Edit tour

Windows Analysis Report
Full-Setup.exe

Overview

General Information

Sample name:	Full-Setup.exe
Analysis ID:	1521582
MD5:	88a1c446d3d26bfdd2dde2029de24beb
SHA1:	ff8ffbbabdc7b4a9af03f9466656ec5167660fff
SHA256:	4f6c45165a60433a77d4fce2f5bf06216ef38af6ab7ab6c836aa9f8446de33ba
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

Full-Setup.exe (PID: 6564 cmdline: "C:\Users\user\Desktop\Full-Setup.exe" MD5: 88A1C446D3D26BFDD2DDE2029DE24BEB)

BitLockerToGo.exe (PID: 3152 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["vozmeatillu.shop", "stogeneratmns.shop", "drawzhotdog.shop", "ghostreedmnu.shop", "gutterydhowi.shop", "trustterwowqm.shop", "reinforcenh.shop", "offensivedzvju.shop", "fragnantbui.shop"], "Build id": "tLYMe5--111"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-29T00:49:19.735138+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49715	104.21.4.136	443	TCP
2024-09-29T00:49:20.843513+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49716	104.21.4.136	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-29T00:49:19.735138+0200	2049836	1	A Network Trojan was detected	192.168.2.6	49715	104.21.4.136	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-29T00:49:20.843513+0200	2049812	1	A Network Trojan was detected	192.168.2.6	49716	104.21.4.136	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-29T00:49:19.574914+0200	2056165	1	Domain Observed Used for C2 Detected	192.168.2.6	49715	104.21.4.136	443	TCP
2024-09-29T00:49:20.390732+0200	2056165	1	Domain Observed Used for C2 Detected	192.168.2.6	49716	104.21.4.136	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-29T00:49:19.077754+0200	2056164	1	Domain Observed Used for C2 Detected	192.168.2.6	60033	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (trustterwowqm .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-29T00:49:18.990662+0200	2056174	1	Domain Observed Used for C2 Detected	192.168.2.6	59324	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.BitLockerToGo.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["vozmeatillu.shop", "stogeneratmns.shop", "drawzhotdog.shop", "ghostreedmnu.shop", "gutterydhowi.shop", "trustterwowqm.shop", "reinforcenh.shop", "offensivedzvju.shop", "fragnantbui.shop"], "Build id": "tLYMe5--111"}

Multi AV Scanner detection for submitted file

Source: Full-Setup.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: reinforcenh.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stogeneratmns.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fragnantbui.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vozmeatillu.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: offensivedzvju.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: gutterydhowi.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: trustterwowqm.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tLYMe5--111

Source: Full-Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:49716 version: TLS 1.2

Source: Full-Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: Full-Setup.exe, 00000000.00000002.2314493525.00000000025FA000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: Full-Setup.exe, 00000000.00000002.2314493525.00000000025FA000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 68677325h	2_2_00446C94
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_0040EFF8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00449F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, word ptr [esi+edx*4]	2_2_0040C070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+28h]	2_2_0040C070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	2_2_0040C070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0040E080
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	2_2_00448120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	2_2_004441D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, ecx	2_2_004141F6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000878h]	2_2_004291A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edx], ax	2_2_004291A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, dword ptr [esp+40h]	2_2_004291A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0042E20E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_004232D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	2_2_0042C2E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	2_2_0042C2E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	2_2_00415292
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+18h]	2_2_00401295
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	2_2_00445310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+58h]	2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	2_2_004133E4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	2_2_0044A3A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	2_2_00431420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebp+ecx+00h], 0000h	2_2_004274C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movsx edx, byte ptr [ebp+ebx+00h]	2_2_004494C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_004494C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edi], ax	2_2_004214F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then dec ebx	2_2_0043F510
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	2_2_0044A520
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0042F5E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movsx edx, byte ptr [ebp+ebx+00h]	2_2_004495A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_004495A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	2_2_0041260C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	2_2_0042D624
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then test eax, eax	2_2_0041E6E6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	2_2_0044A690
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push 00000000h	2_2_00403710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0042C710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi], 00000000h	2_2_004157D7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_004307F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, eax	2_2_00408780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_0043B8C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_004498A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0042B8B2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	2_2_0042B8B2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	2_2_00413900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00444900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	2_2_00444900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	2_2_00444900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	2_2_004489D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_004489D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0042D9B3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 44CAAEB6h	2_2_00427A60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	2_2_0040DA70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0044AA70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	2_2_0041FA83
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	2_2_00441A80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00426B70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	2_2_0042EB0B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00449B30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	2_2_00404BC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	2_2_00412B9E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	2_2_00412B9E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	2_2_0042EBA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [esi], ax	2_2_00420C60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_00420C60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	2_2_00405C00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	2_2_0042FC31
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	2_2_0040DCC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+48h]	2_2_00413DE2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00443D90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	2_2_0041AF40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh	2_2_00447F30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	2_2_00443FC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_00430FB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.6:60033 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.6:49716 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2056174 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (trustterwowqm .shop) : 192.168.2.6:59324 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.6:49715 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49716 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49716 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49715 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49715 -> 104.21.4.136:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: trustterwowqm.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop

Source: Joe Sandbox View

IP Address: 104.21.4.136 104.21.4.136

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=03XKCjmbDCyhHo5BktRxoxoyo3NZqMvaFNaDOl2gcK0-1727563759-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: gutterydhowi.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: trustterwowqm.shop
Source: global traffic	DNS traffic detected: DNS query: gutterydhowi.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop

Source: Full-Setup.exe	String found in binary or memory: http://.css
Source: Full-Setup.exe	String found in binary or memory: http://.jpg
Source: Full-Setup.exe	String found in binary or memory: http://html4/loose.dtd
Source: Full-Setup.exe	String found in binary or memory: https://DwmFlushTlsAllocIsIconicIsZoomedPtInRectSetFocusdxgi.dll
Source: Full-Setup.exe, 00000000.00000002.2310510440.0000000002146000.00000004.00001000.00020000.00000000.sdmp, Full-Setup.exe, 00000000.00000002.2310510440.000000000236E000.00000004.00001000.00020000.00000000.sdmp, Full-Setup.exe, 00000000.00000002.2312557976.0000000002446000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signature
Source: Full-Setup.exe, 00000000.00000002.2314493525.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureSizes
Source: Full-Setup.exe, 00000000.00000002.2310510440.000000000236E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureZ
Source: Full-Setup.exe, 00000000.00000002.2310510440.000000000236E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signaturexS
Source: BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002F7B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002F94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gutterydhowi.shop/
Source: BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002F7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gutterydhowi.shop/R
Source: BitLockerToGo.exe, 00000002.00000003.2315276259.0000000002F94000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2315276259.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2315608551.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gutterydhowi.shop/api
Source: BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002F7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gutterydhowi.shop/b
Source: Full-Setup.exe	String found in binary or memory: https://login.chinacloudapi.cn/non-pointer
Source: Full-Setup.exe	String found in binary or memory: https://management.azure.comnil
Source: BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002F7B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2315243598.0000000002FFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2315608551.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000002.00000003.2315243598.0000000002FFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2315608551.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/

Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:49716 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00439240 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00439240

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00439240 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00439240

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_004395AA GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_004395AA

