439B80

Source: WC2SD38tcf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: WC2SD38tcf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: WC2SD38tcf.exe, 00000000.00000002.1872729807.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: WC2SD38tcf.exe, 00000000.00000002.1872729807.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.216.71.4/feed7c30357659ed.php

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.216.71.4Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

ASN Name: CLOUDCOMPUTINGDE CLOUDCOMPUTINGDE

Source: unknown	TCP traffic detected without corresponding DNS query: 185.216.71.4
Source: unknown	TCP traffic detected without corresponding DNS query: 185.216.71.4
Source: unknown	TCP traffic detected without corresponding DNS query: 185.216.71.4
Source: unknown	TCP traffic detected without corresponding DNS query: 185.216.71.4
Source: unknown	TCP traffic detected without corresponding DNS query: 185.216.71.4

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_004356C0 lstrcpy,lstrlenA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,memcpy,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

2_2_004356C0

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.216.71.4Connection: Keep-AliveCache-Control: no-cache

Source: BitLockerToGo.exe, 00000002.00000002.2213338623.0000000000777000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.71.4
Source: BitLockerToGo.exe, 00000002.00000002.2213338623.0000000000777000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2213338623.00000000007C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.71.4/
Source: BitLockerToGo.exe, 00000002.00000002.2213338623.00000000007C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.71.4/7
Source: BitLockerToGo.exe, 00000002.00000002.2213338623.0000000000777000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.71.4/Bw
Source: BitLockerToGo.exe, 00000002.00000002.2213338623.00000000007C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.71.4/w8w
Source: BitLockerToGo.exe, 00000002.00000002.2213338623.0000000000777000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.71.4W6
Source: WC2SD38tcf.exe	String found in binary or memory: http://www.the-sz.com/F

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00439876 CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlenA,wsprintfA,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop,

2_2_00439876

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.WC2SD38tcf.exe.1a78000.1.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 0.2.WC2SD38tcf.exe.1902000.4.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 0.2.WC2SD38tcf.exe.1a3c000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 0.2.WC2SD38tcf.exe.1a78000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 0.2.WC2SD38tcf.exe.1902000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 0.2.WC2SD38tcf.exe.1a3c000.2.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 2.2.BitLockerToGo.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 00000000.00000002.1872729807.0000000001C1A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1872729807.0000000001A3C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 00000000.00000002.1872729807.0000000001A78000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 00000000.00000002.1872729807.0000000001AB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 00000000.00000002.1872729807.0000000001B68000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1872729807.0000000001902000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 00000000.00000002.1872729807.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Users\user\Desktop\WC2SD38tcf.exe

Code function: 0_2_00EABD40 DuplicateHandle,GetCurrentThreadId,CreateWaitableTimerExW,CreateWaitableTimerExW,NtCreateWaitCompletionPacket,VirtualQuery,

0_2_00EABD40

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: String function: 00434980 appears 317 times

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7948 -s 1236

Source: WC2SD38tcf.exe, 00000000.00000002.1870391240.00000000012B7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBennett.exe vs WC2SD38tcf.exe
Source: WC2SD38tcf.exe, 00000000.00000002.1872729807.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs WC2SD38tcf.exe
Source: WC2SD38tcf.exe	Binary or memory string: OriginalFilenameBennett.exe vs WC2SD38tcf.exe

Source: WC2SD38tcf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.WC2SD38tcf.exe.1a78000.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 0.2.WC2SD38tcf.exe.1902000.4.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 0.2.WC2SD38tcf.exe.1a3c000.2.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 0.2.WC2SD38tcf.exe.1a78000.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 0.2.WC2SD38tcf.exe.1902000.4.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 0.2.WC2SD38tcf.exe.1a3c000.2.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 2.2.BitLockerToGo.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 00000000.00000002.1872729807.0000000001C1A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1872729807.0000000001A3C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 00000000.00000002.1872729807.0000000001A78000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 00000000.00000002.1872729807.0000000001AB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 00000000.00000002.1872729807.0000000001B68000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1872729807.0000000001902000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 00000000.00000002.1872729807.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/0@0/1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_004546C0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,

2_2_004546C0

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\29caf5cd-7b8b-486d-9128-5cb264b5cb0d

Jump to behavior

Source: WC2SD38tcf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\WC2SD38tcf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WC2SD38tcf.exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\WC2SD38tcf.exe "C:\Users\user\Desktop\WC2SD38tcf.exe"
Source: C:\Users\user\Desktop\WC2SD38tcf.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7948 -s 1236
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7948 -s 1260
Source: C:\Users\user\Desktop\WC2SD38tcf.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\WC2SD38tcf.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\WC2SD38tcf.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: WC2SD38tcf.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: WC2SD38tcf.exe

Static file information: File size 4450304 > 1048576

Source: WC2SD38tcf.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1cce00
Source: WC2SD38tcf.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1d1800

Source: WC2SD38tcf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: WC2SD38tcf.exe, 00000000.00000002.1872729807.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: WC2SD38tcf.exe, 00000000.00000002.1872729807.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00456710 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00456710

Source: WC2SD38tcf.exe

Static PE information: real checksum: 0x448c81 should be: 0x4456b4

Source: WC2SD38tcf.exe

Static PE information: section name: .symtab

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

2_2_00456710

Source: C:\Users\user\Desktop\WC2SD38tcf.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_2-5435

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: BitLockerToGo.exe, 00000002.00000002.2213338623.0000000000777000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: BitLockerToGo.exe, 00000002.00000002.2213338623.00000000007D4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2213338623.00000000007AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: WC2SD38tcf.exe, 00000000.00000002.1870690676.000000000137C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: BitLockerToGo.exe, 00000002.00000002.2213338623.00000000007D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW!

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00434980 VirtualProtect 00000000,00000004,00000100,?

2_2_00434980

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

2_2_00456710

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_004563C0 mov eax, dword ptr fs:[00000030h]

2_2_004563C0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00452A70 GetProcessHeap,HeapAlloc,GetComputerNameA,

2_2_00452A70

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: WC2SD38tcf.exe PID: 7680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7948, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\WC2SD38tcf.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 430000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\WC2SD38tcf.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 430000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_004546C0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,

2_2_004546C0

Writes to foreign memory regions

Source: C:\Users\user\Desktop\WC2SD38tcf.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 210008	Jump to behavior
Source: C:\Users\user\Desktop\WC2SD38tcf.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\WC2SD38tcf.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 431000	Jump to behavior
Source: C:\Users\user\Desktop\WC2SD38tcf.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 45B000	Jump to behavior
Source: C:\Users\user\Desktop\WC2SD38tcf.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 467000	Jump to behavior
Source: C:\Users\user\Desktop\WC2SD38tcf.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 67A000	Jump to behavior

Source: C:\Users\user\Desktop\WC2SD38tcf.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\WC2SD38tcf.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WC2SD38tcf.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WC2SD38tcf.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WC2SD38tcf.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WC2SD38tcf.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00453E10 lstrcpy,lstrcpy,GetSystemTime,

2_2_00453E10

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_004529E0 GetProcessHeap,HeapAlloc,GetUserNameA,

2_2_004529E0

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.WC2SD38tcf.exe.1a78000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WC2SD38tcf.exe.1902000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WC2SD38tcf.exe.1ab4000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WC2SD38tcf.exe.1a3c000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WC2SD38tcf.exe.1a78000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WC2SD38tcf.exe.1902000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WC2SD38tcf.exe.1a3c000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.BitLockerToGo.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2213338623.0000000000777000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1872729807.0000000001A3C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1872729807.0000000001A78000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1872729807.0000000001AB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1872729807.0000000001902000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1872729807.000000000193E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WC2SD38tcf.exe PID: 7680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.WC2SD38tcf.exe.1a78000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WC2SD38tcf.exe.1902000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WC2SD38tcf.exe.1ab4000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WC2SD38tcf.exe.1ab4000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WC2SD38tcf.exe.1a3c000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WC2SD38tcf.exe.1a78000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WC2SD38tcf.exe.1902000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WC2SD38tcf.exe.1a3c000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.BitLockerToGo.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2213338623.0000000000777000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1872729807.0000000001A3C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1872729807.0000000001A78000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1872729807.0000000001AB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1872729807.0000000001902000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1872729807.000000000193E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WC2SD38tcf.exe PID: 7680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 Create Account	411 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	11 System Time Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	411 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	12 Process Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
WC2SD38tcf.exe	55%	ReversingLabs	Win32.Spyware.Stealc
WC2SD38tcf.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://185.216.71.4/Bw	0%	Avira URL Cloud	safe
http://www.the-sz.com/F	0%	Avira URL Cloud	safe
http://185.216.71.4	0%	Avira URL Cloud	safe
http://185.216.71.4W6	0%	Avira URL Cloud	safe
http://185.216.71.4/feed7c30357659ed.php	0%	Avira URL Cloud	safe
http://185.216.71.4/	0%	Avira URL Cloud	safe
http://185.216.71.4/w8w	0%	Avira URL Cloud	safe
http://185.216.71.4/7	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.216.71.4/	true	Avira URL Cloud: safe	unknown
http://185.216.71.4/feed7c30357659ed.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.216.71.4/Bw	BitLockerToGo.exe, 00000002.00000002.2213338623.0000000000777000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.216.71.4W6	BitLockerToGo.exe, 00000002.00000002.2213338623.0000000000777000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.216.71.4/w8w	BitLockerToGo.exe, 00000002.00000002.2213338623.00000000007C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.216.71.4/7	BitLockerToGo.exe, 00000002.00000002.2213338623.00000000007C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.the-sz.com/F	WC2SD38tcf.exe	false	Avira URL Cloud: safe	unknown
http://185.216.71.4	BitLockerToGo.exe, 00000002.00000002.2213338623.0000000000777000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.216.71.4	unknown	Germany		43659	CLOUDCOMPUTINGDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582088
Start date and time:	2024-12-29 23:56:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WC2SD38tcf.exe renamed because original name is a hash value
Original Sample Name:	46DD34531761BBC552766131C1AC05CA.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/0@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 91% Number of executed functions: 17 Number of non-executed functions: 45
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target WC2SD38tcf.exe, PID 7680 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: WC2SD38tcf.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.216.71.4	1111110789_stripped.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
185.216.71.4	Scanned_V11230111111PDF-clean.exe	Get hash	malicious	AsyncRAT, DcRat	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDCOMPUTINGDE	hidakibest.arm6.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.216.71.152
	hidakibest.ppc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.216.71.152
	hidakibest.mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.216.71.152
	hidakibest.x86.elf	Get hash	malicious	Mirai, Gafgyt	Browse	185.216.71.152
	hidakibest.arm5.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.216.71.152
	hidakibest.arm4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.216.71.152
	hidakibest.mpsl.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.216.71.152
	hidakibest.arm7.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.216.71.152
	hidakibest.sparc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.216.71.152
	https://www.google.gr/url?url=https://pniuvlpkjqhdwff&exox=rvhqtix&eaydny=ysf&gzfds=lqrwiz&nci=qtwmzch&iccvb=yhwtsp&vtqs=avtajyu&oagvzgp=irlq&mvdoc=embwrj&yylmwei=tmn&mntt=qqcvuhkd&lkydbjfiod=izjcgyubqc&q=amp/anre6g6.j%c2%adh%c2%adhn%c2%adt%c2%addd%c2%adsm%c2%ado%c2%admcw%c2%adw%c2%adgu%c2%adno.com%e2%80%8b/99twfh3p8&gcyx=ncgobia&yfevoul=wtloixvv&hukl=qfkmtky&nlhwnbr=bwkoiopy&eqfw=bmcpntp&vlvegw=zdbpajeyq&ghrv=kcdfwrl&kyddme=myxsnvtxf&asco=mgumegd&dvvibf=hzfexefeg&osme=bdyguyp&njtjvd=bkelfwmxg&bxrb=ltpyjsv&girpat=lswjchrwc&qapj=wwwowde&vahefc=ghseyzgyf&ahaj=zfqmkuo&pfsfeu=ttucmtamu&sffs=oxaajjo&hbwhgy=mgfzglmmo&bdwl=oifsufx&befsmv=jskhtmnps&sfjy=powmsnr&zixjqp=jyttdwbmu&fzkp=hztiqjm&jmzuvc=ufyoeqgfi&zujr=jxtbdtg&plvxoh=fxumxxddw&nkin=ykbzrdh&lghzli=agvbttfta&suag=ioudcjc&zpptpx=dxacgdnox&hmfz=yueoymp&fnshpz=wgayslegy&gjtg=qcjjozv&rymask=thcxzfpca&zcgn=ywtonnx&kqrpog=kgfvcqswk&imwa=wlvocxf&ggqznt=budaflbgp&zjhr=zscgach&esrhmq=qjdngljnl&ppoz=nhwzlik&zejsqg=vnvpaymyl&dnqb=kjswpyt&kunwbg=pzauoqliz&bqlz=qabnsnu&dlfnsr=dakxdfzen&uffg=uwnswdr&ywjevz=bnvkfavcb&rrob=celdmvn&czdusr=sjfjazfqw&ipgr=exylggn&fltcvh=sdfsricvf&byfs=apntxot&javhwh=nyphchiee&owbh=haflpez&mbyvqw=pdzpxeedx&ejov=taakkyw&oylsfz=qnzuplrnz&hxrq=ovegslq&duqjcc=pjwdpyvec&uoec=pjouxrb&eiezwk=okbkttiao&knji=kcmfaqe&qmathj=vymnqrvxa&gajs=riewukz&czxhiu=uysriqpma&avwe=gssbenk&jnwgpb=iqkroelwx&sjyt=zhxfzpx&liqoqs=bbajxgpxm&dqqu=ztzooam&haagcu=gkijlwgjy&mnsq=uervedi&yckhpb=ngqrbrqpc&pkne=nwisdfz&eqsiqu=mlrhvpuav	Get hash	malicious	Unknown	Browse	85.31.47.165

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.15155936331238
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WC2SD38tcf.exe
File size:	4'450'304 bytes
MD5:	46dd34531761bbc552766131c1ac05ca
SHA1:	77de42cebb838e1c33baf9e05dffcc72b193ec8e
SHA256:	bf142408e335b4fe9f03495b4eaf5629b30f8d9c7433c44b7532d42c67b4ad3f
SHA512:	73f55f275b3d5220ccecb14fb2466a816ad14abfc863764b81be425b366f0681f693339fd15613761a997be1e6d78e2d72cea3282bb50dca54472ae5aac68f17
SSDEEP:	49152:ImwTL1n769zo6wqdvplsq9oLc9sf/sygrCqEVjOCszxGsbcKPkQxnK:gLJ96BOc9B4KcK8cn
TLSH:	02260501FE8788F5D80318306156623B9B315E058B35CBF7FAAC7A1AFB776954C3A609
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........<.........................0.........:...@...........................F.......D...@................................