Source: Full-Setup.exe, 00000000.00000002.2308354197.0000000000E93000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: directInput8Create

memstr_63937bb8-2

Source: Full-Setup.exe, 00000000.00000002.2308354197.0000000000E93000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: exit hook invoked panicSplit called after Scanflate: internal error: pattern bits too long: gamepaddb: syntax errortoo many pointers (>10)segment length too longunpacking Question.Nameunpacking Question.Typeskipping Question Classmultipart: NextPart: %wvarint integer overflowinvalid UTF-8 in stringmismatching cardinalityunsupported edition: %vinvalid escape sequenceunknown empty width arglatest balancer error: name resolver error: %vproduced zero addressesxml: unsupported type: expected element type <0123456789abcdefABCDEF_function %q not defined&CloseCurlyDoubleQuote;&DoubleContourIntegral;&FilledVerySmallSquare;&NegativeVeryThinSpace;&NotPrecedesSlantEqual;&NotRightTriangleEqual;&NotSucceedsSlantEqual;<a href="#fn:%s">%d</a> <meta charset="utf-8"rle symbol %d >= max %dX-Amz-Copy-Source-RangeP224 point not on curveP256 point not on curveP384 point not on curveP521 point not on curvebad %s slice length: %dinvalid UUID length: %dDwmGetColorizationColorDwmIsCompositionEnabledSetThreadExecutionStateRegisterRawInputDevicesglfw: invalid shape: %dunexpected operator: %sredeclared function: %sinvalid length of arrayinvalid length array %d%v is not a valid tokenunknown accessor: %v.%sinvalid Message.Get on invalid Message.Set on no SubConn is availablenon-existent entity #%dlast resolver error: %vgrpc-status-details-binfinished writing statusGrpc-Status-Details-BinDiacriticalDoubleAcute;NotSquareSupersetEqual;invalid scalar encodingmissing type constraintunbalanced label scopesobject already resolvedhtml/template:%s:%d: %s%q in unquoted attr: %qtimeseries: num < 0, %vAlpcGetMessageAttributeNtAlpcAcceptConnectPortImageList_GetImageCountImageList_SetImageCountDwmSetPresentParametersSetConsoleTextAttributeQueryPerformanceCounterGetClipboardFormatNameWaes7z: Read after Closebzip2: Read after Closedelta: Read after Closelzma2: Read after Closeccm: invalid nonce sizeunknown character widthwhile scanning an alias%s (and %d more errors)illegal byte order markinvalid column number: invalid radix point in unknown escape sequencebrotli: excessive inputSIMPLE_HUFFMAN_ALPHABETblock checksum mismatchno tree selectors givendata exceeds block sizelz4: invalid block sizelzma: wrong chunk state%w: got %x; expected %xfloating point exceptionconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32SnapshotGetUserProfileDirectoryWSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard TimeMontevideo Standard TimeMagallanes Standard TimePacific SA Standard TimeAzerbaijan Standard TimeBangladesh Standard TimeNorth Asia Standard TimeCape Verde Standard Timeapplication/octet-streamgoogle.protobuf.DurationRequired flag %q not setCLI_TEMPLATE_ERROR_DEBUGCLI TEMPLATE ERROR: %#v

memstr_a02208bd-3

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00410B44	2_2_00410B44
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00439040	2_2_00439040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040C070	2_2_0040C070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040B0D0	2_2_0040B0D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042BEE7	2_2_0042BEE7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004490AC	2_2_004490AC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00449190	2_2_00449190
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004291A0	2_2_004291A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00428202	2_2_00428202
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042C2E0	2_2_0042C2E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00401295	2_2_00401295
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040134C	2_2_0040134C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004323D0	2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00405380	2_2_00405380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004073B0	2_2_004073B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004494C0	2_2_004494C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004484C0	2_2_004484C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00447488	2_2_00447488
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040E540	2_2_0040E540
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040B560	2_2_0040B560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040A570	2_2_0040A570
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004015FB	2_2_004015FB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004495A0	2_2_004495A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042D624	2_2_0042D624
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041E6E6	2_2_0041E6E6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00403710	2_2_00403710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042C710	2_2_0042C710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00408780	2_2_00408780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004117B0	2_2_004117B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004498A0	2_2_004498A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042B8B2	2_2_0042B8B2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00444900	2_2_00444900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004489D0	2_2_004489D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042D9B3	2_2_0042D9B3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00427A60	2_2_00427A60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044AA70	2_2_0044AA70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040AA30	2_2_0040AA30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041FA83	2_2_0041FA83
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00409B67	2_2_00409B67
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00449B30	2_2_00449B30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042ED7D	2_2_0042ED7D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00438D30	2_2_00438D30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00407DE0	2_2_00407DE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043ED90	2_2_0043ED90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040CE30	2_2_0040CE30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042BEE7	2_2_0042BEE7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040FFA7	2_2_0040FFA7

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0040EEE0 appears 173 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0040CB10 appears 50 times

Source: Full-Setup.exe, 00000000.00000002.2309634937.00000000016B1000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSoundpad.exe2 vs Full-Setup.exe
Source: Full-Setup.exe, 00000000.00000002.2314493525.00000000025FA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs Full-Setup.exe
Source: Full-Setup.exe	Binary or memory string: OriginalFilenameSoundpad.exe2 vs Full-Setup.exe

Source: Full-Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@2/1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0043F920 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

2_2_0043F920

Source: Full-Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Full-Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Full-Setup.exe

ReversingLabs: Detection: 34%

Source: Full-Setup.exe	String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine (BADINDEX)%!(NOVERB)12207031256103515625ParseFloatcomplex128t.Kind == myhostname.localhostunixpacketwsarecvmsgwsasendmsgIP address netGo = local-addrRST_STREAMEND_STREAMSet-Cookie; Expires=; Max-Age=; HttpOnly stream=%d:authorityset-cookieuser-agentkeep-aliveequivalentHost: %s
Source: Full-Setup.exe	String found in binary or memory: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=invalid syntax1907348632812595367431640625unsafe.Pointer on zero Valuereflect.Value.unknown methodRegSetValueExW.WithoutCancel.WithDeadline(internal error.in-addr.arpa.unknown mode: MAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAM; SameSite=LaxERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eof{$} not at endempty wildcardparsing %q: %wunknown error unknown code: Not AcceptableDkim-Signature"OUT_OF_RANGE"ALREADY_EXISTS(line %d:%d): invalid %v: %vreserved_rangefield_presence\.+*?()\|[]{}^$len of type %s^[a-f0-9]{64}$^[a-f0-9]{96}$RequestExpiredRequestTimeout^cn\-\w+\-\d+$cn-northwest-1us-isob-east-1cloud.adc-e.ukeu-isoe-west-1csp.hci.ic.govap-northeast-1ap-northeast-2ap-northeast-3ap-southeast-1ap-southeast-2ap-southeast-3ap-southeast-4aws-iso-globalfips-us-east-1fips-us-east-2fips-us-west-1fips-us-west-2boringcrypto: bad record MACControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDOpenSCManagerWSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWModule32FirstWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueWunreachable: /log/filter.go/log/helper.godata truncated
Source: Full-Setup.exe	String found in binary or memory: net/addrselect.go
Source: Full-Setup.exe	String found in binary or memory: google.golang.org/grpc@v1.64.1/internal/balancerload/load.go
Source: Full-Setup.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: Full-Setup.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>

Source: C:\Users\user\Desktop\Full-Setup.exe

File read: C:\Users\user\Desktop\Full-Setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Full-Setup.exe "C:\Users\user\Desktop\Full-Setup.exe"
Source: C:\Users\user\Desktop\Full-Setup.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\Full-Setup.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Full-Setup.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Full-Setup.exe

Static file information: File size 16855552 > 1048576

Source: Full-Setup.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x6e1400
Source: Full-Setup.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x6d6200
Source: Full-Setup.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x148400

Source: Full-Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: Full-Setup.exe, 00000000.00000002.2314493525.00000000025FA000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: Full-Setup.exe, 00000000.00000002.2314493525.00000000025FA000.00000004.00001000.00020000.00000000.sdmp

Source: Full-Setup.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\Full-Setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 4372

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2315608551.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002F67000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: Full-Setup.exe, 00000000.00000002.2310325254.0000000001A5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

API call chain: ExitProcess graph end node

graph_2-19720

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00440400 LdrInitializeThunk,

2_2_00440400

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Full-Setup.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Full-Setup.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop
Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: trustterwowqm.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Full-Setup.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C00008	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44C000	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44F000	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 45E000	Jump to behavior

Source: C:\Users\user\Desktop\Full-Setup.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Full-Setup.exe	Queries volume information: C:\Users\user\Desktop\Full-Setup.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	2 Virtualization/Sandbox Evasion	21 Input Capture	11 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	21 Input Capture	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	22 System Information Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Full-Setup.exe	34%	ReversingLabs	Win32.Spyware.Lummastealer

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gutterydhowi.shop	104.21.4.136	true	true		unknown
trustterwowqm.shop	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Reputation
https://gutterydhowi.shop/api	true	unknown
stogeneratmns.shop	true	unknown
reinforcenh.shop	true	unknown
fragnantbui.shop	true	unknown
gutterydhowi.shop	true	unknown
offensivedzvju.shop	true	unknown
drawzhotdog.shop	true	unknown
ghostreedmnu.shop	true	unknown
trustterwowqm.shop	true	unknown
vozmeatillu.shop	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	BitLockerToGo.exe, 00000002.00000003.2315243598.0000000002FFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2315608551.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://html4/loose.dtd	Full-Setup.exe	false	unknown
https://DwmFlushTlsAllocIsIconicIsZoomedPtInRectSetFocusdxgi.dll	Full-Setup.exe	false	unknown
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureZ	Full-Setup.exe, 00000000.00000002.2310510440.000000000236E000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureSizes	Full-Setup.exe, 00000000.00000002.2314493525.0000000002580000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://login.chinacloudapi.cn/non-pointer	Full-Setup.exe	false	unknown
http://.css	Full-Setup.exe	false	unknown
https://gutterydhowi.shop/R	BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002F7B000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://www.cloudflare.com/5xx-error-landing	BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002F7B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2315243598.0000000002FFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2315608551.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://gutterydhowi.shop/b	BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002F7B000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signature	Full-Setup.exe, 00000000.00000002.2310510440.0000000002146000.00000004.00001000.00020000.00000000.sdmp, Full-Setup.exe, 00000000.00000002.2310510440.000000000236E000.00000004.00001000.00020000.00000000.sdmp, Full-Setup.exe, 00000000.00000002.2312557976.0000000002446000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://gutterydhowi.shop/	BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002F7B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002F94000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://management.azure.comnil	Full-Setup.exe	false	unknown
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signaturexS	Full-Setup.exe, 00000000.00000002.2310510440.000000000236E000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://.jpg	Full-Setup.exe	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.4.136	gutterydhowi.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1521582
Start date and time:	2024-09-29 00:48:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Full-Setup.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@2/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 87% Number of executed functions: 15 Number of non-executed functions: 100
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Full-Setup.exe, PID 6564 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Full-Setup.exe

Simulations

Behavior and APIs

Time	Type	Description
18:49:17	API Interceptor	2x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.4.136	injector V2.4.exe	Get hash	malicious	LummaC	Browse
	FoS5cjKhd3.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	kewyIO69TI.exe	Get hash	malicious	LummaC	Browse
	gZzI6gTYn4.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gutterydhowi.shop	file.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	injector V2.4.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	FoS5cjKhd3.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	kewyIO69TI.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	gZzI6gTYn4.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	U6b3tLFqN5.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	0UB3FIL25c.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse	104.21.4.136

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://ardam.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://krakennylog.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	104.16.117.116
	https://dappnoderestore.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://nftpack83.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://coin-pro-base-login.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	172.64.147.209
	http://nfthit7.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	104.18.18.237
	https://server.h74w.com/invite/84350172	Get hash	malicious	Unknown	Browse	104.21.52.99
	http://sellerthirteen.eur-tiktokshop.com/	Get hash	malicious	Unknown	Browse	172.67.169.55
	https://sellerfourth.eur-tiktokshop.com/	Get hash	malicious	Unknown	Browse	172.67.169.55
	https://sellerfifteen.eur-tiktokshop.com/	Get hash	malicious	Unknown	Browse	172.67.169.55

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	SmokeLoader	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz	Browse	104.21.4.136
	Trjscan_[7MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	Trjscan_[7MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	injector V2.4.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	injector V2.4.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	Website_Redesign_Project.xls	Get hash	malicious	Unknown	Browse	104.21.4.136

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.424819113229837
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Full-Setup.exe
File size:	16'855'552 bytes
MD5:	88a1c446d3d26bfdd2dde2029de24beb
SHA1:	ff8ffbbabdc7b4a9af03f9466656ec5167660fff
SHA256:	4f6c45165a60433a77d4fce2f5bf06216ef38af6ab7ab6c836aa9f8446de33ba
SHA512:	acfe518ce3936f417846d3b41ae6974ae70775cdbbb74acba4fc32d826508a0517063c6f4fa8bdfe084ceb3ba62ebef909191dcc9b7bf82f299714e562b7fb52
SSDEEP:	98304:cTR4ecSaE5IB4CDn/fp1b5t+KWaqZbutS/2UzMiMuS4Tfp21aUsvrZ27FSTSQLo9:DeXaEgT/xxqZbtQBu1rw1aUsvrsSmea
TLSH:	11074A41FAD740F9EA03583540ABB22F23345E098B29DBD7EB517E69F8772921C37249
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................n.........0.............@.......................................@................................

File Icon


Icon Hash:	1f2d59f9795b3630

Static PE Info

General

Entrypoint:	0x478830
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	1aae8bf580c846f39c71c05898e57e88