File Icon


Icon Hash:	137165f1f1653317

Static PE Info

General

Entrypoint:	0x461830
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	1aae8bf580c846f39c71c05898e57e88

Entrypoint Preview

Instruction
jmp 00007F22810C0720h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007F22810A1586h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
add eax, 000013A0h
mov dword ptr [edx+08h], eax
mov dword ptr [edx+0Ch], eax
lea edi, dword ptr [ecx+34h]
mov dword ptr [edx+18h], ecx
mov dword ptr [edi], edx
mov dword ptr [esp+04h], edi
call 00007F22810C2B84h
cld
call 00007F22810C1C0Eh
call 00007F22810C0849h
add esp, 08h
ret
jmp 00007F22810C2A30h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ebx, dword ptr [esp+04h]
mov ebp, esp
mov dword ptr fs:[00000034h], 00000000h
mov ecx, dword ptr [ebx+04h]
cmp ecx, 00000000h
je 00007F22810C2A31h
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3dc000	0x44c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3f3000	0x757d9	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3dd000	0x14e80	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3a02e0	0xb4	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1ccd48	0x1cce00	70d6e4f0f5b43f3f5783162fe9f3cb5d	False	0.41040416497152155	data	6.046111209055693	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1ce000	0x1d17b4	0x1d1800	b533bb4a6a6e73cfd778472f950c3d8c	False	0.47142846653464016	data	5.889921259296244	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3a0000	0x3b900	0x14e00	008d7d90a67864bb69f788ad0dc86ae4	False	0.4681184505988024	data	5.00042104052368	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x3dc000	0x44c	0x600	3daed61b4b512802c93b62b45519e6ed	False	0.3600260416666667	OpenPGP Public Key	3.874332394538109	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x3dd000	0x14e80	0x15000	4f23ac86a6e033945d7e3d0a5e4e5c42	False	0.5859258742559523	data	6.592882314258954	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x3f2000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x3f3000	0x757d9	0x75800	d02f54899ee6c64c28d357b12c6a75ee	False	0.2248005319148936	data	4.159665070364544	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3f45a0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	German	Germany	0.2524390243902439
RT_ICON	0x3f4c08	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	German	Germany	0.3817204301075269
RT_ICON	0x3f4ef0	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	German	Germany	0.45081967213114754
RT_ICON	0x3f50d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	German	Germany	0.543918918918919
RT_ICON	0x3f5200	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	German	Germany	0.34461620469083154
RT_ICON	0x3f60a8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	German	Germany	0.421028880866426
RT_ICON	0x3f6950	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	German	Germany	0.41013824884792627
RT_ICON	0x3f7018	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	German	Germany	0.3540462427745665
RT_ICON	0x3f7580	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	German	Germany	0.05982409681332663
RT_ICON	0x4395a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	German	Germany	0.21991701244813278
RT_ICON	0x43bb50	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	German	Germany	0.2903377110694184
RT_ICON	0x43cbf8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	German	Germany	0.3717213114754098
RT_ICON	0x43d580	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	German	Germany	0.5115248226950354
RT_ICON	0x43d9e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	German	Germany	0.4515895953757225
RT_ICON	0x43df50	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	German	Germany	0.586405529953917
RT_ICON	0x43e618	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	German	Germany	0.6353790613718412
RT_ICON	0x43eec0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	German	Germany	0.5186170212765957
RT_ICON	0x43f328	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	German	Germany	0.43073770491803276
RT_ICON	0x43fcb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	German	Germany	0.3731238273921201
RT_ICON	0x440d58	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	German	Germany	0.6976534296028881
RT_ICON	0x441600	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	German	Germany	0.5086405529953917
RT_ICON	0x441cc8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	German	Germany	0.3157514450867052
RT_ICON	0x442230	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	German	Germany	0.6822232645403377
RT_ICON	0x4432d8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	German	Germany	0.7413934426229508
RT_ICON	0x443c60	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	German	Germany	0.7960992907801419
RT_ICON	0x4440c8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	German	Germany	0.7021660649819494
RT_ICON	0x444970	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	German	Germany	0.511520737327189
RT_ICON	0x445038	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	German	Germany	0.3179190751445087
RT_ICON	0x4455a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	German	Germany	0.6812851782363978
RT_ICON	0x446648	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	German	Germany	0.7401639344262295
RT_ICON	0x446fd0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	German	Germany	0.7943262411347518
RT_ICON	0x447438	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	German	Germany	0.7098375451263538
RT_ICON	0x447ce0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	German	Germany	0.7016129032258065
RT_ICON	0x4483a8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	German	Germany	0.4848265895953757
RT_ICON	0x448910	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	German	Germany	0.5180581613508443
RT_ICON	0x4499b8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	German	Germany	0.635655737704918
RT_ICON	0x44a340	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	German	Germany	0.6719858156028369
RT_ICON	0x44a7a8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	German	Germany	0.6570397111913358
RT_ICON	0x44b050	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	German	Germany	0.7137096774193549
RT_ICON	0x44b718	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	German	Germany	0.45447976878612717
RT_ICON	0x44bc80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	German	Germany	0.4549718574108818
RT_ICON	0x44cd28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	German	Germany	0.5918032786885246
RT_ICON	0x44d6b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	German	Germany	0.5390070921985816
RT_ICON	0x44db18	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	German	Germany	0.36824324324324326
RT_ICON	0x44dc40	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	German	Germany	0.375
RT_ICON	0x44dd68	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	German	Germany	0.3722924187725632
RT_ICON	0x44e610	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	German	Germany	0.3511560693641618
RT_ICON	0x44eb78	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	German	Germany	0.46669793621013134
RT_ICON	0x44fc20	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	German	Germany	0.6675531914893617
RT_ICON	0x450088	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	German	Germany	0.2378158844765343
RT_ICON	0x450930	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	German	Germany	0.2413594470046083
RT_ICON	0x450ff8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	German	Germany	0.21242774566473988
RT_ICON	0x451560	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	German	Germany	0.5098499061913696
RT_ICON	0x452608	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	German	Germany	0.5774590163934427
RT_ICON	0x452f90	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	German	Germany	0.6781914893617021
RT_ICON	0x4533f8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	German	Germany	0.7739169675090253
RT_ICON	0x453ca0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	German	Germany	0.815668202764977
RT_ICON	0x454368	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	German	Germany	0.6625722543352601
RT_ICON	0x4548d0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	German	Germany	0.6402439024390244
RT_ICON	0x455978	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	German	Germany	0.7487704918032787
RT_ICON	0x456300	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	German	Germany	0.7872340425531915
RT_ICON	0x456768	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	German	Germany	0.45081967213114754
RT_ICON	0x456950	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	German	Germany	0.543918918918919
RT_ICON	0x456a78	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	German	Germany	0.3425090252707581
RT_ICON	0x457320	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	German	Germany	0.41013824884792627
RT_ICON	0x4579e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	German	Germany	0.3540462427745665
RT_ICON	0x457f50	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	German	Germany	0.2903377110694184
RT_ICON	0x458ff8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	German	Germany	0.3717213114754098
RT_ICON	0x459980	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	German	Germany	0.5115248226950354
RT_ICON	0x459de8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	German	Germany	0.5573104693140795
RT_ICON	0x45a690	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	German	Germany	0.5455069124423964
RT_ICON	0x45ad58	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	German	Germany	0.3699421965317919
RT_ICON	0x45b2c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	German	Germany	0.40619136960600377
RT_ICON	0x45c368	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	German	Germany	0.5790983606557377
RT_ICON	0x45ccf0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	German	Germany	0.5815602836879432
RT_ICON	0x45d158	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	German	Germany	0.4166666666666667
RT_ICON	0x45d5c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	German	Germany	0.3076923076923077
RT_ICON	0x45e668	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	German	Germany	0.3528368794326241
RT_ICON	0x45ead0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	German	Germany	0.225140712945591
RT_ICON	0x45fb78	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	German	Germany	0.37943262411347517
RT_ICON	0x45ffe0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	German	Germany	0.19840525328330205
RT_ICON	0x461088	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	German	Germany	0.2527075812274368
RT_ICON	0x461930	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	German	Germany	0.326036866359447
RT_ICON	0x461ff8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	German	Germany	0.2514450867052023
RT_ICON	0x462560	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	German	Germany	0.19817073170731708
RT_ICON	0x463608	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	German	Germany	0.3889344262295082
RT_ICON	0x463f90	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	German	Germany	0.37145390070921985
RT_ICON	0x4643f8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	German	Germany	0.6209386281588448
RT_ICON	0x464ca0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	German	Germany	0.6566820276497696
RT_ICON	0x465368	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	German	Germany	0.4429190751445087
RT_ICON	0x4658d0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	German	Germany	0.4821763602251407
RT_ICON	0x466978	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	German	Germany	0.5836065573770491
RT_ICON	0x467300	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	German	Germany	0.6799645390070922
RT_GROUP_ICON	0x467768	0xbc	data	German	Germany	0.5904255319148937
RT_GROUP_ICON	0x467824	0x5a	data	German	Germany	0.7444444444444445
RT_GROUP_ICON	0x467880	0x5a	data	German	Germany	0.7555555555555555
RT_GROUP_ICON	0x4678dc	0x5a	data	German	Germany	0.7444444444444445
RT_GROUP_ICON	0x467938	0x5a	data	German	Germany	0.7555555555555555
RT_GROUP_ICON	0x467994	0x5a	data	German	Germany	0.7666666666666667
RT_GROUP_ICON	0x4679f0	0x14	data	German	Germany	1.25
RT_GROUP_ICON	0x467a04	0x14	data	German	Germany	1.25
RT_GROUP_ICON	0x467a18	0x3e	data	German	Germany	0.8387096774193549
RT_GROUP_ICON	0x467a58	0x5a	data	German	Germany	0.7666666666666667
RT_GROUP_ICON	0x467ab4	0x5a	data	German	Germany	0.7666666666666667
RT_GROUP_ICON	0x467b10	0x76	data	German	Germany	0.7203389830508474
RT_GROUP_ICON	0x467b88	0x5a	data	German	Germany	0.7666666666666667
RT_GROUP_ICON	0x467be4	0x22	data	German	Germany	1.0294117647058822
RT_GROUP_ICON	0x467c08	0x22	data	German	Germany	1.0294117647058822
RT_GROUP_ICON	0x467c2c	0x22	data	German	Germany	1.0294117647058822
RT_GROUP_ICON	0x467c50	0x5a	data	German	Germany	0.7666666666666667
RT_GROUP_ICON	0x467cac	0x5a	data	German	Germany	0.7666666666666667
RT_VERSION	0x467d08	0x3d0	data	German	Germany	0.4456967213114754
RT_MANIFEST	0x4680d8	0x701	XML 1.0 document, ASCII text, with CRLF line terminators	German	Germany	0.403792526491913

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
German	Germany

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 23:57:17.931885004 CET	49736	80	192.168.2.4	185.216.71.4
Dec 29, 2024 23:57:17.936727047 CET	80	49736	185.216.71.4	192.168.2.4
Dec 29, 2024 23:57:17.936805010 CET	49736	80	192.168.2.4	185.216.71.4
Dec 29, 2024 23:57:17.937006950 CET	49736	80	192.168.2.4	185.216.71.4
Dec 29, 2024 23:57:17.941797018 CET	80	49736	185.216.71.4	192.168.2.4
Dec 29, 2024 23:57:39.303431034 CET	80	49736	185.216.71.4	192.168.2.4
Dec 29, 2024 23:57:39.303508043 CET	49736	80	192.168.2.4	185.216.71.4
Dec 29, 2024 23:57:39.303812027 CET	49736	80	192.168.2.4	185.216.71.4
Dec 29, 2024 23:57:39.308614016 CET	80	49736	185.216.71.4	192.168.2.4

HTTP Request Dependency Graph

185.216.71.4

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	185.216.71.4	80	7948	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 23:57:17.937006950 CET	87	OUT	GET / HTTP/1.1 Host: 185.216.71.4 Connection: Keep-Alive Cache-Control: no-cache

Target ID:	0
Start time:	17:56:55
Start date:	29/12/2024
Path:	C:\Users\user\Desktop\WC2SD38tcf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WC2SD38tcf.exe"
Imagebase:	0xe80000
File size:	4'450'304 bytes
MD5 hash:	46DD34531761BBC552766131C1AC05CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1872729807.0000000001C1A000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1872729807.0000000001A3C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: infostealer_win_stealc_str_oct24, Description: Finds Stealc standalone samples (or dumps) based on the strings, Source: 00000000.00000002.1872729807.0000000001A3C000.00000004.00001000.00020000.00000000.sdmp, Author: Sekoia.io Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1872729807.0000000001A78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: infostealer_win_stealc_str_oct24, Description: Finds Stealc standalone samples (or dumps) based on the strings, Source: 00000000.00000002.1872729807.0000000001A78000.00000004.00001000.00020000.00000000.sdmp, Author: Sekoia.io Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1872729807.0000000001AB4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: infostealer_win_stealc_str_oct24, Description: Finds Stealc standalone samples (or dumps) based on the strings, Source: 00000000.00000002.1872729807.0000000001AB4000.00000004.00001000.00020000.00000000.sdmp, Author: Sekoia.io Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1872729807.0000000001B68000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1872729807.0000000001902000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: infostealer_win_stealc_str_oct24, Description: Finds Stealc standalone samples (or dumps) based on the strings, Source: 00000000.00000002.1872729807.0000000001902000.00000004.00001000.00020000.00000000.sdmp, Author: Sekoia.io Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1872729807.000000000193E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1872729807.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:57:15
Start date:	29/12/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0x9a0000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2213338623.0000000000777000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:57:50
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7948 -s 1236
Imagebase:	0x580000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:57:50
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7948 -s 1260
Imagebase:	0x580000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00EABD40 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1869627660.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1869606143.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869808984.000000000104E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869808984.0000000001132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869808984.0000000001136000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869808984.000000000114F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869808984.0000000001154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869808984.0000000001158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870111989.0000000001220000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870136214.0000000001221000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870156729.0000000001222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870179048.0000000001223000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870237151.000000000122C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870237151.000000000123C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870237151.0000000001240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870237151.0000000001254000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870351978.000000000125C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870391240.000000000125D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870391240.0000000001273000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870391240.0000000001279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870391240.00000000012B7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_WC2SD38tcf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ffa1f1293cc410ea7c120c3c1e42eaca32f1f1c7c3ba42b2e5291a6983ea09
Instruction ID: 3d4b7fad7a1745a0afb6211e0fd48a1099b605ea415bd25fb1ac440ae5b03344
Opcode Fuzzy Hash: 42ffa1f1293cc410ea7c120c3c1e42eaca32f1f1c7c3ba42b2e5291a6983ea09
Instruction Fuzzy Hash: EE51F4B45083418FC314DF24E09875ABBF0BB89718F10996CE4989B3A2D776E945CF42

Analysis Process: BitLockerToGo.exePID: 7948, Parent PID: 7680COMMON

Execution Graph

Execution Coverage:	19.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	26.4%
Total number of Nodes:	1349
Total number of Limit Nodes:	40