Entrypoint Preview

Instruction
jmp 00007FC3FD1AB840h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007FC3FD186BD6h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
add eax, 00000BA0h
mov dword ptr [edx+08h], eax
mov dword ptr [edx+0Ch], eax
lea edi, dword ptr [ecx+34h]
mov dword ptr [edx+18h], ecx
mov dword ptr [edi], edx
mov dword ptr [esp+04h], edi
call 00007FC3FD1ADCA4h
cld
call 00007FC3FD1ACD2Eh
call 00007FC3FD1AB969h
add esp, 08h
ret
jmp 00007FC3FD1ADB50h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ebx, dword ptr [esp+04h]
mov ebp, esp
mov dword ptr fs:[00000034h], 00000000h
mov ecx, dword ptr [ebx+04h]
cmp ecx, 00000000h
je 00007FC3FD1ADB51h
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xea2000	0x44c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf01000	0x1483b7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea3000	0x5c494	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xdbbca0	0xb4	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6e1278	0x6e1400	c1589bd898347ae9fdf975824e9e62f7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6e3000	0x6d6050	0x6d6200	ccbc903fc254b12fb30584580c0b79c1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xdba000	0xe7e38	0xb6600	7c9b01e14a48067c49e8261e4f7f0b93	False	0.28818566869431117	DIY-Thermocam raw data (Lepton 2.x), scale -28625-256, spot sensor temperature 0.000000, unit celsius, color scheme 1, calibration: offset 0.000000, slope 2147550208.000000	6.006920045257039	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xea2000	0x44c	0x600	81c29552de568a8c281117613be41c69	False	0.3587239583333333	OpenPGP Public Key	3.8717961577392512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xea3000	0x5c494	0x5c600	dee4f66de3053b73bd0ddb507290e054	False	0.5382273342354533	data	6.625384593206442	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0xf00000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xf01000	0x1483b7	0x148400	5c0a7688d4c1d45352a633f518d62e4c	False	0.2584171803598629	data	5.148589820359574	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf06208	0x7249	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	German	Germany	1.000546877670301
RT_ICON	0xf0d454	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.24429460580912862
RT_ICON	0xf0f9fc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.29901500938086306
RT_ICON	0xf10aa4	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.35122950819672133
RT_ICON	0xf1142c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.4175531914893617
RT_ICON	0xf11894	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.5310283687943262
RT_ICON	0xf11cfc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.30370544090056284
RT_ICON	0xf12da4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2121369294605809
RT_ICON	0xf1534c	0x817c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	German	Germany	0.9963497043562206
RT_ICON	0xf1d4c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.23609958506224066
RT_ICON	0xf1fa70	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.34310506566604126
RT_ICON	0xf20b18	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.3721311475409836
RT_ICON	0xf214a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.500886524822695
RT_ICON	0xf21908	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2037344398340249
RT_ICON	0xf23eb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2976078799249531
RT_ICON	0xf24f58	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.33852459016393444
RT_ICON	0xf258e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.42109929078014185
RT_ICON	0xf25d48	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.04823651452282158
RT_ICON	0xf282f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.07129455909943715
RT_ICON	0xf29398	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.09959016393442623
RT_ICON	0xf29d20	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.1524822695035461
RT_ICON	0xf2a188	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.1787344398340249
RT_ICON	0xf2c730	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.18105065666041276
RT_ICON	0xf2d7d8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.1918032786885246
RT_ICON	0xf2e160	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.2393617021276596
RT_ICON	0xf2e5c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.22437759336099586
RT_ICON	0xf30b70	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.20309568480300189
RT_ICON	0xf31c18	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.2266393442622951
RT_ICON	0xf325a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.3342198581560284
RT_ICON	0xf32a08	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2408713692946058
RT_ICON	0xf34fb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.23639774859287055
RT_ICON	0xf36058	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.2700819672131147
RT_ICON	0xf369e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.3404255319148936
RT_ICON	0xf36e48	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.11939834024896266
RT_ICON	0xf393f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.175422138836773
RT_ICON	0xf3a498	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.23934426229508196
RT_ICON	0xf3ae20	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.3262411347517731
RT_ICON	0xf3b288	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.16524896265560166
RT_ICON	0xf3d830	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.18409943714821764
RT_ICON	0xf3e8d8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.3127049180327869
RT_ICON	0xf3f260	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.36524822695035464
RT_ICON	0xf3f6c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.25933609958506226
RT_ICON	0xf41c70	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2450750469043152
RT_ICON	0xf42d18	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.27049180327868855
RT_ICON	0xf436a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.3971631205673759
RT_ICON	0xf43b08	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.25
RT_ICON	0xf460b0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.29831144465290804
RT_ICON	0xf47158	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.33975409836065573
RT_ICON	0xf47ae0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.4299645390070922
RT_ICON	0xf47f48	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2212655601659751
RT_ICON	0xf4a4f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.1850375234521576
RT_ICON	0xf4b598	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.19344262295081968
RT_ICON	0xf4bf20	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.2721631205673759
RT_ICON	0xf4c388	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.29553941908713693
RT_ICON	0xf4e930	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.3651500938086304
RT_ICON	0xf4f9d8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.40491803278688526
RT_ICON	0xf50360	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.4015957446808511
RT_ICON	0xf507c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.10612033195020747
RT_ICON	0xf52d70	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.1578330206378987
RT_ICON	0xf53e18	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.18975409836065574
RT_ICON	0xf547a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.27393617021276595
RT_ICON	0xf54c08	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.22987551867219916
RT_ICON	0xf571b0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2861163227016886
RT_ICON	0xf58258	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.364344262295082
RT_ICON	0xf58be0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.45567375886524825
RT_ICON	0xf59048	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.26908713692946057
RT_ICON	0xf5b5f0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.23744813278008298
RT_ICON	0xf5db98	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.20518672199170124
RT_ICON	0xf60140	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2521106941838649
RT_ICON	0xf611e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.27909836065573773
RT_ICON	0xf61b70	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.3067375886524823
RT_ICON	0xf61fd8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.21939834024896265
RT_ICON	0xf64580	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2652439024390244
RT_ICON	0xf65628	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.30450819672131146
RT_ICON	0xf65fb0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.3395390070921986
RT_ICON	0xf66418	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.22354771784232366
RT_ICON	0xf689c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2830675422138837
RT_ICON	0xf69a68	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.32581967213114754
RT_ICON	0xf6a3f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.35106382978723405
RT_ICON	0xf6a858	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2283195020746888
RT_ICON	0xf6ce00	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.27650093808630394
RT_ICON	0xf6dea8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.32581967213114754
RT_ICON	0xf6e830	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.3546099290780142
RT_ICON	0xf6ec98	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2328838174273859
RT_ICON	0xf71240	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2929174484052533
RT_ICON	0xf722e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.3430327868852459
RT_ICON	0xf72c70	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.3829787234042553
RT_ICON	0xf730d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2337136929460581
RT_ICON	0xf75680	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2978424015009381
RT_ICON	0xf76728	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.34262295081967215
RT_ICON	0xf770b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.38120567375886527
RT_ICON	0xf77518	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.19346473029045644
RT_ICON	0xf79ac0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.29713883677298314
RT_ICON	0xf7ab68	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.36475409836065575
RT_ICON	0xf7b4f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.4219858156028369
RT_ICON	0xf7b958	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.21410788381742737
RT_ICON	0xf7df00	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.18667917448405252
RT_ICON	0xf7efa8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.20614754098360655
RT_ICON	0xf7f930	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.2526595744680851
RT_ICON	0xf7fd98	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.23558091286307054
RT_ICON	0xf82340	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2052063789868668
RT_ICON	0xf833e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.25573770491803277
RT_ICON	0xf83d70	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.324468085106383
RT_ICON	0xf841d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2187759336099585
RT_ICON	0xf86780	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.22021575984990618
RT_ICON	0xf87828	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.24795081967213115
RT_ICON	0xf881b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.300531914893617
RT_ICON	0xf88618	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.21804979253112033
RT_ICON	0xf8abc0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.25093808630394
RT_ICON	0xf8bc68	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.2762295081967213
RT_ICON	0xf8c5f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.3262411347517731
RT_ICON	0xf8ca58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.23827800829875517
RT_ICON	0xf8f000	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.29174484052532834
RT_ICON	0xf900a8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.3319672131147541
RT_ICON	0xf90a30	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.4166666666666667
RT_ICON	0xf90e98	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.27282157676348545
RT_ICON	0xf93440	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2929174484052533
RT_ICON	0xf944e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.3442622950819672
RT_ICON	0xf94e70	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.4228723404255319
RT_ICON	0xf952d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2629668049792531
RT_ICON	0xf97880	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.30347091932457787
RT_ICON	0xf98928	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.3377049180327869
RT_ICON	0xf992b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.4592198581560284
RT_ICON	0xf99718	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.26867219917012447
RT_ICON	0xf9bcc0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.3227016885553471
RT_ICON	0xf9cd68	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.3590163934426229
RT_ICON	0xf9d6f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.475177304964539
RT_ICON	0xf9db58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.26690871369294605
RT_ICON	0xfa0100	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.3201219512195122
RT_ICON	0xfa11a8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.35942622950819675
RT_ICON	0xfa1b30	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.4645390070921986
RT_ICON	0xfa1f98	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2657676348547718
RT_ICON	0xfa4540	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.31308630393996245
RT_ICON	0xfa55e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.3569672131147541
RT_ICON	0xfa5f70	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.4734042553191489
RT_ICON	0xfa63d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2950207468879668
RT_ICON	0xfa8980	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.33653846153846156
RT_ICON	0xfa9a28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.39467213114754096
RT_ICON	0xfaa3b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.425531914893617
RT_ICON	0xfaa818	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.29678423236514523
RT_ICON	0xfacdc0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.32786116322701686
RT_ICON	0xfade68	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.37131147540983606
RT_ICON	0xfae7f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.45478723404255317
RT_ICON	0xfaec58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.18724066390041494
RT_ICON	0xfb1200	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.25375234521575984
RT_ICON	0xfb22a8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.28852459016393445
RT_ICON	0xfb2c30	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.3404255319148936
RT_ICON	0xfb3098	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.23568464730290456
RT_ICON	0xfb5640	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.275328330206379
RT_ICON	0xfb66e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.3155737704918033
RT_ICON	0xfb7070	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.3820921985815603
RT_ICON	0xfb74d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.3
RT_ICON	0xfb9a80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.38320825515947465
RT_ICON	0xfbab28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.40737704918032785
RT_ICON	0xfbb4b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.4601063829787234
RT_ICON	0xfbb918	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.28651452282157674
RT_ICON	0xfbdec0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.324577861163227
RT_ICON	0xfbef68	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.3897540983606557
RT_ICON	0xfbf8f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.3980496453900709
RT_ICON	0xfbfd58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.24885892116182573
RT_ICON	0xfc2300	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.19301125703564728
RT_ICON	0xfc33a8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.18401639344262294
RT_ICON	0xfc3d30	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.2553191489361702
RT_ICON	0xfc4198	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.11390041493775933
RT_ICON	0xfc6740	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.15900562851782363
RT_ICON	0xfc77e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.2069672131147541
RT_ICON	0xfc8170	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.26684397163120566
RT_ICON	0xfc85d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.1607883817427386
RT_ICON	0xfcab80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2521106941838649
RT_ICON	0xfcbc28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.29262295081967216
RT_ICON	0xfcc5b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.41312056737588654
RT_ICON	0xfcca18	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.1821576763485477
RT_ICON	0xfcefc0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.24296435272045028
RT_ICON	0xfd0068	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.28647540983606556
RT_ICON	0xfd09f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.36347517730496454
RT_ICON	0xfd0e58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.14325726141078837
RT_ICON	0xfd3400	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.18339587242026267
RT_ICON	0xfd44a8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.21024590163934426
RT_ICON	0xfd4e30	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.2721631205673759
RT_ICON	0xfd5298	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2533195020746888
RT_ICON	0xfd7840	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.3348968105065666
RT_ICON	0xfd88e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.3540983606557377
RT_ICON	0xfd9270	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.475177304964539
RT_ICON	0xfd96d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.23827800829875517
RT_ICON	0xfdbc80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.3133208255159475
RT_ICON	0xfdcd28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.30655737704918035
RT_ICON	0xfdd6b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.42730496453900707
RT_ICON	0xfddb18	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.24927385892116183
RT_ICON	0xfe00c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.20333020637898686
RT_ICON	0xfe1168	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.19508196721311474
RT_ICON	0xfe1af0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.30230496453900707
RT_ICON	0xfe1f58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.23734439834024895
RT_ICON	0xfe4500	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2732176360225141
RT_ICON	0xfe55a8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.28688524590163933
RT_ICON	0xfe5f30	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.34308510638297873
RT_ICON	0xfe6398	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.19398340248962656
RT_ICON	0xfe8940	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.20614446529080677
RT_ICON	0xfe99e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.2610655737704918
RT_ICON	0xfea370	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.2969858156028369
RT_ICON	0xfea7d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.22313278008298756
RT_ICON	0xfecd80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.25140712945590993
RT_ICON	0xfede28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.3155737704918033
RT_ICON	0xfee7b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.36436170212765956
RT_ICON	0xfeec18	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2216804979253112
RT_ICON	0xff11c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.24413696060037524
RT_ICON	0xff2268	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.30040983606557375
RT_ICON	0xff2bf0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.35726950354609927
RT_ICON	0xff3058	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.14948132780082987
RT_ICON	0xff5600	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.19301125703564728
RT_ICON	0xff66a8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.21598360655737706
RT_ICON	0xff7030	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.2872340425531915
RT_ICON	0xff7498	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2316390041493776
RT_ICON	0xff9a40	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.28353658536585363
RT_ICON	0xffaae8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.3418032786885246
RT_ICON	0xffb470	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.40425531914893614
RT_ICON	0xffb8d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.22603734439834025
RT_ICON	0xffde80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.33677298311444653
RT_ICON	0xffef28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.31024590163934423
RT_ICON	0xfff8b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.4051418439716312
RT_ICON	0xfffd18	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2200207468879668
RT_ICON	0x10022c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2603189493433396
RT_ICON	0x1003368	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.30778688524590164
RT_ICON	0x1003cf0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.26595744680851063
RT_ICON	0x1004158	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.21950207468879668
RT_ICON	0x1006700	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.27157598499061913
RT_ICON	0x10077a8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.3155737704918033
RT_ICON	0x1008130	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.22872340425531915
RT_ICON	0x1008598	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.23817427385892115
RT_ICON	0x100ab40	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2521106941838649
RT_ICON	0x100bbe8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.29180327868852457
RT_ICON	0x100c570	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.39361702127659576
RT_ICON	0x100c9d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.3642116182572614
RT_ICON	0x100ef80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.39352720450281425
RT_ICON	0x1010028	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.48811475409836064
RT_ICON	0x10109b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.45656028368794327
RT_ICON	0x1010e18	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2619294605809129
RT_ICON	0x10133c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.31308630393996245
RT_ICON	0x1014468	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.37131147540983606
RT_ICON	0x1014df0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.40602836879432624
RT_ICON	0x1015258	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2149377593360996
RT_ICON	0x1017800	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2150562851782364
RT_ICON	0x10188a8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.2647540983606557
RT_ICON	0x1019230	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.30407801418439717
RT_ICON	0x1019698	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.22095435684647302
RT_ICON	0x101bc40	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2856472795497186
RT_ICON	0x101cce8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.33524590163934426
RT_ICON	0x101d670	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.450354609929078
RT_ICON	0x101dad8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2008298755186722
RT_ICON	0x1020080	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2643058161350844
RT_ICON	0x1021128	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.31926229508196724
RT_ICON	0x1021ab0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.4228723404255319
RT_ICON	0x1021f18	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.24553941908713692
RT_ICON	0x10244c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.3196529080675422
RT_ICON	0x1025568	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.37991803278688524
RT_ICON	0x1025ef0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.4645390070921986
RT_ICON	0x1026358	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.22780082987551867
RT_ICON	0x1028900	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.2530487804878049
RT_ICON	0x10299a8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.26721311475409837
RT_ICON	0x102a330	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.3191489361702128
RT_ICON	0x102a798	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.26141078838174275
RT_ICON	0x102cd40	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.31590056285178236
RT_ICON	0x102dde8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.3274590163934426
RT_ICON	0x102e770	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.42730496453900707
RT_ICON	0x102ebd8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.23786307053941907
RT_ICON	0x1031180	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.3173076923076923
RT_ICON	0x1032228	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.3295081967213115
RT_ICON	0x1032bb0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.46187943262411346
RT_ICON	0x1033018	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.23184647302904565
RT_ICON	0x10355c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.31848030018761725
RT_ICON	0x1036668	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.33401639344262296
RT_ICON	0x1036ff0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.4530141843971631
RT_ICON	0x1037458	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.2142116182572614
RT_ICON	0x1039a00	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.24624765478424016
RT_ICON	0x103aaa8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.2774590163934426
RT_ICON	0x103b430	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.38120567375886527
RT_ICON	0x103b898	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.27645228215767637
RT_ICON	0x103de40	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.32387429643527205
RT_ICON	0x103eee8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.38114754098360654
RT_ICON	0x103f870	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.3900709219858156
RT_ICON	0x103fcd8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.23858921161825727
RT_ICON	0x1042280	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.3123827392120075
RT_ICON	0x1043328	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	German	Germany	0.3516393442622951
RT_ICON	0x1043cb0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.48936170212765956
RT_ICON	0x1044118	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.16666666666666666
RT_ICON	0x1044400	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.375
RT_ICON	0x1044528	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4949421965317919
RT_ICON	0x1044a90	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.47297297297297297
RT_ICON	0x1044bb8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4356936416184971
RT_ICON	0x1045120	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.34459459459459457
RT_ICON	0x1045248	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4653179190751445
RT_ICON	0x10457b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.38513513513513514
RT_ICON	0x10458d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4833815028901734
RT_ICON	0x1045e40	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.46283783783783783
RT_ICON	0x1045f68	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4638728323699422
RT_ICON	0x10464d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.38513513513513514
RT_ICON	0x10465f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4472543352601156
RT_ICON	0x1046b60	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.42567567567567566
RT_ICON	0x1046c88	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.45447976878612717
RT_ICON	0x10471f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.3885135135135135
RT_ICON	0x1047318	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4523121387283237
RT_ICON	0x1047880	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.42567567567567566
RT_GROUP_ICON	0x10479a8	0x4c	data	German	Germany	0.7894736842105263
RT_GROUP_ICON	0x10479f4	0x3e	data	German	Germany	0.8548387096774194
RT_GROUP_ICON	0x1047a34	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047a74	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047ab4	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047af4	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047b34	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047b74	0x3e	data	German	Germany	0.8548387096774194
RT_GROUP_ICON	0x1047bb4	0x3e	data	German	Germany	0.8709677419354839
RT_GROUP_ICON	0x1047bf4	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047c34	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047c74	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047cb4	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047cf4	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047d34	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047d74	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047db4	0x14	data	German	Germany	1.25
RT_GROUP_ICON	0x1047dc8	0x14	data	German	Germany	1.25
RT_GROUP_ICON	0x1047ddc	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047e1c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047e5c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047e9c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047edc	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047f1c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047f5c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047f9c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1047fdc	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104801c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104805c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104809c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x10480dc	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104811c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104815c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104819c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x10481dc	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104821c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104825c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104829c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x10482dc	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104831c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104835c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104839c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x10483dc	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104841c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104845c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104849c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x10484dc	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104851c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104855c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104859c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x10485dc	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104861c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104865c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104869c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x10486dc	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104871c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104875c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104879c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x10487dc	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104881c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104885c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104889c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x10488dc	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104891c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104895c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x104899c	0x3e	data	German	Germany	0.8387096774193549
RT_GROUP_ICON	0x10489dc	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1048a1c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1048a5c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1048a9c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1048adc	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1048b1c	0x3e	data	German	Germany	0.8870967741935484
RT_GROUP_ICON	0x1048b5c	0x22	data	English	United States	1.0588235294117647
RT_GROUP_ICON	0x1048b80	0x22	data	English	United States	1.1470588235294117
RT_GROUP_ICON	0x1048ba4	0x22	data	English	United States	1.1470588235294117
RT_GROUP_ICON	0x1048bc8	0x22	data	English	United States	1.1470588235294117
RT_GROUP_ICON	0x1048bec	0x22	data	English	United States	1.1470588235294117
RT_GROUP_ICON	0x1048c10	0x22	data	English	United States	1.1470588235294117
RT_GROUP_ICON	0x1048c34	0x22	data	English	United States	1.1176470588235294
RT_GROUP_ICON	0x1048c58	0x22	data	English	United States	1.1470588235294117
RT_GROUP_ICON	0x1048c7c	0x22	data	English	United States	1.1470588235294117
RT_VERSION	0x1048ca0	0x2bc	data	German	Germany	0.46285714285714286
RT_MANIFEST	0x1048f5c	0x45b	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1055), with CRLF line terminators	English	United States	0.4896860986547085