Executed Functions

Function 00456710 Relevance: 256.2, APIs: 115, Strings: 31, Instructions: 696
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,0077D618), ref: 00456725
GetProcAddress.KERNEL32(74DD0000,0077D6D8), ref: 0045673D
GetProcAddress.KERNEL32(74DD0000,0077B078), ref: 00456756
GetProcAddress.KERNEL32(74DD0000,0077B090), ref: 0045676E
GetProcAddress.KERNEL32(74DD0000,0077B1C8), ref: 00456786
GetProcAddress.KERNEL32(74DD0000,0077B288), ref: 0045679F
GetProcAddress.KERNEL32(74DD0000,00780580), ref: 004567B7
GetProcAddress.KERNEL32(74DD0000,0077B270), ref: 004567CF
GetProcAddress.KERNEL32(74DD0000,0077B2D0), ref: 004567E8
GetProcAddress.KERNEL32(74DD0000,0077B1B0), ref: 00456800
GetProcAddress.KERNEL32(74DD0000,0077B300), ref: 00456818
GetProcAddress.KERNEL32(74DD0000,0077D798), ref: 00456831
GetProcAddress.KERNEL32(74DD0000,0077D7B8), ref: 00456849
GetProcAddress.KERNEL32(74DD0000,0077D578), ref: 00456861
GetProcAddress.KERNEL32(74DD0000,0077D6B8), ref: 0045687A
GetProcAddress.KERNEL32(74DD0000,0077B0D8), ref: 00456892
GetProcAddress.KERNEL32(74DD0000,0077B0F0), ref: 004568AA
GetProcAddress.KERNEL32(74DD0000,007805D0), ref: 004568C3
GetProcAddress.KERNEL32(74DD0000,0077D638), ref: 004568DB
GetProcAddress.KERNEL32(74DD0000,0077B108), ref: 004568F3
GetProcAddress.KERNEL32(74DD0000,0077B3D8), ref: 0045690C
GetProcAddress.KERNEL32(74DD0000,0077B390), ref: 00456924
GetProcAddress.KERNEL32(74DD0000,0077B378), ref: 0045693C
GetProcAddress.KERNEL32(74DD0000,0077D6F8), ref: 00456955
GetProcAddress.KERNEL32(74DD0000,0077B3C0), ref: 0045696D
GetProcAddress.KERNEL32(74DD0000,0077B3A8), ref: 00456985
GetProcAddress.KERNEL32(74DD0000,0077B318), ref: 0045699E
GetProcAddress.KERNEL32(74DD0000,0077B330), ref: 004569B6
GetProcAddress.KERNEL32(74DD0000,0077B360), ref: 004569CE
GetProcAddress.KERNEL32(74DD0000,0077B348), ref: 004569E7
GetProcAddress.KERNEL32(74DD0000,007852B0), ref: 004569FF
GetProcAddress.KERNEL32(74DD0000,00785118), ref: 00456A17
GetProcAddress.KERNEL32(74DD0000,00785238), ref: 00456A30
GetProcAddress.KERNEL32(74DD0000,00779838), ref: 00456A48
GetProcAddress.KERNEL32(74DD0000,00785268), ref: 00456A60
GetProcAddress.KERNEL32(74DD0000,00785160), ref: 00456A79
GetProcAddress.KERNEL32(74DD0000,0077D7D8), ref: 00456A91
GetProcAddress.KERNEL32(74DD0000,00785310), ref: 00456AA9
GetProcAddress.KERNEL32(74DD0000,0077D7F8), ref: 00456AC2
GetProcAddress.KERNEL32(74DD0000,00785178), ref: 00456ADA
GetProcAddress.KERNEL32(74DD0000,007851A8), ref: 00456AF2
GetProcAddress.KERNEL32(74DD0000,0077D518), ref: 00456B0B
GetProcAddress.KERNEL32(74DD0000,0077D838), ref: 00456B23
LoadLibraryA.KERNELBASE(007851C0,0045067A), ref: 00456B35
LoadLibraryA.KERNELBASE(007852C8), ref: 00456B46
LoadLibraryA.KERNELBASE(007852E0), ref: 00456B58
LoadLibraryA.KERNELBASE(00785088), ref: 00456B6A
LoadLibraryA.KERNELBASE(00785058), ref: 00456B7B
LoadLibraryA.KERNELBASE(00785190), ref: 00456B8D
LoadLibraryA.KERNELBASE(00785250), ref: 00456B9F
LoadLibraryA.KERNELBASE(00785328), ref: 00456BB0
GetProcAddress.KERNEL32(75290000,0077D598), ref: 00456BCC
GetProcAddress.KERNEL32(75290000,00785280), ref: 00456BE4
GetProcAddress.KERNEL32(75290000,00784DC0), ref: 00456BFD
GetProcAddress.KERNEL32(75290000,007850B8), ref: 00456C15
GetProcAddress.KERNEL32(75290000,0077D858), ref: 00456C2D
GetProcAddress.KERNEL32(73440000,007802D8), ref: 00456C4D
GetProcAddress.KERNEL32(73440000,0077D4B8), ref: 00456C65
GetProcAddress.KERNEL32(73440000,00780300), ref: 00456C7E
GetProcAddress.KERNEL32(73440000,00785298), ref: 00456C96
GetProcAddress.KERNEL32(73440000,007852F8), ref: 00456CAE
GetProcAddress.KERNEL32(73440000,0077D4D8), ref: 00456CC7
GetProcAddress.KERNEL32(73440000,0077D4F8), ref: 00456CDF
GetProcAddress.KERNEL32(73440000,00785340), ref: 00456CF7
GetProcAddress.KERNEL32(752C0000,0077D538), ref: 00456D13
GetProcAddress.KERNEL32(752C0000,0077D5B8), ref: 00456D2B
GetProcAddress.KERNEL32(752C0000,007851D8), ref: 00456D44
GetProcAddress.KERNEL32(752C0000,007851F0), ref: 00456D5C
GetProcAddress.KERNEL32(752C0000,0077D5D8), ref: 00456D74
GetProcAddress.KERNEL32(74EC0000,00780418), ref: 00456D94
GetProcAddress.KERNEL32(74EC0000,00780490), ref: 00456DAC
GetProcAddress.KERNEL32(74EC0000,00785208), ref: 00456DC5
GetProcAddress.KERNEL32(74EC0000,00785700), ref: 00456DDD
GetProcAddress.KERNEL32(74EC0000,00785480), ref: 00456DF5
GetProcAddress.KERNEL32(74EC0000,00780350), ref: 00456E0E
GetProcAddress.KERNEL32(75BD0000,00785070), ref: 00456E2E
GetProcAddress.KERNEL32(75BD0000,00785540), ref: 00456E46
GetProcAddress.KERNEL32(75BD0000,00784CC0), ref: 00456E5F
GetProcAddress.KERNEL32(75BD0000,007850A0), ref: 00456E77
GetProcAddress.KERNEL32(75BD0000,007850D0), ref: 00456E8F
GetProcAddress.KERNEL32(75BD0000,00785720), ref: 00456EA8
GetProcAddress.KERNEL32(75BD0000,00785740), ref: 00456EC0
GetProcAddress.KERNEL32(75BD0000,00785220), ref: 00456ED8
GetProcAddress.KERNEL32(75BD0000,007850E8), ref: 00456EF1
GetProcAddress.KERNEL32(75BD0000,CreateDesktopA), ref: 00456F07
GetProcAddress.KERNEL32(75BD0000,OpenDesktopA), ref: 00456F1E
GetProcAddress.KERNEL32(75BD0000,CloseDesktop), ref: 00456F35
GetProcAddress.KERNEL32(75A70000,007857C0), ref: 00456F51
GetProcAddress.KERNEL32(75A70000,00785100), ref: 00456F69
GetProcAddress.KERNEL32(75A70000,00785130), ref: 00456F82
GetProcAddress.KERNEL32(75A70000,00785148), ref: 00456F9A
GetProcAddress.KERNEL32(75A70000,007853D0), ref: 00456FB2
GetProcAddress.KERNEL32(75450000,007857E0), ref: 00456FCE
GetProcAddress.KERNEL32(75450000,007854C0), ref: 00456FE6
GetProcAddress.KERNEL32(75DA0000,007857A0), ref: 00457002
GetProcAddress.KERNEL32(75DA0000,007853B8), ref: 0045701A
GetProcAddress.KERNEL32(6F070000,00785460), ref: 0045703A
GetProcAddress.KERNEL32(6F070000,00785520), ref: 00457052
GetProcAddress.KERNEL32(6F070000,007855C0), ref: 0045706B
GetProcAddress.KERNEL32(6F070000,00785418), ref: 00457083
GetProcAddress.KERNEL32(6F070000,00785760), ref: 0045709B
GetProcAddress.KERNEL32(6F070000,00785780), ref: 004570B4
GetProcAddress.KERNEL32(6F070000,00785800), ref: 004570CC
GetProcAddress.KERNEL32(6F070000,00785820), ref: 004570E4
GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 004570FB
GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00457112
GetProcAddress.KERNEL32(75AF0000,007853E8), ref: 0045712E
GetProcAddress.KERNEL32(75AF0000,00784E10), ref: 00457146
GetProcAddress.KERNEL32(75AF0000,00785358), ref: 0045715F
GetProcAddress.KERNEL32(75AF0000,00785370), ref: 00457177
GetProcAddress.KERNEL32(75D90000,007855E0), ref: 00457193
GetProcAddress.KERNEL32(6C890000,00785388), ref: 004571AF
GetProcAddress.KERNEL32(6C890000,007854A0), ref: 004571C7
GetProcAddress.KERNEL32(6C890000,007853A0), ref: 004571E0
GetProcAddress.KERNEL32(6C890000,00785400), ref: 004571F8

Strings

Wx, xrefs: 00456E95
Ux, xrefs: 0045718B
Rx, xrefs: 00456B4C
`Qx, xrefs: 00456A66
xQx, xrefs: 00456AD3
pPx, xrefs: 00456E26
Rx, xrefs: 00456EC6
@Sx, xrefs: 00456CE5
hRx, xrefs: 00456A4E
HttpQueryInfoA, xrefs: 00457107
XPx, xrefs: 00456B75
Ux, xrefs: 00457040
Wx, xrefs: 00456FC6
OpenDesktopA, xrefs: 00456F13
pSx, xrefs: 00457170
CloseDesktop, xrefs: 00456F2A
0Qx, xrefs: 00456F6F
@Wx, xrefs: 00456EB9
Sx, xrefs: 00457126
`Wx, xrefs: 00457089
`Tx, xrefs: 00457032
HQx, xrefs: 00456F93
PRx, xrefs: 00456B93
CreateDesktopA, xrefs: 00456F01
Px, xrefs: 00456EDE
8Rx, xrefs: 00456A1D
XSx, xrefs: 0045714C
(Sx, xrefs: 00456BAA
Xx, xrefs: 004570D2
InternetSetOptionA, xrefs: 004570F0
@Ux, xrefs: 00456E34

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: Rx$ Ux$ Wx$ Xx$(Sx$0Qx$8Rx$@Sx$@Ux$@Wx$CloseDesktop$CreateDesktopA$HQx$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA$PRx$XPx$XSx$`Qx$`Tx$`Wx$hRx$pPx$pSx$xQx$Px$Rx$Sx$Ux$Wx
API String ID: 2238633743-1523381997
Opcode ID: 7c3abb51a897597eac61b5ae117640cef264648494ea287a1ba750edb9b9c8c6
Instruction ID: 85a7507217240d6660cd2570c1b65a3777e12b47c0dd92a8e950fb54f2b9a64f
Opcode Fuzzy Hash: 7c3abb51a897597eac61b5ae117640cef264648494ea287a1ba750edb9b9c8c6
Instruction Fuzzy Hash: 1D623AB5618200AFD754DFB4EC88A263BBFF789345310AA1DED5683364DBB4A850DB70

Function 00434B80 Relevance: 119.8, APIs: 61, Strings: 7, Instructions: 807stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00434BAF
lstrcpy.KERNEL32(00000000,0045D014), ref: 00434C02
lstrcpy.KERNEL32(00000000,0045D014), ref: 00434C35
lstrcpy.KERNEL32(00000000,0045D014), ref: 00434C65
lstrcpy.KERNEL32(00000000,0045D014), ref: 00434CA3
lstrcpy.KERNEL32(00000000,0045D014), ref: 00434CD6
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00434CE6

Strings

pNx, xrefs: 00434CEC
TPF, xrefs: 004350F8
TPF, xrefs: 004351E6
", xrefs: 00435154, 00435242
------, xrefs: 00434E0C, 00434E39, 004350BB, 004351AC
TPF, xrefs: 0043518E
cx, xrefs: 00435083

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------$TPF$TPF$TPF$pNx$cx
API String ID: 2041821634-2282460670
Opcode ID: b99fca825cf93b7c30e5b2a4452b77c3ec5710449e983229eae0378075dcf3a6
Instruction ID: c2f41ebc033eab9966af4b1c8e85823a3958134ed20adff9708d6ce48345b939
Opcode Fuzzy Hash: b99fca825cf93b7c30e5b2a4452b77c3ec5710449e983229eae0378075dcf3a6
Instruction Fuzzy Hash: 24529271A006169FCB20EFB5CD45B9F77B9AF48304F15202AF904A7251DB78ED46CBA8

Function 004356C0 Relevance: 111.0, APIs: 51, Strings: 12, Instructions: 734
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,?), ref: 004356EF
lstrlenA.KERNEL32(?), ref: 00435742
lstrcpy.KERNEL32(00000000,0045D014), ref: 00435784
lstrcpy.KERNEL32(00000000,0045D014), ref: 004357C3
lstrcpy.KERNEL32(00000000,0045D014), ref: 004357F3
lstrcpy.KERNEL32(00000000,0045D014), ref: 00435828

Strings

pNx, xrefs: 00435878
------, xrefs: 00435929, 00435956
TPF, xrefs: 00435D24
TPF, xrefs: 00435BDE
TPF, xrefs: 00435B48
--, xrefs: 0043598F, 004359B7
", xrefs: 00435BA4, 00435C92, 00435D80
------, xrefs: 00435B0B, 00435BFC, 00435CEA
~D, xrefs: 0043576C, 00435FEA, 00435E90
TPF, xrefs: 00435C36
TPF, xrefs: 00435CCC
cx, xrefs: 00435AD2

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: ------$"$--$------$TPF$TPF$TPF$TPF$TPF$pNx$~D$cx
API String ID: 367037083-3301421569
Opcode ID: 55126ba8be6903a80ec11d1788a90b9e5860c90537b06f7b98b7a456d5e32209
Instruction ID: b7dc98dc2810379058bf150a13b991ef2f20bfc6ec922f4ffd4676e387dbce09
Opcode Fuzzy Hash: 55126ba8be6903a80ec11d1788a90b9e5860c90537b06f7b98b7a456d5e32209
Instruction Fuzzy Hash: 78429D71E006059FCB10EBB5CD45A9F77B9AF08314F15202AFA45A7252DB78ED068BE8