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
German	Germany
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-29T00:49:18.990662+0200	2056174	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (trustterwowqm .shop)	1	192.168.2.6	59324	1.1.1.1	53	UDP
2024-09-29T00:49:19.077754+0200	2056164	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)	1	192.168.2.6	60033	1.1.1.1	53	UDP
2024-09-29T00:49:19.574914+0200	2056165	ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)	1	192.168.2.6	49715	104.21.4.136	443	TCP
2024-09-29T00:49:19.735138+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49715	104.21.4.136	443	TCP
2024-09-29T00:49:19.735138+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49715	104.21.4.136	443	TCP
2024-09-29T00:49:20.390732+0200	2056165	ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)	1	192.168.2.6	49716	104.21.4.136	443	TCP
2024-09-29T00:49:20.843513+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.6	49716	104.21.4.136	443	TCP
2024-09-29T00:49:20.843513+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49716	104.21.4.136	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2024 00:49:19.101253033 CEST	49715	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:19.101289988 CEST	443	49715	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:19.101361990 CEST	49715	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:19.105370045 CEST	49715	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:19.105386972 CEST	443	49715	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:19.574814081 CEST	443	49715	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:19.574913979 CEST	49715	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:19.577107906 CEST	49715	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:19.577116013 CEST	443	49715	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:19.577362061 CEST	443	49715	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:19.627166033 CEST	49715	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:19.629627943 CEST	49715	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:19.629627943 CEST	49715	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:19.629751921 CEST	443	49715	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:19.735135078 CEST	443	49715	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:19.735162020 CEST	443	49715	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:19.735188961 CEST	443	49715	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:19.735196114 CEST	443	49715	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:19.735222101 CEST	49715	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:19.735239029 CEST	443	49715	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:19.735266924 CEST	49715	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:19.735268116 CEST	443	49715	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:19.735407114 CEST	49715	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:19.741184950 CEST	49715	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:19.741184950 CEST	49715	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:19.741198063 CEST	443	49715	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:19.741205931 CEST	443	49715	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:19.900655985 CEST	49716	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:19.900686979 CEST	443	49716	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:19.900772095 CEST	49716	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:19.901303053 CEST	49716	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:19.901314020 CEST	443	49716	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:20.390269995 CEST	443	49716	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:20.390732050 CEST	49716	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:20.391925097 CEST	49716	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:20.391949892 CEST	443	49716	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:20.392200947 CEST	443	49716	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:20.393471956 CEST	49716	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:20.393471956 CEST	49716	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:20.393562078 CEST	443	49716	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:20.843524933 CEST	443	49716	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:20.843619108 CEST	443	49716	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:20.843679905 CEST	49716	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:20.843884945 CEST	49716	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:20.843907118 CEST	443	49716	104.21.4.136	192.168.2.6
Sep 29, 2024 00:49:20.843924046 CEST	49716	443	192.168.2.6	104.21.4.136
Sep 29, 2024 00:49:20.843930960 CEST	443	49716	104.21.4.136	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2024 00:49:18.990662098 CEST	59324	53	192.168.2.6	1.1.1.1
Sep 29, 2024 00:49:19.073124886 CEST	53	59324	1.1.1.1	192.168.2.6
Sep 29, 2024 00:49:19.077754021 CEST	60033	53	192.168.2.6	1.1.1.1
Sep 29, 2024 00:49:19.091968060 CEST	53	60033	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 29, 2024 00:49:18.990662098 CEST	192.168.2.6	1.1.1.1	0x885	Standard query (0)	trustterwowqm.shop	A (IP address)	IN (0x0001)	false
Sep 29, 2024 00:49:19.077754021 CEST	192.168.2.6	1.1.1.1	0xaf41	Standard query (0)	gutterydhowi.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 29, 2024 00:49:19.073124886 CEST	1.1.1.1	192.168.2.6	0x885	Name error (3)	trustterwowqm.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 29, 2024 00:49:19.091968060 CEST	1.1.1.1	192.168.2.6	0xaf41	No error (0)	gutterydhowi.shop		104.21.4.136	A (IP address)	IN (0x0001)	false
Sep 29, 2024 00:49:19.091968060 CEST	1.1.1.1	192.168.2.6	0xaf41	No error (0)	gutterydhowi.shop		172.67.132.32	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