Function 004563C0 Relevance: 77.2, APIs: 32, Strings: 12, Instructions: 218
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,007732C8), ref: 00456419
GetProcAddress.KERNEL32(74DD0000,007732E0), ref: 00456432
GetProcAddress.KERNEL32(74DD0000,007732F8), ref: 0045644A
GetProcAddress.KERNEL32(74DD0000,00773310), ref: 00456462
GetProcAddress.KERNEL32(74DD0000,00773328), ref: 0045647B
GetProcAddress.KERNEL32(74DD0000,00774568), ref: 00456493
GetProcAddress.KERNEL32(74DD0000,00774588), ref: 004564AB
GetProcAddress.KERNEL32(74DD0000,00773338), ref: 004564C4
GetProcAddress.KERNEL32(74DD0000,007745A8), ref: 004564DC
GetProcAddress.KERNEL32(74DD0000,007745C0), ref: 004564F4
GetProcAddress.KERNEL32(74DD0000,007704B0), ref: 0045650D
GetProcAddress.KERNEL32(74DD0000,007704C8), ref: 00456525
GetProcAddress.KERNEL32(74DD0000,007776C8), ref: 0045653D
GetProcAddress.KERNEL32(74DD0000,00777620), ref: 00456556
GetProcAddress.KERNEL32(74DD0000,007704E8), ref: 0045656E
GetProcAddress.KERNEL32(74DD0000,00777638), ref: 00456586
GetProcAddress.KERNEL32(74DD0000,00777650), ref: 0045659F
GetProcAddress.KERNEL32(74DD0000,00770508), ref: 004565B7
GetProcAddress.KERNEL32(74DD0000,007776E0), ref: 004565CF
GetProcAddress.KERNEL32(74DD0000,00770528), ref: 004565E8
LoadLibraryA.KERNELBASE(007776F8,?,?,?,00451BE3), ref: 004565F9
LoadLibraryA.KERNELBASE(00777530,?,?,?,00451BE3), ref: 0045660B
LoadLibraryA.KERNEL32(00777668,?,?,?,00451BE3), ref: 0045661D
LoadLibraryA.KERNELBASE(00777680,?,?,?,00451BE3), ref: 0045662E
LoadLibraryA.KERNEL32(007775C0,?,?,?,00451BE3), ref: 00456640
GetProcAddress.KERNEL32(75A70000,00777590), ref: 0045665D
GetProcAddress.KERNEL32(75290000,00777698), ref: 00456679
GetProcAddress.KERNEL32(75290000,00777578), ref: 00456691
GetProcAddress.KERNEL32(75BD0000,007776B0), ref: 004566AD
GetProcAddress.KERNEL32(75450000,00770548), ref: 004566C9
GetProcAddress.KERNEL32(76E90000,00770568), ref: 004566E5
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 004566FC

Strings

Pvw, xrefs: 0045658C
8vw, xrefs: 00456574
0uw, xrefs: 004565FF
2w, xrefs: 0045641F
xuw, xrefs: 0045667F
(3w, xrefs: 00456468
NtQueryInformationProcess, xrefs: 004566F1
hvw, xrefs: 00456611
hEw, xrefs: 0045648C
vw, xrefs: 00456543
vw, xrefs: 004565BD
83w, xrefs: 004564B1

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: vw$(3w$0uw$83w$8vw$NtQueryInformationProcess$Pvw$hEw$hvw$xuw$2w$vw
API String ID: 2238633743-2399189216
Opcode ID: d6d6cfc6c7a8a2cafdca0d36494484f8bca28a695a87dd9b105d8f857129bbb7
Instruction ID: e3c5269ce4f30b2ce9d6b71afbe18a01ed283ff0b3433f005d92056a124e32ac
Opcode Fuzzy Hash: d6d6cfc6c7a8a2cafdca0d36494484f8bca28a695a87dd9b105d8f857129bbb7
Instruction Fuzzy Hash: B4A15CB5A19240AFD754DFB4ED98A2637BFF789745300A61EED1683360DBB4A800DB70

Function 00434980 Relevance: 61.4, APIs: 34, Strings: 1, Instructions: 115
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434994
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0043499B
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004349A2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004349A9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004349B0
GetProcessHeap.KERNEL32(00000000,?), ref: 004349BB
RtlAllocateHeap.NTDLL(00000000), ref: 004349C2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004349D2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004349D9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004349E0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004349E7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004349EE
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004349F9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434A00
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434A07
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434A0E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434A15
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434A2B
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434A32
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434A39
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434A40
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434A47
strlen.MSVCRT ref: 00434A4F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434A73
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434A7A
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434A81
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434A88
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434A8F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434A9F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434AA6
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434AAD
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434AB4
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00434ABB
VirtualProtect.KERNELBASE(00000000,00000004,00000100,?), ref: 00434AD0

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0043498F, 00434996, 0043499D, 004349A4, 004349AB, 004349CA, 004349D4, 004349DB, 004349E2, 004349E9, 004349F0, 004349FB, 00434A02, 00434A09, 00434A10, 00434A26, 00434A2D, 00434A34, 00434A3B, 00434A42, 00434A63, 00434A75, 00434A7C, 00434A83, 00434A8A, 00434A9A, 00434AA1, 00434AA8, 00434AAF, 00434AB6

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2127927946-3329630956
Opcode ID: 054f5e69b9fd1f078e8c67a3229e5285ebed34b3e23583ebb82847d6c949b112
Instruction ID: af8e8f6cd727043c6d124cc710d0dac4a9c45e7a142e4f14080ad7f0cfd45952
Opcode Fuzzy Hash: 054f5e69b9fd1f078e8c67a3229e5285ebed34b3e23583ebb82847d6c949b112
Instruction Fuzzy Hash: 8631F820F8033C7E8A246BA56D4AB5FBED4DFC7B61B308053F51856189E9E85404CEEB

Function 00452A70 Relevance: 4.5, APIs: 3, Instructions: 44
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00452A9F
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00452AA6
GetComputerNameA.KERNEL32(00000000,00000104), ref: 00452ABA

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 9bafd61cea8468b276adf9f28df88ee5b60fa7a0079d31094e8de99d1c81db5e
Instruction ID: 365d20b11ef11a4bdd8d2bc9c94a76392ac2ff3ef3643601b4dfebfde436e900
Opcode Fuzzy Hash: 9bafd61cea8468b276adf9f28df88ee5b60fa7a0079d31094e8de99d1c81db5e
Instruction Fuzzy Hash: B601D672A44618ABDB10CF99ED45BAAF7BCF744B21F00026BFD15D3780D7B8190486A1

Function 004529E0 Relevance: 4.5, APIs: 3, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00452A0F
HeapAlloc.KERNEL32(00000000), ref: 00452A16
GetUserNameA.ADVAPI32(00000000,00000104), ref: 00452A2A

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 510f72aadfba94aaf7a0f5761374721df1938f88e7e309923b22dad388ef9166
Instruction ID: b090b85d65431104e6ee3b8f4fd5a573d5052d71f078464c7f70d75807e125b6
Opcode Fuzzy Hash: 510f72aadfba94aaf7a0f5761374721df1938f88e7e309923b22dad388ef9166
Instruction Fuzzy Hash: 59F0B4B1A40204BFC700DF98DD49B9EBBBCFB44B25F10021AFD15E3280D7B4190487A1

Function 0044F300 Relevance: 109.7, APIs: 57, Strings: 5, Instructions: 1164stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0045D014,00000001,00000000,00000000), ref: 0044F32E
lstrcpy.KERNEL32(00000000,0045D014), ref: 0044F34C
lstrlenA.KERNEL32(0045D014), ref: 0044F357
lstrcpy.KERNEL32(00000000,0045D014), ref: 0044F371
lstrlenA.KERNEL32(0045D014), ref: 0044F37C
lstrcpy.KERNEL32(00000000,0045D014), ref: 0044F396
lstrcpy.KERNEL32(00000000,00465568), ref: 0044F3BE
lstrcpy.KERNEL32(00000000,0045D014), ref: 0044F3EC
lstrcpy.KERNEL32(00000000,0045D014), ref: 0044F422
lstrcpy.KERNEL32(00000000,0045D014), ref: 0044F454
lstrlenA.KERNEL32(0077D5F8), ref: 0044F476
lstrcpy.KERNEL32(00000000,?), ref: 0044F506
lstrcpy.KERNEL32(00000000,00000000), ref: 0044F52B
lstrcpy.KERNEL32(00000000,00000000), ref: 0044F5E2
StrCmpCA.SHLWAPI(?,ERROR), ref: 0044F894
lstrlenA.KERNEL32(00784CF0), ref: 0044F8C2
lstrcpy.KERNEL32(00000000,00784CF0), ref: 0044F8EF
lstrcpy.KERNEL32(00000000,00000000), ref: 0044F912
lstrcpy.KERNEL32(00000000,?), ref: 0044F966
lstrcpy.KERNEL32(00000000,00784CF0), ref: 0044FA28
lstrcpy.KERNEL32(00000000,00784CD0), ref: 0044FA58
lstrcpy.KERNEL32(00000000,?), ref: 0044FAB7
StrCmpCA.SHLWAPI(?,ERROR), ref: 0044FBD5
lstrlenA.KERNEL32(00784D20), ref: 0044FC03
lstrcpy.KERNEL32(00000000,00784D20), ref: 0044FC30
lstrcpy.KERNEL32(00000000,00000000), ref: 0044FC53
lstrcpy.KERNEL32(00000000,?), ref: 0044FCA7

Strings

ERROR, xrefs: 0044F788, 0044F88E, 0044FB30, 0044FBCF, 0044FE70, 0044FF0F
Hw, xrefs: 0044F5F4, 004500C0
hw, xrefs: 0044F62E, 00450083
0Mx, xrefs: 0044F9F4, 00450057
Mx, xrefs: 0044FBFB, 0044FD3A

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: Mx$0Mx$ERROR$Hw$hw
API String ID: 367037083-4192720129
Opcode ID: 788f6d6130be4af97330da3e39f10c5e292c2e1141f5830ad90edc0e569626e5
Instruction ID: 7a029405106a910edb895be738f2421a5c8aa1a0bfbbf53c850caedadf27e801
Opcode Fuzzy Hash: 788f6d6130be4af97330da3e39f10c5e292c2e1141f5830ad90edc0e569626e5
Instruction Fuzzy Hash: 4AA26D70A017028FE724DF25C948A1BB7E5AF45304F28957EE849CB362DB79DC0ACB59

Function 00436B80 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 229
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00436BAF
lstrcpy.KERNEL32(00000000,0045D014), ref: 00436C02
InternetOpenA.WININET(0045D014,00000001,00000000,00000000,00000000), ref: 00436C15
StrCmpCA.SHLWAPI(?,00784E70), ref: 00436C2D
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00436C55
HttpOpenRequestA.WININET(00000000,GET,?,007863E8,00000000,00000000,-00400100,00000000), ref: 00436C90
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00436CB7
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00436CC6
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00436CE5
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00436D3F
lstrcpy.KERNEL32(00000000,?), ref: 00436D9B
InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00436DBD
InternetCloseHandle.WININET(00000000), ref: 00436DCE
InternetCloseHandle.WININET(?), ref: 00436DD8
InternetCloseHandle.WININET(00000000), ref: 00436DE2
lstrcpy.KERNEL32(00000000,00000000), ref: 00436E03

Strings

ERROR, xrefs: 00436CF2
pNx, xrefs: 00436C1B
GET, xrefs: 00436C8A
cx, xrefs: 00436C68

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
String ID: ERROR$GET$pNx$cx
API String ID: 3687753495-2950988410
Opcode ID: 730c73fa37efddb8551791e9da4cbf075fc0f4dc1450efb8c61ffae4fe5d6656
Instruction ID: bafb257537027f8c77b59fe4ae1f36180c3c9472e798d3197de3e2c40aa66feb
Opcode Fuzzy Hash: 730c73fa37efddb8551791e9da4cbf075fc0f4dc1450efb8c61ffae4fe5d6656
Instruction Fuzzy Hash: 7F81A571A01216AFDB20DFA4DC45FAFB7B9AF48704F115159FD04E7290DBB4AD048BA8

Function 004526E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 93
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,0077B2A0), ref: 0045271B
GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,0045A470,00000000,00000000,00000000,00000000,?,0077B2A0), ref: 0045274C
GetProcessHeap.KERNEL32(00000000,00000104,?,0077B2A0), ref: 004527AF
HeapAlloc.KERNEL32(00000000,?,0077B2A0), ref: 004527B6
wsprintfA.USER32 ref: 004527DB

Strings

:\, xrefs: 00452735
C, xrefs: 00452725
@]x, xrefs: 004527D3

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowswsprintf
String ID: :\$@]x$C
API String ID: 1325379522-741086061
Opcode ID: decf7cce3ee897aeaf8b3d0ff9ea8bfa8d2b1ccf728213c500f576e9afcb829e
Instruction ID: 72c49e7ea9852e2e29fd79261d973124259335fc5aff76a7d7196bf5144c8d0c
Opcode Fuzzy Hash: decf7cce3ee897aeaf8b3d0ff9ea8bfa8d2b1ccf728213c500f576e9afcb829e
Instruction Fuzzy Hash: FE3183B19082099FCB14CFB89A859EFBFBCFF5D741F00016EE905E7251E2748A048BA5

Function 00452820 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 47
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00452835
HeapAlloc.KERNEL32(00000000), ref: 0045283C

Part of subcall function 004528B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004528C5
Part of subcall function 004528B0: HeapAlloc.KERNEL32(00000000), ref: 004528CC
Part of subcall function 004528B0: RegOpenKeyExA.KERNELBASE(80000002,007811A8,00000000,00020119,00452849), ref: 004528EB
Part of subcall function 004528B0: RegQueryValueExA.KERNELBASE(00452849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00452905
Part of subcall function 004528B0: RegCloseKey.ADVAPI32(00452849), ref: 0045290F

RegOpenKeyExA.KERNELBASE(80000002,007811A8,00000000,00020119,?), ref: 00452871
RegQueryValueExA.KERNELBASE(?,00785C68,00000000,00000000,00000000,000000FF), ref: 0045288C
RegCloseKey.ADVAPI32(?), ref: 00452896

Strings

h\x, xrefs: 00452885
Windows 11, xrefs: 00452850

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11$h\x
API String ID: 3466090806-270188567
Opcode ID: 96921e1bd0f325db4e34b28a8322b9aad01006147b029291ed800bf0ff642f82
Instruction ID: 6a061fdd5d25150d8484750cf700cb016cb73cd340b87837edc2d31723cdad42
Opcode Fuzzy Hash: 96921e1bd0f325db4e34b28a8322b9aad01006147b029291ed800bf0ff642f82
Instruction Fuzzy Hash: 5C01A271640208BFDB10ABB4ED49EAA776EEB44316F00425AFE08D3251EAF49D4487A4

Function 00435570 Relevance: 12.1, APIs: 8, Instructions: 112
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00435589
RtlAllocateHeap.NTDLL(00000000), ref: 00435590
InternetOpenA.WININET(0045D014,00000000,00000000,00000000,00000000), ref: 004355A6
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 004355C1
InternetReadFile.WININET(?,?,00000400,00000001), ref: 004355EC
KiUserExceptionDispatcher.NTDLL(00000000,?,00000001), ref: 00435611
InternetCloseHandle.WININET(?), ref: 0043562B
InternetCloseHandle.WININET(00000000), ref: 00435632

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateDispatcherExceptionFileProcessReadUser
String ID:
API String ID: 1337183907-0
Opcode ID: 7b24abdf749a2e6681fd79277e067d8b53e3e900d48125aa6b1211a03b6468e5
Instruction ID: 1429e57c53cbe0188c242031960b897ed5fdc72c72a5f9de2f604f2c0303a84a
Opcode Fuzzy Hash: 7b24abdf749a2e6681fd79277e067d8b53e3e900d48125aa6b1211a03b6468e5
Instruction Fuzzy Hash: 9641AF70A00204EFDB24CF54CC49F9AB7B9FF48314F2481AAE9089B390D7B59941CF98

Function 00451BD0 Relevance: 12.1, APIs: 8, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: e1c0ce45e7d68ba44ae2ba985a9c4f4bb25a597e00a718af582eef83e82a8ad1
Instruction ID: d323fce483589d93f3d5e94df3a6c71e700f23d2a55b1daa824cdb83d57f5f72
Opcode Fuzzy Hash: e1c0ce45e7d68ba44ae2ba985a9c4f4bb25a597e00a718af582eef83e82a8ad1
Instruction Fuzzy Hash: 6A316031A006069BCB21BFB5CD8579F77AAAF04745F15112BE90197262EBB8EC098798

Function 00434AE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000800,0077E168), ref: 00434B17
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00434B21
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00434B2B
lstrlenA.KERNEL32(?,00000000,?), ref: 00434B3F
InternetCrackUrlA.WININET(?,00000000), ref: 00434B47

Strings

<, xrefs: 00434B07

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: 7d79dfcc94c23489c9ec4f2840e86d45d95760407cd38a8bfbebd8d522d79c2d
Instruction ID: 13537e3506206941062e2532582cbbb34a7d2de0ba687efa30889962415c9a44
Opcode Fuzzy Hash: 7d79dfcc94c23489c9ec4f2840e86d45d95760407cd38a8bfbebd8d522d79c2d
Instruction Fuzzy Hash: 8E01E971D00218AFDB14DFA9EC45B9EBBB9EB48364F00812AF954E7390EBB459058FD4

Function 004528B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004528C5
HeapAlloc.KERNEL32(00000000), ref: 004528CC
RegOpenKeyExA.KERNELBASE(80000002,007811A8,00000000,00020119,00452849), ref: 004528EB
RegQueryValueExA.KERNELBASE(00452849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00452905
RegCloseKey.ADVAPI32(00452849), ref: 0045290F

Strings

CurrentBuildNumber, xrefs: 004528FF

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 882e6b74894ca53474d0d5415b659c264666480bd255975276e72c5e66035363
Instruction ID: e867ecfba307e539f478f58fab58629351a4aa64012b767e212b694f9aea2ba6
Opcode Fuzzy Hash: 882e6b74894ca53474d0d5415b659c264666480bd255975276e72c5e66035363
Instruction Fuzzy Hash: 2401BCB5600218BFE710CBA0DD59EAB7BADEB49742F20019AFE45D7341EAB0590887A0

Function 0044EFE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0044F013
StrCmpCA.SHLWAPI(?,ERROR,?,?,?,?,?,?,?,?,?,0044F54D), ref: 0044F02E
lstrcpy.KERNEL32(00000000,ERROR), ref: 0044F08F

Strings

ERROR, xrefs: 0044F028, 0044F089

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: ERROR
API String ID: 3722407311-2861137601
Opcode ID: 0723278c425aa61c7e7c84b1bdb9fb180503e95b4d4e8332d1dade02dff3c89d
Instruction ID: 54e09f1803d018b2445a021da9fe3f0c5fdf371a514046cf36c41aaf8d67e512
Opcode Fuzzy Hash: 0723278c425aa61c7e7c84b1bdb9fb180503e95b4d4e8332d1dade02dff3c89d
Instruction Fuzzy Hash: 762186707102069FDB24FF7ACD46B9F37A4AF08308F11552AB9C9DB222DA78DC058798

Function 0044EF30 Relevance: 1.3, APIs: 1, Instructions: 50stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0044EF62

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: ba9e2da1e6d0988f9b43608525736485085145dc2e0230de9c15da476799bb26
Instruction ID: b76bb9f94d291b7d5447c82afba9110297da2cc3df97b956f03fcfe1f58f06b5
Opcode Fuzzy Hash: ba9e2da1e6d0988f9b43608525736485085145dc2e0230de9c15da476799bb26
Instruction Fuzzy Hash: BC1148703101049BDB24FF3ADD42B9F37A4AF08304F81502DB9C88B262DA78EC058795

Non-executed Functions

Function 00436000 Relevance: 132.1, APIs: 68, Strings: 7, Instructions: 817stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0043602F
lstrcpy.KERNEL32(00000000,0045D014), ref: 00436082
lstrcpy.KERNEL32(00000000,0045D014), ref: 004360B5
lstrcpy.KERNEL32(00000000,0045D014), ref: 004360E5
lstrcpy.KERNEL32(00000000,0045D014), ref: 00436120
lstrcpy.KERNEL32(00000000,0045D014), ref: 00436153
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00436163

Strings

pNx, xrefs: 00436169
TPF, xrefs: 00436601
TPF, xrefs: 00436659
", xrefs: 004365C7, 004366B5
------, xrefs: 00436289, 004362B6, 0043652E, 0043661F
TPF, xrefs: 0043656B
cx, xrefs: 00436510

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------$TPF$TPF$TPF$pNx$cx
API String ID: 2041821634-2282460670
Opcode ID: 26148170fbe89427b287d00f3270076af9c3522677aad0035c92ee4b2e46168f
Instruction ID: 229b6fc3273b03ba581fa5aecc35c7e3139d31656ebf13b10f80bb1d39702ef2
Opcode Fuzzy Hash: 26148170fbe89427b287d00f3270076af9c3522677aad0035c92ee4b2e46168f
Instruction Fuzzy Hash: 13528271E00616AFCB10AFB5DD49B9F77B9AF08304F15A12AF904A7251DB78DC05CBA8

Function 00439876 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 174stringsleepprocessCOMMON

Download Yara Rule

APIs

CreateDesktopA.USER32(?), ref: 00439888
memset.MSVCRT ref: 004398A6
lstrcatA.KERNEL32(?,?), ref: 004398BB
lstrcatA.KERNEL32(?,?), ref: 004398CD
lstrcatA.KERNEL32(?,00465128), ref: 004398DD
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0043991A
lstrcpy.KERNEL32(00000000,?), ref: 00439950
StrStrA.SHLWAPI(?,00786280), ref: 00439965
lstrcpyn.KERNEL32(006693D0,?,00000000), ref: 00439982
lstrlenA.KERNEL32(?), ref: 00439996
wsprintfA.USER32 ref: 004399A6
lstrcpy.KERNEL32(?,?), ref: 004399BD
memset.MSVCRT ref: 004399D3
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,00000000), ref: 00439A32
Sleep.KERNEL32(00001388), ref: 00439A41
CloseDesktop.USER32(?), ref: 00439A81

Strings

D, xrefs: 004399EA
%s%s, xrefs: 004399A0

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateDesktoplstrcpymemset$CloseFolderPathProcessSleeplstrcpynlstrlenwsprintf
String ID: %s%s$D
API String ID: 3850938096-433275411
Opcode ID: a6c7a96c7a42c3849ad73aeb812acd6b6987676e1b090123542276fcf4777f30
Instruction ID: fd705f182cbd1bab056a11891010fb8b2fa6fe35f8ce33700d66ba06c0d2b798
Opcode Fuzzy Hash: a6c7a96c7a42c3849ad73aeb812acd6b6987676e1b090123542276fcf4777f30
Instruction Fuzzy Hash: 8D6160B1604340AFD720EF74DC45F9F77E9AF88704F10591EFA898B291DBB499048BA6

Function 004546C0 Relevance: 13.6, APIs: 9, Instructions: 54processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004546D9
Process32First.KERNEL32(00000000,00000128), ref: 004546E9
Process32Next.KERNEL32(00000000,00000128), ref: 004546FB
StrCmpCA.SHLWAPI(?,?), ref: 0045470D
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00454722
TerminateProcess.KERNEL32(00000000,00000000), ref: 00454731
CloseHandle.KERNEL32(00000000), ref: 00454738
Process32Next.KERNEL32(00000000,00000128), ref: 00454746
CloseHandle.KERNEL32(00000000), ref: 00454751

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: d9ecc4ac324f6e7f609c4db14a9eba4406e947378a3a61c341560ed928980982
Instruction ID: 1164943a64ce745c089c44a94c369ef23f9a7e1944cc41014f84a35f4dd72b14
Opcode Fuzzy Hash: d9ecc4ac324f6e7f609c4db14a9eba4406e947378a3a61c341560ed928980982
Instruction Fuzzy Hash: 3401AD31601114ABE7205B70EC88FFB377DAB89B42F001199FD05DA281EFB899888B74

Function 00437690 Relevance: 7.6, APIs: 5, Instructions: 52memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 0043769E
HeapAlloc.KERNEL32(00000000), ref: 004376A5
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004376CD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004376ED
LocalFree.KERNEL32(?), ref: 004376F7

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 2d2d288d40c6510c71c143a58fb9bdab208a6e53a29a82d84f0a3aaff3da296a
Instruction ID: 771aa138cd378c3788b2b1cd14c5ed79ac9a0aa261bc039ac5d71f7741158649
Opcode Fuzzy Hash: 2d2d288d40c6510c71c143a58fb9bdab208a6e53a29a82d84f0a3aaff3da296a
Instruction Fuzzy Hash: 2B01C075B40218BBEB10DBA49C4AFAA777DEB44B15F104155FE05AB2C0D6B1A9008BA4

Function 00453E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124stringtimeCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0045D014), ref: 00453E45
lstrcpy.KERNEL32(00000000,00779E38), ref: 00453E6F
GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00434D2A,?,00000014), ref: 00453E79

Strings

*MC, xrefs: 00453EEE, 00453EDD

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpy$SystemTime
String ID: *MC
API String ID: 684065273-1620654918
Opcode ID: abad9ee80405078259a691631ae5a65e02d9698c88f4663ef63a29a9a48775e9
Instruction ID: 91cda76363eff293731b34c0e4f5a71725fea1271b8d8ac1c2b0ca60fcb5b2e2
Opcode Fuzzy Hash: abad9ee80405078259a691631ae5a65e02d9698c88f4663ef63a29a9a48775e9
Instruction Fuzzy Hash: 9041AE71A012058FDB24CF29C884666BBE5FF09356F1880AEEC45DB3A2C77ADD46CB54

Function 00454090 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 004540AD
GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004540BC
HeapAlloc.KERNEL32(00000000,?,?,?), ref: 004540C3
CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 004540F3

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: BinaryCryptHeapString$AllocProcess
String ID:
API String ID: 3939037734-0
Opcode ID: 359bed91a60ab89599370cb552ef05a7f68d65992286bca3d297e82372d112a4
Instruction ID: daefd2cf4335f7a2741c03f0c1161d754ed67625ba45aac96ac58d7e0dc0786a
Opcode Fuzzy Hash: 359bed91a60ab89599370cb552ef05a7f68d65992286bca3d297e82372d112a4
Instruction Fuzzy Hash: 6F011E70600205BBDB109FB5EC45B6B7BADEF85715F108159FE0987340DA7199408B64

Function 00439BE0 Relevance: 6.0, APIs: 4, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00439BFF
LocalAlloc.KERNEL32(00000040,?), ref: 00439C13
memcpy.MSVCRT(00000000,?), ref: 00439C2A
LocalFree.KERNEL32(?), ref: 00439C37

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: f7ea62f7ef54d6651e8bbae49f2630da07bb58f40e46da107ff9a65f4f7de5ea
Instruction ID: 33449628f0688817ddb1cb8341c05a192ba19618e7ee0ecc459495480836427e
Opcode Fuzzy Hash: f7ea62f7ef54d6651e8bbae49f2630da07bb58f40e46da107ff9a65f4f7de5ea
Instruction Fuzzy Hash: 2401FB75A41309ABD7109BA4DC45BAEB779EB48B01F104155EE04AB380D7B49E00CBE4

Function 00439B80 Relevance: 6.0, APIs: 4, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00439B9B
LocalAlloc.KERNEL32(00000040,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00439BAA
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00439BC1
LocalFree.KERNEL32(?,?,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00439BD0

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: e78c0b603b84c466e8be6472cfcf917b98e48be133f153c459ecfa9772685a37
Instruction ID: 6761a3420a575937b26a9f7cd3fc9012e29ee91d20ce107effb3ba592d9b8d30
Opcode Fuzzy Hash: e78c0b603b84c466e8be6472cfcf917b98e48be133f153c459ecfa9772685a37
Instruction Fuzzy Hash: BEF0BD703443126BE7305F65AC49F57BBADEB05B51F241415FE49EA2C0D7F49C40CAA4

Function 00431070 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 278stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043108A

Part of subcall function 00431000: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00431015
Part of subcall function 00431000: HeapAlloc.KERNEL32(00000000), ref: 0043101C
Part of subcall function 00431000: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00431039
Part of subcall function 00431000: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00431053
Part of subcall function 00431000: RegCloseKey.ADVAPI32(?), ref: 0043105D

lstrcatA.KERNEL32(?,00000000), ref: 004310A0
lstrlenA.KERNEL32(?), ref: 004310AD
lstrcatA.KERNEL32(?,.keys), ref: 004310C8
lstrcpy.KERNEL32(00000000,0045D014), ref: 004310FF
lstrlenA.KERNEL32(00784F90), ref: 0043110D
lstrcpy.KERNEL32(00000000,?), ref: 00431131
lstrcatA.KERNEL32(00000000,00784F90), ref: 00431139
lstrlenA.KERNEL32(\Monero\wallet.keys), ref: 00431144
lstrcpy.KERNEL32(00000000,00000000), ref: 00431168
lstrcatA.KERNEL32(00000000,\Monero\wallet.keys), ref: 00431174
lstrcpy.KERNEL32(00000000,00000000), ref: 0043119A
lstrcpy.KERNEL32(00000000,0045D014), ref: 004311DF
lstrlenA.KERNEL32(00785EF0), ref: 004311EE
lstrcpy.KERNEL32(00000000,?), ref: 00431215
lstrcatA.KERNEL32(00000000,?), ref: 0043121D
lstrcpy.KERNEL32(00000000,00000000), ref: 00431258
lstrcatA.KERNEL32(00000000), ref: 00431265
lstrcpy.KERNEL32(00000000,00000000), ref: 0043128C
CopyFileA.KERNEL32(?,?,00000001), ref: 004312B5
lstrcpy.KERNEL32(00000000,?), ref: 004312E1
lstrcpy.KERNEL32(00000000,?), ref: 0043131D

Part of subcall function 0044EF30: lstrcpy.KERNEL32(00000000,?), ref: 0044EF62

DeleteFileA.KERNEL32(?), ref: 00431351
memset.MSVCRT ref: 0043136E

Strings

.keys, xrefs: 004310BC
\Monero\wallet.keys, xrefs: 0043113F, 0043116E

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocCloseCopyDeleteOpenProcessQueryValue
String ID: .keys$\Monero\wallet.keys
API String ID: 2734118222-3586502688
Opcode ID: b2b1c5d6ed47a91fcce780565bdb8be51b2cbb8eea535cda52f43a2ab8b9cbc4
Instruction ID: 23dd367e18bd348507d94b39b63ee61720198f1f1ffa95cdef23ef8dce1d32cb
Opcode Fuzzy Hash: b2b1c5d6ed47a91fcce780565bdb8be51b2cbb8eea535cda52f43a2ab8b9cbc4
Instruction Fuzzy Hash: 71A19271A016059BCB20EFB5DD49B9FB7B9AF0C304F14212AF945E7261DB78DD018BA8