gutterydhowi.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49715	104.21.4.136	443	3152	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 22:49:19 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: gutterydhowi.shop
2024-09-28 22:49:19 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-28 22:49:19 UTC	551	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 22:49:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NysoiYarc6if6azgSM10Krjar0ekL8rrg5OAl8iTzaPZzibQRYJZMbLuygyL3xPw0T1NvJbiu5Q5C2e3OahjUSLDFmP%2BCPGzxXkvuz%2F9nm7Ixn179FUwWPJVSvvcAaBsoQVedA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca7493a0eaf0f36-EWR
2024-09-28 22:49:19 UTC	818	IN	Data Raw: 31 31 32 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 112d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-09-28 22:49:19 UTC	1369	IN	Data Raw: 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f 6f 6b Data Ascii: cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cook
2024-09-28 22:49:19 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 30 33 58 4b 43 6a 6d 62 44 43 79 68 48 6f 35 42 6b 74 52 78 6f 78 6f 79 6f 33 4e 5a 71 4d 76 61 46 4e 61 44 4f 6c 32 67 63 4b 30 2d 31 37 32 37 35 36 33 37 35 39 2d 30 2e 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 Data Ascii: <input type="hidden" name="atok" value="03XKCjmbDCyhHo5BktRxoxoyo3NZqMvaFNaDOl2gcK0-1727563759-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" st
2024-09-28 22:49:19 UTC	849	IN	Data Raw: 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 61 Data Ascii: m:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a
2024-09-28 22:49:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49716	104.21.4.136	443	3152	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 22:49:20 UTC	354	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=03XKCjmbDCyhHo5BktRxoxoyo3NZqMvaFNaDOl2gcK0-1727563759-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 77 Host: gutterydhowi.shop
2024-09-28 22:49:20 UTC	77	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 74 4c 59 4d 65 35 2d 2d 31 31 31 26 6a 3d 35 63 39 62 38 36 37 34 61 36 33 30 64 39 31 30 31 62 34 36 37 33 33 61 61 33 37 66 31 35 65 63 Data Ascii: act=recive_message&ver=4.0&lid=tLYMe5--111&j=5c9b8674a630d9101b46733aa37f15ec
2024-09-28 22:49:20 UTC	780	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 22:49:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=kjsqfhbij1tcqon5lg039uu597; expires=Wed, 22 Jan 2025 16:35:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rAU%2FNm1Qi8Gimd41MBsdH29g5wywXYj2HH0P0%2BA%2Fkt%2Bh21enEkKIdgjNuPyL6jB3cx8ZLPeh0LmqeyfmR2YTSIGSK2T94CvOUhg8Y%2BjGaTrZ6yjY3n7IZJWKEsQHnIJJZWj%2F7A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca7493edacc3300-EWR
2024-09-28 22:49:20 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-28 22:49:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	18:49:01
Start date:	28/09/2024
Path:	C:\Users\user\Desktop\Full-Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Full-Setup.exe"
Imagebase:	0x7b0000
File size:	16'855'552 bytes
MD5 hash:	88A1C446D3D26BFDD2DDE2029DE24BEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:49:11
Start date:	28/09/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0xba0000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	45.9%
Total number of Nodes:	61
Total number of Limit Nodes:	9