Function 00451800 Relevance: 45.8, APIs: 25, Strings: 1, Instructions: 269stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0045D014), ref: 0045182F
lstrlenA.KERNEL32(00773048,00000000,00000000,?,?,00451B61), ref: 00451840
lstrcpy.KERNEL32(00000000,00000000), ref: 00451867
lstrcatA.KERNEL32(00000000,00000000), ref: 00451872
lstrcpy.KERNEL32(00000000,00000000), ref: 004518A1
lstrlenA.KERNEL32(00465568,?,?,00451B61), ref: 004518B3
lstrcpy.KERNEL32(00000000,00000000), ref: 004518D4
lstrcatA.KERNEL32(00000000,00465568,?,?,00451B61), ref: 004518E0
lstrcpy.KERNEL32(00000000,00000000), ref: 0045190F
lstrlenA.KERNEL32(00774080,?,?,00451B61), ref: 00451925
lstrcpy.KERNEL32(00000000,00000000), ref: 0045194C
lstrcatA.KERNEL32(00000000,00000000), ref: 00451957
lstrcpy.KERNEL32(00000000,00000000), ref: 00451986
lstrlenA.KERNEL32(00465568,?,?,00451B61), ref: 00451998
lstrcpy.KERNEL32(00000000,00000000), ref: 004519B9
lstrcatA.KERNEL32(00000000,00465568,?,?,00451B61), ref: 004519C5
lstrcpy.KERNEL32(00000000,00000000), ref: 004519F4
lstrlenA.KERNEL32(00774090,?,?,00451B61), ref: 00451A0A
lstrcpy.KERNEL32(00000000,00000000), ref: 00451A31
lstrcatA.KERNEL32(00000000,00000000), ref: 00451A3C
lstrcpy.KERNEL32(00000000,00000000), ref: 00451A6B
lstrlenA.KERNEL32(007740A0,?,?,00451B61), ref: 00451A81
lstrcpy.KERNEL32(00000000,00000000), ref: 00451AA8
lstrcatA.KERNEL32(00000000,00000000), ref: 00451AB3
lstrcpy.KERNEL32(00000000,00000000), ref: 00451AE2

Strings

H0w, xrefs: 00451835

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen
String ID: H0w
API String ID: 1049500425-2431637254
Opcode ID: 2066cab9ceb1ce207fb9974d5a907097f1294adc25b991d1ebb9f557dda693c8
Instruction ID: 5a93badc744979909f2ff1dbd76c4107b980b1cd2857351a58c1bf5bb1e2f0d6
Opcode Fuzzy Hash: 2066cab9ceb1ce207fb9974d5a907097f1294adc25b991d1ebb9f557dda693c8
Instruction Fuzzy Hash: 0A911FB06017029BD720AFB5CD88B17B7E9AF04345F14552AED85C3362DBB8DC45CB64

Function 004392E0 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 365stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004390F0: InternetOpenA.WININET(0045D014,00000001,00000000,00000000,00000000), ref: 0043910F
Part of subcall function 004390F0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 0043912C
Part of subcall function 004390F0: InternetCloseHandle.WININET(00000000), ref: 00439139
Part of subcall function 004390F0: strlen.MSVCRT ref: 00439155

strlen.MSVCRT ref: 00439311
strlen.MSVCRT ref: 0043932A

Part of subcall function 00447EB0: memchr.MSVCRT ref: 00447EEF
Part of subcall function 00447EB0: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00447F09
Part of subcall function 00447EB0: memchr.MSVCRT ref: 00447F28

Part of subcall function 004389B0: std::_Xinvalid_argument.LIBCPMT ref: 004389C6

memset.MSVCRT ref: 00439371
lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 0043938C
lstrcatA.KERNEL32(?,00000000), ref: 004393A2
strlen.MSVCRT ref: 004393C9
strlen.MSVCRT ref: 00439416
memcmp.MSVCRT(?,0045D014,?), ref: 0043943B
memset.MSVCRT ref: 00439562
lstrcatA.KERNEL32(?,cookies), ref: 00439577
lstrcatA.KERNEL32(?,00461D5C), ref: 00439589
lstrcatA.KERNEL32(?,?), ref: 0043959A
lstrcatA.KERNEL32(?,00465160), ref: 004395AC
lstrcatA.KERNEL32(?,?), ref: 004395BD
lstrcatA.KERNEL32(?,.txt), ref: 004395CF
lstrlenA.KERNEL32(?), ref: 004395E6
lstrlenA.KERNEL32(?), ref: 0043960B
lstrcpy.KERNEL32(00000000,?), ref: 00439644
memset.MSVCRT ref: 0043968C

Strings

cookies, xrefs: 0043956B
/devtools, xrefs: 00439325, 00439330
.txt, xrefs: 004395C3
ws://localhost:9229, xrefs: 00439380
localhost, xrefs: 004392FA, 00439318

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcat$strlen$Internetmemset$Openlstrlenmemchrmemcmp$CloseHandleXinvalid_argumentlstrcpystd::_
String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
API String ID: 2819545660-3542011879
Opcode ID: 91445381a8f1f58ec32cca356a048261c257e3150fc2dc2a2ff5f0e741456594
Instruction ID: cd29f3e00a1667f6d7fa468775c73929be31ad2be4605e62e66ffd4da4bbd84d
Opcode Fuzzy Hash: 91445381a8f1f58ec32cca356a048261c257e3150fc2dc2a2ff5f0e741456594
Instruction Fuzzy Hash: 94E12771E00218EFDF10DFA8C981ADEBBB5BF48304F10446AE949A7251DB789E45CF95

Function 00448D00 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 174stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,block,?,?,?,?,0045081F), ref: 00448D1A
ExitProcess.KERNEL32 ref: 00448D27
strtok_s.MSVCRT ref: 00448D39

Strings

block, xrefs: 00448D0B

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 0213264bc5350d64c011fa190c0cf845a868186931738da3ac497f0be997e741
Instruction ID: 1f278704d8d5292e79067d79e306eb82efa3f3a05585b26dd299252a879e01dc
Opcode Fuzzy Hash: 0213264bc5350d64c011fa190c0cf845a868186931738da3ac497f0be997e741
Instruction Fuzzy Hash: 1B517FB0604701DFDB209F79DC84A2FB7FAAB08704B10582FE492C2660DBBDD4458B6A

Function 0043A070 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 251stringlibraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00784D10,00669BD8,0000FFFF), ref: 0043A086
lstrcpy.KERNEL32(00000000,0045D014), ref: 0043A0B3
lstrlenA.KERNEL32(00669BD8), ref: 0043A0C0
lstrcpy.KERNEL32(00000000,00669BD8), ref: 0043A0EA
lstrlenA.KERNEL32(00465214), ref: 0043A0F5
lstrcpy.KERNEL32(00000000,00000000), ref: 0043A112
lstrcatA.KERNEL32(00000000,00465214), ref: 0043A11E
lstrcpy.KERNEL32(00000000,00000000), ref: 0043A144
lstrcatA.KERNEL32(00000000,00000000), ref: 0043A14F
lstrcpy.KERNEL32(00000000,00000000), ref: 0043A174
SetEnvironmentVariableA.KERNEL32(00784D10,00000000), ref: 0043A18F
LoadLibraryA.KERNEL32(007854E0), ref: 0043A1A3

Strings

Tx, xrefs: 0043A19C
p]x, xrefs: 0043A1DE
H^x, xrefs: 0043A21E

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: H^x$p]x$Tx
API String ID: 2929475105-3771163451
Opcode ID: b09bbb5f6f25fdbb1480005879111a8cfdfd5c03900297e6acfd9bcfc552c666
Instruction ID: d4f7573c64c627005194a4abd03733b9b7b815d8d9d3e41c3137bc5e1dbf59dd
Opcode Fuzzy Hash: b09bbb5f6f25fdbb1480005879111a8cfdfd5c03900297e6acfd9bcfc552c666
Instruction Fuzzy Hash: 2191F671640A009FCB309FB4DC44A6737B6EB4D708F51225AE985873A1EFFACC418B96

Function 004390F0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 161networkstringfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0045D014,00000001,00000000,00000000,00000000), ref: 0043910F
InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 0043912C
InternetCloseHandle.WININET(00000000), ref: 00439139
strlen.MSVCRT ref: 00439155
InternetReadFile.WININET(?,?,?,00000000), ref: 00439196
InternetReadFile.WININET(00000000,?,00001000,?), ref: 004391C7
InternetCloseHandle.WININET(00000000), ref: 004391D2
InternetCloseHandle.WININET(00000000), ref: 004391D9
strlen.MSVCRT ref: 004391EA
strlen.MSVCRT ref: 0043921D
strlen.MSVCRT ref: 0043925E

Part of subcall function 00447EB0: memchr.MSVCRT ref: 00447EEF
Part of subcall function 00447EB0: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00447F09
Part of subcall function 00447EB0: memchr.MSVCRT ref: 00447F28

strlen.MSVCRT ref: 0043927C

Part of subcall function 004389B0: std::_Xinvalid_argument.LIBCPMT ref: 004389C6

Strings

"webSocketDebuggerUrl":, xrefs: 004391E5, 004391F0
http://localhost:9229/json, xrefs: 00439126
"ws://, xrefs: 00439259, 00439264

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Internet$strlen$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_
String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
API String ID: 4166274400-2144369209
Opcode ID: f0fce8998327063da73c3e88e72d274338ea02cd7ea570343b4a0b17c0e0387d
Instruction ID: 4ae5dab478e326fb003737944477cc2453b5c24490135caa353a153725085bf7
Opcode Fuzzy Hash: f0fce8998327063da73c3e88e72d274338ea02cd7ea570343b4a0b17c0e0387d
Instruction Fuzzy Hash: AC51E671A00205ABEB20DFA4DC45BDEFBB9DF48711F14016AF904A32C1DBF8A94587A9

Function 00437710 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 202stringregistrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00437745
RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0043778A
strlen.MSVCRT ref: 004377BE
StrStrA.SHLWAPI(?,Password), ref: 004377F8
strlen.MSVCRT ref: 0043788D

Part of subcall function 00437690: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0043769E
Part of subcall function 00437690: HeapAlloc.KERNEL32(00000000), ref: 004376A5
Part of subcall function 00437690: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004376CD
Part of subcall function 00437690: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004376ED
Part of subcall function 00437690: LocalFree.KERNEL32(?), ref: 004376F7

strcpy_s.MSVCRT ref: 00437821
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0043782C
HeapFree.KERNEL32(00000000), ref: 00437833
strlen.MSVCRT ref: 00437840
strcpy_s.MSVCRT ref: 0043786A
strlen.MSVCRT ref: 004378B4
RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00437975

Strings

Password, xrefs: 004377EC

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Heapstrlen$EnumFreeProcessValuestrcpy_s$AllocByteCharCryptDataLocalMultiOpenUnprotectWide
String ID: Password
API String ID: 3893107980-3434357891
Opcode ID: a26908241d33aca0e7bb3187e8534fa95a280b8316cd761affb289e61442244b
Instruction ID: 1ed5a83821034beac9227d6d2f9972f300f4b3ce7fd59cf627c8f8018299a4cc
Opcode Fuzzy Hash: a26908241d33aca0e7bb3187e8534fa95a280b8316cd761affb289e61442244b
Instruction Fuzzy Hash: 60813DB1D0021DEFDB10DF95DC84ADEBBB9FF48300F10816AE509A7250EB359A85CBA5

Function 0044F100 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 163stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0044F134
lstrcpy.KERNEL32(00000000,?), ref: 0044F162
StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,0044F67A), ref: 0044F176
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0044F67A), ref: 0044F185
LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,?,?,?,?,?,?,?,0044F67A), ref: 0044F1A3
StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0044F67A), ref: 0044F1D1
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0044F67A), ref: 0044F1E4
strtok.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,0044F67A), ref: 0044F1F6
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0044F67A), ref: 0044F202
lstrcpy.KERNEL32(00000000,ERROR), ref: 0044F24F
lstrcpy.KERNEL32(00000000,ERROR), ref: 0044F28F

Strings

ERROR, xrefs: 0044F170, 0044F20F, 0044F249, 0044F289

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$AllocLocalstrtok
String ID: ERROR
API String ID: 2137491262-2861137601
Opcode ID: eac128b9b8a01481538022ec69f778a4913285833d66112277eedddc5334c7f6
Instruction ID: b43f4839b37d82c7327179aad7c2fdedaf11d818ee18bf6bb83534cd4ceed954
Opcode Fuzzy Hash: eac128b9b8a01481538022ec69f778a4913285833d66112277eedddc5334c7f6
Instruction Fuzzy Hash: C5510134A002019FEB20AF75CD49B6F77A9AF44308F05516AFD85DB321DBB8DC068B99

Function 00436A10 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 127networkfilestringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00436A3F
InternetOpenA.WININET(0045D014,00000001,00000000,00000000,00000000), ref: 00436A6C
StrCmpCA.SHLWAPI(?,00784E70), ref: 00436A8A
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00436AAA
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00436AC8
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00436AE1
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00436B06
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00436B30
CloseHandle.KERNEL32(00000000), ref: 00436B50
InternetCloseHandle.WININET(00000000), ref: 00436B57
InternetCloseHandle.WININET(?), ref: 00436B61

Strings

pNx, xrefs: 00436A7F

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
String ID: pNx
API String ID: 2500263513-2610178759
Opcode ID: db581b9f24211849c04f34418adf2d98f8a477646817917ddbcc90614b7e4cd3
Instruction ID: 1a9bf177418976980685443b43498fb24ac09874b51affe771fdaf8027f990e2
Opcode Fuzzy Hash: db581b9f24211849c04f34418adf2d98f8a477646817917ddbcc90614b7e4cd3
Instruction Fuzzy Hash: 6D419171A00215BFDB20DF64DC49FAF7769AB48704F109559FA05E7280DFB4AD408BA8

Function 0043BCE9 Relevance: 18.2, APIs: 12, Instructions: 249stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0045D014), ref: 0043BD0F
lstrlenA.KERNEL32(00000000), ref: 0043BD42
lstrcpy.KERNEL32(00000000,00000000), ref: 0043BD6C
lstrcatA.KERNEL32(00000000,00000000), ref: 0043BD74
lstrcpy.KERNEL32(00000000,00000000), ref: 0043BD9C
lstrlenA.KERNEL32(0046509C), ref: 0043BE13

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: d475e483f5bf2b73b7c51e9cd4cfc44a0482b604432b9fba547ef17cd7a5f943
Instruction ID: ccecfaefad8f813ae5268edaadfccf779ce33b282ed2107eef1b536312744b9d
Opcode Fuzzy Hash: d475e483f5bf2b73b7c51e9cd4cfc44a0482b604432b9fba547ef17cd7a5f943
Instruction Fuzzy Hash: 46A17070A012058FCB24DF29C949B9FB7B5EF48304F25A06EEA4997361DB79DC42CB94

Function 00448240 Relevance: 18.2, APIs: 12, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00448263
lstrlenA.KERNEL32(00000000), ref: 0044829C
lstrcpy.KERNEL32(00000000,00000000), ref: 004482D3
lstrlenA.KERNEL32(00000000), ref: 004482F0
lstrcpy.KERNEL32(00000000,00000000), ref: 00448327
lstrlenA.KERNEL32(00000000), ref: 00448344
lstrcpy.KERNEL32(00000000,00000000), ref: 0044837B
lstrlenA.KERNEL32(00000000), ref: 00448398
lstrcpy.KERNEL32(00000000,00000000), ref: 004483C7
lstrlenA.KERNEL32(00000000), ref: 004483E1
lstrcpy.KERNEL32(00000000,00000000), ref: 00448410
strtok_s.MSVCRT ref: 0044842A

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$strtok_s
String ID:
API String ID: 2211830134-0
Opcode ID: cdb1834d3755ca3192bd02b04d35dde04af3b8f1ac7027e6b5c970d074174d26
Instruction ID: b2a71dd744877abe991652a1fe097a0657f713a24a791b8b4cfbb3eef40d5c04
Opcode Fuzzy Hash: cdb1834d3755ca3192bd02b04d35dde04af3b8f1ac7027e6b5c970d074174d26
Instruction Fuzzy Hash: 6D515B716006129BEB14AF39D948A6FFBA8EF04340F11412AEC06DB345EB78ED51CBE4

Function 004480E0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00448105
lstrlenA.KERNEL32(00000000,?,?,?,?,?,0045093B), ref: 0044814B
lstrcpy.KERNEL32(00000000,00000000), ref: 0044817A
StrCmpCA.SHLWAPI(00000000,00465204,?,?,?,?,?,0045093B), ref: 00448192
lstrlenA.KERNEL32(00000000,?,?,?,?,?,0045093B), ref: 004481D0
lstrcpy.KERNEL32(00000000,00000000), ref: 004481FF
strtok_s.MSVCRT ref: 0044820F

Strings

fplugins, xrefs: 004480E6
;E, xrefs: 004480F1, 00448209, 004480FB, 0044820C

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID: ;E$fplugins
API String ID: 3280532728-2780886424
Opcode ID: 5f8ca72dc2c85fd2ba72ac0431b415c0539e924cace4f299be69d073b97c3263
Instruction ID: 47944212d5ec410861e67973958fba10fd35a3707afe1b31d9e1cadedef84239
Opcode Fuzzy Hash: 5f8ca72dc2c85fd2ba72ac0431b415c0539e924cace4f299be69d073b97c3263
Instruction Fuzzy Hash: 0641BD71600606DFEB20EF68D944BAFBBB4EF44700F11415EE859D7254EB78D941CB94

Function 004379A0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 109stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00437710: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00437745
Part of subcall function 00437710: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0043778A
Part of subcall function 00437710: strlen.MSVCRT ref: 004377BE
Part of subcall function 00437710: StrStrA.SHLWAPI(?,Password), ref: 004377F8
Part of subcall function 00437710: strcpy_s.MSVCRT ref: 00437821
Part of subcall function 00437710: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0043782C
Part of subcall function 00437710: HeapFree.KERNEL32(00000000), ref: 00437833
Part of subcall function 00437710: strlen.MSVCRT ref: 00437840

lstrcatA.KERNEL32(00000000,0046509C), ref: 004379D0
lstrcatA.KERNEL32(00000000,?), ref: 004379FD
lstrcatA.KERNEL32(00000000, : ), ref: 00437A0F
lstrcatA.KERNEL32(00000000,?), ref: 00437A30
wsprintfA.USER32 ref: 00437A50
lstrcpy.KERNEL32(00000000,?), ref: 00437A79
lstrcatA.KERNEL32(00000000,00000000), ref: 00437A87
lstrcatA.KERNEL32(00000000,0046509C), ref: 00437AA0

Strings

: , xrefs: 00437A09

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
String ID: :
API String ID: 2460923012-3653984579
Opcode ID: 8c8bfa87c39802fc8459a0769197e744d1330708d036ed29c17de43712132156
Instruction ID: a6530a7621369871af83c073fa23dcec9cd960986e2371ad6001c063aeb5e466
Opcode Fuzzy Hash: 8c8bfa87c39802fc8459a0769197e744d1330708d036ed29c17de43712132156
Instruction Fuzzy Hash: 103199B2A04214DFCB20EB74DC44A6FB77AFB88310F24651AFA4593300DBB9E941D7A5

Function 00439E40 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 182memorystringCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,v20,00000003), ref: 00439E64
memcmp.MSVCRT(?,v10,00000003), ref: 00439EA2
memset.MSVCRT ref: 00439ECF
LocalAlloc.KERNEL32(00000040), ref: 00439F07

Part of subcall function 00457210: lstrcpy.KERNEL32(00000000,ERROR), ref: 0045722E

lstrcpy.KERNEL32(00000000,00465210), ref: 0043A012

Strings

v20, xrefs: 00439E5E
v10, xrefs: 00439E9C
@, xrefs: 00439EE8

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpymemcmp$AllocLocalmemset
String ID: @$v10$v20
API String ID: 3420379846-278772428
Opcode ID: a706775e77a779eca552e22e681137413629fee2cc5ce64c2cec7a736a2df08c
Instruction ID: 8f0d64cd166a792e819783dc7a8153b182a7a07afb10822192ebc82baf61dd33
Opcode Fuzzy Hash: a706775e77a779eca552e22e681137413629fee2cc5ce64c2cec7a736a2df08c
Instruction Fuzzy Hash: 1851F471A002099BDB10EF65CC41B9F77B4AF08318F15516AFD88EB252D7B8DD058BD9

Function 00431000 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 37registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00431015
HeapAlloc.KERNEL32(00000000), ref: 0043101C
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00431039
RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00431053
RegCloseKey.ADVAPI32(?), ref: 0043105D

Strings

SOFTWARE\monero-project\monero-core, xrefs: 0043102F
wallet_path, xrefs: 0043104D

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3466090806-4244082812
Opcode ID: d89f6d8c0d484a710791412b10e9a9442fbf45bc623bae427fb81203a54f021f
Instruction ID: 512b8a75151fee0da95c2bd0d95a479b7955b302943193765be6b18ca067377d
Opcode Fuzzy Hash: d89f6d8c0d484a710791412b10e9a9442fbf45bc623bae427fb81203a54f021f
Instruction Fuzzy Hash: 6BF09075640309BFD7009BA09D4EFAB7B3DEB04755F100155FE05E2291E6F06A4487A0

Function 00454760 Relevance: 12.1, APIs: 8, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00454779
Process32First.KERNEL32(00000000,00000128), ref: 00454789
Process32Next.KERNEL32(00000000,00000128), ref: 0045479B
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004547BC
TerminateProcess.KERNEL32(00000000,00000000), ref: 004547CB
CloseHandle.KERNEL32(00000000), ref: 004547D2
Process32Next.KERNEL32(00000000,00000128), ref: 004547E0
CloseHandle.KERNEL32(00000000), ref: 004547EB

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 757b8156209ce7ed14b63749a4ffb0b814b37d5df4a50af20263fb9819fa4a50
Instruction ID: e045fc6895f1a9bfced90c294f7f2ced458a89ea1d136b337cd5b8ded94dbc17
Opcode Fuzzy Hash: 757b8156209ce7ed14b63749a4ffb0b814b37d5df4a50af20263fb9819fa4a50
Instruction Fuzzy Hash: 2801F5316012146FE7205B309C88FEB777DEB48746F001286FD05D6282EFB48DD88B64

Function 00437130 Relevance: 10.6, APIs: 7, Instructions: 141memorylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 0043717E
GetProcessHeap.KERNEL32(00000008,00000010), ref: 004371B9
HeapAlloc.KERNEL32(00000000), ref: 004371C0
memcpy.MSVCRT(00000000,?), ref: 004371ED
GetProcessHeap.KERNEL32(00000000,?), ref: 00437203
HeapFree.KERNEL32(00000000), ref: 0043720A
GetProcAddress.KERNEL32(00000000,?), ref: 00437269

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Heap$Process$AddressAllocFreeLibraryLoadProcmemcpy
String ID:
API String ID: 1745114167-0
Opcode ID: f9afc9fd3f7e65a53b4f9b87b0042cf295caef8782acfa78a07c34ea5e4a04b3
Instruction ID: 28ec7573b2ff5279ace3e3a7d1c67aa7559ef0fc7ebdf28a997d26cea9bab006
Opcode Fuzzy Hash: f9afc9fd3f7e65a53b4f9b87b0042cf295caef8782acfa78a07c34ea5e4a04b3
Instruction Fuzzy Hash: 75415EB17046059BDB20CFA9DC84BA7F3E9EB89315F1445AAEC99C7300E635E8108B64

Function 00439CD0 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 00439D08
LocalAlloc.KERNEL32(00000040,?), ref: 00439D3A
StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00439D63
memcmp.MSVCRT(?,DPAPI,00000005), ref: 00439D9C

Strings

"encrypted_key":", xrefs: 00439D5D
DPAPI, xrefs: 00439D96
, xrefs: 00439DC5

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcpymemcmp
String ID: $"encrypted_key":"$DPAPI
API String ID: 4154055062-738592651
Opcode ID: 2be850cd6d6f2fc41ceb1fc76329007d57ddcc8b2ee5c9ada4726dd7f23e73e9
Instruction ID: 1593f3745bc1f4358629697f06d0091f9df89a1cbda08c98f0f1a1067d53c882
Opcode Fuzzy Hash: 2be850cd6d6f2fc41ceb1fc76329007d57ddcc8b2ee5c9ada4726dd7f23e73e9
Instruction Fuzzy Hash: FC419071E0020A9BCB10EF65CD426EF77B4AF08304F05616BE955A7362DAB8ED05CB98

Function 00447F60 Relevance: 10.6, APIs: 7, Instructions: 118stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00447F84
lstrlenA.KERNEL32(00000000), ref: 00447FB1
lstrcpy.KERNEL32(00000000,00000000), ref: 00447FE0
strtok_s.MSVCRT ref: 00447FF1
StrCmpCA.SHLWAPI(00000000,00465204), ref: 00448025
StrCmpCA.SHLWAPI(00000000,00465204), ref: 00448053
StrCmpCA.SHLWAPI(00000000,00465204), ref: 00448087

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: b79b516f06b02b10a4dbf7d2099506bd253456d1dbb4c27329c818fa5454f472
Instruction ID: e31276c9614ad54ab24d1b7ebd92dded6a9c734c0c292405eafa8cfef1a56d63
Opcode Fuzzy Hash: b79b516f06b02b10a4dbf7d2099506bd253456d1dbb4c27329c818fa5454f472
Instruction Fuzzy Hash: 2A41C23460410ADFEB10DF18D880EAE77B4FF44304F11409AE8059B351EB79EA6ACFA6

Function 00447DC0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00447DD8

Part of subcall function 0045A1F0: std::exception::exception.LIBCMT ref: 0045A205
Part of subcall function 0045A1F0: __CxxThrowException@8.LIBCMT ref: 0045A21A

std::_Xinvalid_argument.LIBCPMT ref: 00447DF6
std::_Xinvalid_argument.LIBCPMT ref: 00447E11
memcpy.MSVCRT(?,?,?,00000000,?,?,00447CFA,00000000,?,?,00000000,?,004391B6,?), ref: 00447E74

Strings

string too long, xrefs: 00447DF1, 00447E0C
invalid string position, xrefs: 00447DD3

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throwmemcpystd::exception::exception
String ID: invalid string position$string too long
API String ID: 702443124-4289949731
Opcode ID: 9f4640475e8a5d98345d904c4a922ecc18300bd5ea3f076184d55228264f43ee
Instruction ID: 71d31787e0f2192511781c3bf8d55ab1125079f49cae9a30e3b0bfb97d178cbf
Opcode Fuzzy Hash: 9f4640475e8a5d98345d904c4a922ecc18300bd5ea3f076184d55228264f43ee
Instruction Fuzzy Hash: ED21C5323047008BE7209E2CD880A2AB7E5EF91714F304B6FE4968B741D774DC0683A9

Function 00438880 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 89COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004388B3

Part of subcall function 0045A1A3: std::exception::exception.LIBCMT ref: 0045A1B8
Part of subcall function 0045A1A3: __CxxThrowException@8.LIBCMT ref: 0045A1CD

Strings

yxxx, xrefs: 004388BD
vector<T> too long, xrefs: 004388AE
yxxx, xrefs: 0043890A
xC, xrefs: 004388EC, 004388EF
xC, xrefs: 00438954

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: vector<T> too long$yxxx$yxxx$xC$xC
API String ID: 2884196479-1433540622
Opcode ID: 799483640bc27c9e8b8079bf63d80fac063fe3f165fcb6a59bb24ab856259b8e
Instruction ID: 67168d847ca37355f7354e5ab3b4af82884ad5aeca9348763aa13ee8c02cb863
Opcode Fuzzy Hash: 799483640bc27c9e8b8079bf63d80fac063fe3f165fcb6a59bb24ab856259b8e
Instruction Fuzzy Hash: 543177B5E005159BCB08DF58C8916AEBBB6EB88310F14826EF915EB345DB34E901CBD5

Function 00451B00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00451E28), ref: 00451B52

Part of subcall function 00451800: lstrcpy.KERNEL32(00000000,0045D014), ref: 0045182F
Part of subcall function 00451800: lstrlenA.KERNEL32(00773048,00000000,00000000,?,?,00451B61), ref: 00451840
Part of subcall function 00451800: lstrcpy.KERNEL32(00000000,00000000), ref: 00451867
Part of subcall function 00451800: lstrcatA.KERNEL32(00000000,00000000), ref: 00451872
Part of subcall function 00451800: lstrcpy.KERNEL32(00000000,00000000), ref: 004518A1
Part of subcall function 00451800: lstrlenA.KERNEL32(00465568,?,?,00451B61), ref: 004518B3
Part of subcall function 00451800: lstrcpy.KERNEL32(00000000,00000000), ref: 004518D4
Part of subcall function 00451800: lstrcatA.KERNEL32(00000000,00465568,?,?,00451B61), ref: 004518E0
Part of subcall function 00451800: lstrcpy.KERNEL32(00000000,00000000), ref: 0045190F

sscanf.NTDLL ref: 00451B7A
SystemTimeToFileTime.KERNEL32(?,?), ref: 00451B96
SystemTimeToFileTime.KERNEL32(?,?), ref: 00451BA6
ExitProcess.KERNEL32 ref: 00451BC3

Strings

Huw, xrefs: 00451B6D

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
String ID: Huw
API String ID: 3040284667-501312582
Opcode ID: 60e551940a8f3c0809a4fe73001a860cb264ce542811b28ec9afb3e2ca35ffa5
Instruction ID: 4c920b2cce8e8a4750ebbde789646207c48114f5fb4d87ede4799fffff9b9dda
Opcode Fuzzy Hash: 60e551940a8f3c0809a4fe73001a860cb264ce542811b28ec9afb3e2ca35ffa5
Instruction Fuzzy Hash: 762126B1508301AF8740DF65D88495FBBF9EFC8304F409A1EF9A9C3220E774E5088BA6

Function 00439AE0 Relevance: 9.1, APIs: 6, Instructions: 67filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,004312EE), ref: 00439AFA
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,004312EE), ref: 00439B10
LocalAlloc.KERNEL32(00000040,?,?,?,?,004312EE), ref: 00439B27
ReadFile.KERNEL32(00000000,00000000,?,004312EE,00000000,?,?,?,004312EE), ref: 00439B40
LocalFree.KERNEL32(?,?,?,?,004312EE), ref: 00439B60
CloseHandle.KERNEL32(00000000,?,?,?,004312EE), ref: 00439B67