Executed Functions

Function 0043F920 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 250
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044DCE0,00000000,00000001,0044DCD0,00000000), ref: 0043FA51

Strings

H)d/, xrefs: 0043FBD6
D%D+, xrefs: 0043FBCE
\, xrefs: 0043F9FF
p=g#, xrefs: 0043FBBE
,-, xrefs: 0043FA99

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: CreateInstance
String ID: ,-$D%D+$H)d/$\$p=g#
API String ID: 542301482-4230606281
Opcode ID: d7634da46563571d4bbcd264eead9b2926ecae5b96e897c6701ccd679e32ffad
Instruction ID: ddfdf1add1cb45c2628aa24072ec68c6d9e8a1f6b0661e62aa16555396fb0693
Opcode Fuzzy Hash: d7634da46563571d4bbcd264eead9b2926ecae5b96e897c6701ccd679e32ffad
Instruction Fuzzy Hash: 76A121B4508380AFE3209F15D898B4FBBF4FB8A356F50981DF6C98A2A1C7759844CF56

Function 00446C94 Relevance: 4.0, Strings: 3, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

BABC, xrefs: 00446E83, 00446E8B
4`[b, xrefs: 00446B80
%sgh, xrefs: 00446D10

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %sgh$4`[b$BABC
API String ID: 0-4050636601
Opcode ID: 07915ea8e0860ac93debe0bfe2d696e4b95b8868cfb2f195cab889d9f85329ed
Instruction ID: 2af8d7e1ac9ddaf7c1d21e945e6a3da7c4421d9f317dddeedc9e7344ed05c86f
Opcode Fuzzy Hash: 07915ea8e0860ac93debe0bfe2d696e4b95b8868cfb2f195cab889d9f85329ed
Instruction Fuzzy Hash: 57916CB460C3419BE300EF15E891B2EBBF1EB96345F24882DE4C5872A2D339D855CB1B

Function 00449F80 Relevance: 1.4, Strings: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0044A045

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: bab76df2439f2c0ad88a3ffd6047dd1be00b22571e0663e666dcf5f8c562557d
Instruction ID: 834f68c21dc40eb92eb561472ae9366ad0f7292fd5d51a72215fd1b469951c33
Opcode Fuzzy Hash: bab76df2439f2c0ad88a3ffd6047dd1be00b22571e0663e666dcf5f8c562557d
Instruction Fuzzy Hash: 2241D0B15083008BE710DF28D881A2BB7E5EF95358F19892EE5858B3A1D339D954CB9B

Function 00410B44 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66592b145cfd978462b2adeebbde31516c9a1d80fa7114da71b6cc55fb64d651
Instruction ID: 3eb4b54a6ec7a7504fc8197a163cdc8539cd14c2b64a604bba0d4341ef6cdd44
Opcode Fuzzy Hash: 66592b145cfd978462b2adeebbde31516c9a1d80fa7114da71b6cc55fb64d651
Instruction Fuzzy Hash: CBA1C3B590021ADFDB008FA5DC80BAFBB75FF4A305F050429E811EB691D774E890CBA8

Function 0040EFF8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1723540a1846d94c24543d21c7a1a3b585f13b44ca8238c146dc6d012f0b697c
Instruction ID: d1ed6343221dbdaf49cf3f71c90134c1507b14ae20b7e27ad8571ba4e2701cf6
Opcode Fuzzy Hash: 1723540a1846d94c24543d21c7a1a3b585f13b44ca8238c146dc6d012f0b697c
Instruction Fuzzy Hash: 50316FB4C013159BCB10DFA5D9456AFBBB0FB05300F54091DE4A1B7381C7349519CBEA

Function 00440400 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c997e9fcdb3e664df9980b05ce190663be61c9be508d6ba062dde421a33ffa
Instruction ID: 13b5cee33060aa4eab2da2a67c1164b99467e6cea3e9b7cd31d112db5ae21788
Opcode Fuzzy Hash: e1c997e9fcdb3e664df9980b05ce190663be61c9be508d6ba062dde421a33ffa
Instruction Fuzzy Hash: F2214F3250C3545BE7159E38548027F77D2ABC5324F2A853FEF9A4B381D63D4C51938A

Function 004126DB Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 286
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(D7A5C987,00000104), ref: 00412B10

Strings

FD76BE2C4B1B777BBDD6063A4A9627B5, xrefs: 004126DB
@-?+, xrefs: 004129AB
L!C/, xrefs: 004129A0
gutterydhowi.shop, xrefs: 00412AD2
yk_', xrefs: 00412787
K%Q#, xrefs: 00412995
zhez, xrefs: 0041275B
>)67, xrefs: 004129B6
mqg+, xrefs: 0041279D
"!,k, xrefs: 00412792
armz, xrefs: 00412771
GD, xrefs: 004126E8
inzB, xrefs: 004127E7, 004127F6

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: DirectorySystem
String ID: "!,k$>)67$@-?+$FD76BE2C4B1B777BBDD6063A4A9627B5$GD$K%Q#$L!C/$armz$gutterydhowi.shop$inzB$mqg+$yk_'$zhez
API String ID: 2188284642-3662502334
Opcode ID: 8125ab20e87f46db09dea38c5f0e28aeecb5d5c3220ec2ad2ecd7ee87dee3daf
Instruction ID: 51490b07aa94a7e1a485e77134198223a8736deb0038431e0c56064bc1b05983
Opcode Fuzzy Hash: 8125ab20e87f46db09dea38c5f0e28aeecb5d5c3220ec2ad2ecd7ee87dee3daf
Instruction Fuzzy Hash: 3CB18AB44083C18BD7B08F15C480BEBBBE5AF86748F14495ED8C89B252C7398589CB97

Function 0043FE15 Relevance: 12.3, APIs: 8, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantClear.OLEAUT32(?), ref: 0043FDEE
VariantClear.OLEAUT32(?), ref: 0043FDFF
SysFreeString.OLEAUT32(?), ref: 0043FE51
SysFreeString.OLEAUT32(?), ref: 0043FE5A
SysFreeString.OLEAUT32(?), ref: 0043FE74
VariantInit.OLEAUT32(?), ref: 0043FE97
SysStringLen.OLEAUT32(?), ref: 0043FF61
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440123

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: String$FreeVariant$Clear$InformationInitVolume
String ID:
API String ID: 1956327722-0
Opcode ID: 3c2a9c405ed0aa4b7aa6432edb9a8eb0149d605a80af309c53eb78664d2ba22e
Instruction ID: 4a0f29d693b739fa4b0e929523c40e4964dc27ac6c1497435228e08315b2fa50
Opcode Fuzzy Hash: 3c2a9c405ed0aa4b7aa6432edb9a8eb0149d605a80af309c53eb78664d2ba22e
Instruction Fuzzy Hash: D7A1CCB1A08300DFE714DF24D881B1ABBE1FF89346F14892EF985972A1D339D945CB5A

Function 0040D3A0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 142
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 0040D3B1
GetCurrentThreadId.KERNEL32 ref: 0040D3C6
GetCurrentProcessId.KERNEL32 ref: 0040D3CC
ExitProcess.KERNEL32 ref: 0040D580

Strings

=}K, xrefs: 0040D453, 0040D45B

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID: =}K
API String ID: 1029096631-809673801
Opcode ID: 80d9181c2281a1eaf41ff3bae2d2fc0d468e320a6679c103485be258cebbdd62
Instruction ID: 935df52b93a0a194b2b8bad5d549bbeeb632c0e0b9ae705284cf3b648634dfef
Opcode Fuzzy Hash: 80d9181c2281a1eaf41ff3bae2d2fc0d468e320a6679c103485be258cebbdd62
Instruction Fuzzy Hash: 4241387480C240ABD701BF99D544A1EFBE5AF56709F188C2DE5C4A7392D33AD818CB6B

Function 00445F16 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(37B83947,00000000,00000800), ref: 00445F92

Strings

4I2G, xrefs: 00445F3C
0EBC, xrefs: 00445F44

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID: 0EBC$4I2G
API String ID: 1029625771-3264664664
Opcode ID: 6b1583e07edebdc2078dc982c1d727ffde38e7c38aacb6c7d23c5cd6317d9e3c
Instruction ID: 2d40c61bae6aaca7a0720f5f4141c244ecd94e3e22f005b05162183df977b7e1
Opcode Fuzzy Hash: 6b1583e07edebdc2078dc982c1d727ffde38e7c38aacb6c7d23c5cd6317d9e3c
Instruction Fuzzy Hash: B8115A711083409FE700EF28D880A1EFBE5AB85345F658C2DE1D497352D734DA85CF5A

Function 004138C8 Relevance: 3.0, APIs: 2, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004138DA
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,Function_000138E0), ref: 004138F2

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 77e3c2ca095abd9bb4e487f12be5fc49362275886ea189103d1ef1ed3fc49959
Instruction ID: dca1209fd882ea2c30daa536e7d88e03d5b0ded06f02802dba2d32a9e6dbeb7f
Opcode Fuzzy Hash: 77e3c2ca095abd9bb4e487f12be5fc49362275886ea189103d1ef1ed3fc49959
Instruction Fuzzy Hash: C7E009393C9311BAF6B51BA5AC1BF182624A706F3AF340B64B3657C1E58AE076418A1D

Function 00443A92 Relevance: 1.6, APIs: 1, Instructions: 67
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000), ref: 00443B61

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d12f10f9088e31b3f17c1b5b652731d0fb891f306d3b66cd352df1875465ef47
Instruction ID: 6d54e647c1e834c63cfb70667c16857a09461c0db4ac310fa50ac98d6548fd70
Opcode Fuzzy Hash: d12f10f9088e31b3f17c1b5b652731d0fb891f306d3b66cd352df1875465ef47
Instruction Fuzzy Hash: D911E434609341ABE3019F18E951A1ABBF1EB86B46F118C6DF8C597222C739ED50DB1A

Function 00443A10 Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00443A73

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bf0355abf37be71dd5e09aaaa23c9608dec97cdaa7e72b3b779351900deba867
Instruction ID: fb346d09377f6e8d0a6c8ad2f8c8f350226b3b24a0c10248792d6ef97a9a97f6
Opcode Fuzzy Hash: bf0355abf37be71dd5e09aaaa23c9608dec97cdaa7e72b3b779351900deba867
Instruction Fuzzy Hash: 7BF0493050D2409BE301EF58E944A0EFBE4EF96B01F14882CF4C49B262C336D814CBAB

Function 00446A50 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(004126C9,?,00000001,?), ref: 00446A7E

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 004125E0 Relevance: 1.3, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 004125F1

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5e1ae7bd08a1ae2eb3936d7baa43b240c9e27f8eb36e85f0878ba259c4a8be1a
Instruction ID: c7857bf22242331c2f2b437fee4c59ca82a8ac02caa364dd229372247d18a1de
Opcode Fuzzy Hash: 5e1ae7bd08a1ae2eb3936d7baa43b240c9e27f8eb36e85f0878ba259c4a8be1a
Instruction Fuzzy Hash: 0AC080341152157BD30037395C1BF17355CD347761F400334BD62815D1F5206510C1FD

Non-executed Functions

Function 00412B9E Relevance: 35.3, APIs: 1, Strings: 22, Instructions: 808COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 00412EE8

Strings

eW*Q, xrefs: 004135A4
D, xrefs: 00413756
S'M!, xrefs: 00413544
|_oY, xrefs: 004135B7
4HBj, xrefs: 00413012
A/Y), xrefs: 00413554
"T8b, xrefs: 00412FFC
if*r, xrefs: 00413057, 00413066
gutterydhowi.shop, xrefs: 00413350
8G-A, xrefs: 00413584
[7N1, xrefs: 00413564
R, xrefs: 00412EFD
~8A, xrefs: 004133DE
4KjU, xrefs: 0041359C
FkJu, xrefs: 004135EE
pSo], xrefs: 004135AC
7C-M, xrefs: 0041358C
%\! , xrefs: 00412FE6
=O1I, xrefs: 00413594
_X.P, xrefs: 00412FDB
.[+e, xrefs: 004135C2
GD, xrefs: 00412F5A

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Uninitialize
String ID: "T8b$%\! $.[+e$4HBj$4KjU$7C-M$8G-A$=O1I$A/Y)$D$FkJu$GD$R$S'M!$[7N1$_X.P$eW*Q$gutterydhowi.shop$if*r$pSo]$|_oY$~8A
API String ID: 3861434553-603053953
Opcode ID: 765efd1d3bd601d9134aa48ef38f897ae4587008bea059e0f647b94d77fd41bb
Instruction ID: 168a13f1e19ae6d2b210e0d4310acf60bd90078fdb24f986eec146a25e6058f8
Opcode Fuzzy Hash: 765efd1d3bd601d9134aa48ef38f897ae4587008bea059e0f647b94d77fd41bb
Instruction Fuzzy Hash: D762BDB44083809BD3B09F21D8517DFBBE5AF86709F04482DE4C89B382DB799549CB5B

Function 004323D0 Relevance: 23.8, APIs: 4, Strings: 8, Instructions: 2766COMMON

Download Yara Rule

Strings

';/8, xrefs: 00434312
nLv:, xrefs: 004331EA
~PF3, xrefs: 00433BB5
xl&o, xrefs: 00433CBB
YZYQ, xrefs: 00432B58
>C, xrefs: 00433DF9
LR(, xrefs: 0043422E
GD, xrefs: 0043246B

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: >C$';/8$GD$LR($YZYQ$nLv:$xl&o$~PF3
API String ID: 0-680855572
Opcode ID: 927d39e6bcfe8858cb14c64dc3b2a8fe1ed79f6561c88eb8be888fa039bd2c3c
Instruction ID: 98c22d93839423100b65652acd379743d0cf5e5847e159820dcbbb44c6cfc041
Opcode Fuzzy Hash: 927d39e6bcfe8858cb14c64dc3b2a8fe1ed79f6561c88eb8be888fa039bd2c3c
Instruction Fuzzy Hash: 0E23AC70404B808BE7318F35C490BA3BBE1AF1B309F18199ED4EB8B692D779B545CB59

Function 004291A0 Relevance: 21.0, Strings: 16, Instructions: 1018COMMON

Download Yara Rule

Strings

/$, xrefs: 00429949
31, xrefs: 004298D0
{8}, xrefs: 00429B57
LO, xrefs: 00429FE4
8K>M, xrefs: 00429B83
xK"M, xrefs: 00429FD9
|}, xrefs: 00429717
4`[b, xrefs: 00429F80
&+, xrefs: 00429954
u}, xrefs: 004295E3
~?l!, xrefs: 004293D6
4`[b, xrefs: 0042A580
\_, xrefs: 00429BBA
*, xrefs: 0042995F
d7e9, xrefs: 004293C0
s3b5, xrefs: 004293B5

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: {8}$&+$*$/$$4`[b$4`[b$8K>M$LO$\_$d7e9$s3b5$u}$xK"M$|}$~?l!$31
API String ID: 0-1063741193
Opcode ID: 35ccbd6d3950b926157f95e5e9afc4958ccbf62df1d35d7dce8d4d5238d8438e
Instruction ID: 9289a6f14ecc30de8dc0db08bd352fb0a7a8a58d6584ed5cd1