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: f825bffc65e4f5199f192dff6b29d401e58580a436d5000615cc70a70bcaddde
Instruction ID: 13322cf5b08a1d354c8246b53289e279db2a102604b4c557529325235d0e4855
Opcode Fuzzy Hash: f825bffc65e4f5199f192dff6b29d401e58580a436d5000615cc70a70bcaddde
Instruction Fuzzy Hash: 6E115171A00209AFE710DF65DD84ABFB36DFB08744F10115AF90497280DBB4BD40CBA8

Function 004389B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004389C6

Part of subcall function 0045A1F0: std::exception::exception.LIBCMT ref: 0045A205
Part of subcall function 0045A1F0: __CxxThrowException@8.LIBCMT ref: 0045A21A

std::_Xinvalid_argument.LIBCPMT ref: 004389FD

Part of subcall function 0045A1A3: std::exception::exception.LIBCMT ref: 0045A1B8
Part of subcall function 0045A1A3: __CxxThrowException@8.LIBCMT ref: 0045A1CD

memcpy.MSVCRT(?,00000000,?,00000000,?,?,00438800,?,00000000,004377D7), ref: 00438A5B

Strings

string too long, xrefs: 004389F8
invalid string position, xrefs: 004389C1

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception$memcpy
String ID: invalid string position$string too long
API String ID: 2202983795-4289949731
Opcode ID: 4cb8257bef1d580ebdfe43acd253e37710692ac8c030c9ca5ef943e5576374d3
Instruction ID: 4749d1a7b4be9c4538179c4ae659b4249f204cb5a8f892e3a296be3c56395e0d
Opcode Fuzzy Hash: 4cb8257bef1d580ebdfe43acd253e37710692ac8c030c9ca5ef943e5576374d3
Instruction Fuzzy Hash: 6521D6723047108BC721AA6DE840A6AF7A9DFA5761F20193FF191CB781DA79D841C3ED

Function 00438B50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(004378EE,004388DD,03C3C3C3,00000401,004378EE,?,00000000,?,004378EE,80000001), ref: 00438B70
std::exception::exception.LIBCMT ref: 00438B8B
__CxxThrowException@8.LIBCMT ref: 00438BA0

Strings

xC, xrefs: 00438B7D, 00438B80
PF, xrefs: 00438B99

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: PF$xC
API String ID: 3448701045-3715917059
Opcode ID: ff1c0c8da92737208d7d3782665c109752d88acfe2f4585d08049b393c7dc0d7
Instruction ID: 2b2fecb1852daa92a3f636194bf180594d1a1c8000884a0f6600616e21ecce66
Opcode Fuzzy Hash: ff1c0c8da92737208d7d3782665c109752d88acfe2f4585d08049b393c7dc0d7
Instruction Fuzzy Hash: DBF0A7B150430A97EB14E7E58C027BFF274AF04315F04856EF911D2341FB7CD619819A

Function 00438D80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00438C9B,00000000,?,?,00000000), ref: 00438D92
std::exception::exception.LIBCMT ref: 00438DAD
__CxxThrowException@8.LIBCMT ref: 00438DC2

Strings

PF, xrefs: 00438DBB
PF, xrefs: 00438DB7, 00438DA3, 00438DBA

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: PF$PF
API String ID: 3448701045-4031463206
Opcode ID: 73f25b5d3d688cca420a8ae3b4073719a24a8c2cb40721b88c81682508cd2a1a
Instruction ID: 0abba186f4f2867a77166eb8f6265b9bbf8f04ea3e26b4f5a141654fd06628cb
Opcode Fuzzy Hash: 73f25b5d3d688cca420a8ae3b4073719a24a8c2cb40721b88c81682508cd2a1a
Instruction Fuzzy Hash: B0E02BB040030997CB14E7B59C016BFB2789F14315F00475FF925522C2EF78C508819E

Function 00436E30 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040), ref: 00436E40
memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00436E7C
GetProcessHeap.KERNEL32(00000008,?), ref: 00436EB4
HeapAlloc.KERNEL32(00000000), ref: 00436EBB

Strings

@, xrefs: 00436E30

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocProcess
String ID: @
API String ID: 1643994569-2766056989
Opcode ID: abcf7b12da2a8a0f6c64158f552db940c15154da7adca0a304029f7e952d9df8
Instruction ID: c77e5e8163186490f7ff91a3a9e9d7d5e1ae55812c912783ed0c2315a90a52c3
Opcode Fuzzy Hash: abcf7b12da2a8a0f6c64158f552db940c15154da7adca0a304029f7e952d9df8
Instruction Fuzzy Hash: 72116170600712ABDB208B61DD85BB777E8EB44701F059439EE46CB684FBB8D944C759

Function 00447CA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00447D14
std::_Xinvalid_argument.LIBCPMT ref: 00447D2F
memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,004391B6,?,?,?,?,00000000,?,00001000,?), ref: 00447D84

Part of subcall function 00447DC0: std::_Xinvalid_argument.LIBCPMT ref: 00447DD8
Part of subcall function 00447DC0: std::_Xinvalid_argument.LIBCPMT ref: 00447DF6
Part of subcall function 00447DC0: std::_Xinvalid_argument.LIBCPMT ref: 00447E11
Part of subcall function 00447DC0: memcpy.MSVCRT(?,?,?,00000000,?,?,00447CFA,00000000,?,?,00000000,?,004391B6,?), ref: 00447E74

Strings

string too long, xrefs: 00447D0F, 00447D2A

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy
String ID: string too long
API String ID: 2304785028-2556327735
Opcode ID: 3efb4ad8437dc237ae6fe289a4e156324492f10dbd49ead525d93c7cecebd585
Instruction ID: 65bf73d6643f71fc7c1aa9ab9d087c60c520d2af0d2ccfd850fdd6cb17af564e
Opcode Fuzzy Hash: 3efb4ad8437dc237ae6fe289a4e156324492f10dbd49ead525d93c7cecebd585
Instruction Fuzzy Hash: F631D5B27186104BF7209E6CE880A7BF7E9EF91754B204A2BF14187741D775984283ED

Function 00438740 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00438767

Part of subcall function 0045A1A3: std::exception::exception.LIBCMT ref: 0045A1B8
Part of subcall function 0045A1A3: __CxxThrowException@8.LIBCMT ref: 0045A1CD

Strings

vector<T> too long, xrefs: 00438762
yxxx, xrefs: 00438771
yxxx, xrefs: 00438749

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: vector<T> too long$yxxx$yxxx
API String ID: 2884196479-1517697755
Opcode ID: f9c15224bce49a1456cbac6242fbf6334215ea32a0a3dbf2f319e606da12f39e
Instruction ID: 33e8014b352a0ce89914cfac26d265b39a0befa42f23b82a291dba4bb029e4e9
Opcode Fuzzy Hash: f9c15224bce49a1456cbac6242fbf6334215ea32a0a3dbf2f319e606da12f39e
Instruction Fuzzy Hash: 25F0B427F101310B8314A43E8D8405FE94757E93A073AE72AF906EF349ED39EC8281D9

Function 004387B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0043880C
memcpy.MSVCRT(?,?,00000000,00000000,004377D7), ref: 00438852

Part of subcall function 004389B0: std::_Xinvalid_argument.LIBCPMT ref: 004389C6

Strings

string too long, xrefs: 00438807

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy
String ID: string too long
API String ID: 2304785028-2556327735
Opcode ID: d575418e56bffe1b92b1344774ed186d66d760a934a5b282ef7b58058a41b83e
Instruction ID: c38885a8c387ff9751951ae8e5ec7fc2c0d5cec97104c79af38e1664409ccc8c
Opcode Fuzzy Hash: d575418e56bffe1b92b1344774ed186d66d760a934a5b282ef7b58058a41b83e
Instruction Fuzzy Hash: 0C2192607047504BDB299A6C8980A2AE7E6EF89701F74191FF491C7781DFA9DC408799

Function 00438A90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00438AA5

Part of subcall function 0045A1A3: std::exception::exception.LIBCMT ref: 0045A1B8
Part of subcall function 0045A1A3: __CxxThrowException@8.LIBCMT ref: 0045A1CD

memcpy.MSVCRT(?,?,?), ref: 00438AEF

Strings

string too long, xrefs: 00438AA0

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentmemcpystd::_std::exception::exception
String ID: string too long
API String ID: 2475949303-2556327735
Opcode ID: 62872c68528120dfe96b1bec8294eac0be10b5fa71b87ce2b861df91edeb03e1
Instruction ID: c1be2a0aa929eea6c9a7dd7da6315b15f150e8ae7922a6ae65c03f905e190f65
Opcode Fuzzy Hash: 62872c68528120dfe96b1bec8294eac0be10b5fa71b87ce2b861df91edeb03e1
Instruction Fuzzy Hash: 6121D0726047045BE720DE6DD840A6EF7AAEBD9320F148A2FF895C3380DF74A9458698

Function 00438BB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00438BBF

Part of subcall function 0045A1F0: std::exception::exception.LIBCMT ref: 0045A205
Part of subcall function 0045A1F0: __CxxThrowException@8.LIBCMT ref: 0045A21A

memmove.MSVCRT(?,?,?,?,?,004389E2,00000000,?,?,00438800,?,00000000,004377D7), ref: 00438BF5

Strings

invalid string position, xrefs: 00438BBA

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentmemmovestd::_std::exception::exception
String ID: invalid string position
API String ID: 655285616-1799206989
Opcode ID: be5fc026f45ee7ae9dad26999360babd37a6d8f6540dd6d00b10ae549b9ca883
Instruction ID: e6a224b6ec367e2b0a7231d8dc52396ab67256cb2ad6349641d7104c3decf265
Opcode Fuzzy Hash: be5fc026f45ee7ae9dad26999360babd37a6d8f6540dd6d00b10ae549b9ca883
Instruction Fuzzy Hash: 5501D8703047019BD3108E2CED9051AF2E6DB89704F24191DF191C7785DB78EC428399

Function 00451550 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 00451581
lstrcpy.KERNEL32(00000000,?), ref: 004515B9
lstrcpy.KERNEL32(00000000,?), ref: 004515F1
lstrcpy.KERNEL32(00000000,?), ref: 00451629

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 8d569154ac776e5308f04f625a4e5cf17ad0822e1713675f8091649641865d2c
Instruction ID: d19f379ebee4c2ef9b250400f5c79a7bca6c8228e37f278c01fb763e1d2cf76c
Opcode Fuzzy Hash: 8d569154ac776e5308f04f625a4e5cf17ad0822e1713675f8091649641865d2c
Instruction Fuzzy Hash: DB210FB0601B029BD724EF3AC554B17B7F5AF48301F144A1EE896C7B61EB78E804CBA4

Function 00431410 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00431510: lstrcpy.KERNEL32(00000000), ref: 0043152D
Part of subcall function 00431510: lstrcpy.KERNEL32(00000000,?), ref: 0043154F
Part of subcall function 00431510: lstrcpy.KERNEL32(00000000,?), ref: 00431571
Part of subcall function 00431510: lstrcpy.KERNEL32(00000000,?), ref: 00431593

lstrcpy.KERNEL32(00000000,?), ref: 00431437
lstrcpy.KERNEL32(00000000,?), ref: 00431459
lstrcpy.KERNEL32(00000000,?), ref: 0043147B
lstrcpy.KERNEL32(00000000,?), ref: 004314DF

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: c32ddaf2f0da96529c3808f24a825d74fcfa5edf27dac7240448b67476410e8b
Instruction ID: 4beed86651e8d0b37fb031bf747b8caa65e1fb0767c84035a3c89ac0623104d0
Opcode Fuzzy Hash: c32ddaf2f0da96529c3808f24a825d74fcfa5edf27dac7240448b67476410e8b
Instruction Fuzzy Hash: F331A574A01B029FC728DF3AD588957BBE5BF49704B10592EE956C3B20DB74F811CB94

Function 00436E32 Relevance: 5.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040), ref: 00436E40
memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00436E7C
GetProcessHeap.KERNEL32(00000008,?), ref: 00436EB4
HeapAlloc.KERNEL32(00000000), ref: 00436EBB

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocProcess
String ID:
API String ID: 1643994569-0
Opcode ID: 441224ffd6965d08b8ea6234c055560d665c7193048d8e91fe0b22be95bc724a
Instruction ID: 7fb33337d86262cd5aaa6b7f8267323a37a1cd56017c1740c79cb01c3919b421
Opcode Fuzzy Hash: 441224ffd6965d08b8ea6234c055560d665c7193048d8e91fe0b22be95bc724a
Instruction Fuzzy Hash: 922190B4600702ABDB248B21DC85BB773E8EB44705F44846DFA46CB684FB78E945C754

Function 00431510 Relevance: 5.1, APIs: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 0043152D
lstrcpy.KERNEL32(00000000,?), ref: 0043154F
lstrcpy.KERNEL32(00000000,?), ref: 00431571
lstrcpy.KERNEL32(00000000,?), ref: 00431593

Memory Dump Source

Source File: 00000002.00000002.2212757781.0000000000431000.00000020.00000400.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Associated: 00000002.00000002.2212741326.0000000000430000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212784587.000000000045B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000047B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000049E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004BE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004C6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000004FD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000050A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000537000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.000000000058D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.00000000005B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2212803416.0000000000668000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2213203097.000000000067A000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_430000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 50d78fb4f62eb9c7bca372e886d1e707b6d50bb64b143ab24f290363e316bfc3
Instruction ID: c8a285d04d2d1dd4fe5b5a6e5ad9214ef60016135da83c51479c66226afed0ce
Opcode Fuzzy Hash: 50d78fb4f62eb9c7bca372e886d1e707b6d50bb64b143ab24f290363e316bfc3
Instruction Fuzzy Hash: AD112474A01B02ABDB189F36D508927B7FCBF49301B14162EE857C3B50DB78E800CB54

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WC2SD38tcf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Protection of GUI

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
WC2SD38tcf.exe

Function 00456710 Relevance: 256.2, APIs: 115, Strings: 31, Instructions: 696
libraryloaderCOMMON

Function 004356C0 Relevance: 111.0, APIs: 51, Strings: 12, Instructions: 734
stringCOMMON

Function 004563C0 Relevance: 77.2, APIs: 32, Strings: 12, Instructions: 218
libraryloaderCOMMON

Function 00434980 Relevance: 61.4, APIs: 34, Strings: 1, Instructions: 115
stringmemoryCOMMON

Function 00452A70 Relevance: 4.5, APIs: 3, Instructions: 44
memoryCOMMON

Function 00436B80 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 229
networkstringfileCOMMON

Function 004526E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 93
memoryCOMMON

Function 00452820 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 47
registrymemoryCOMMON

Function 00435570 Relevance: 12.1, APIs: 8, Instructions: 112
networkmemoryfileCOMMON

Function 00451BD0 Relevance: 12.1, APIs: 8, Instructions: 106
COMMON

Function 00434AE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
stringnetworkCOMMON

Function 004528B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
registrymemoryCOMMON

Function 0044EFE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON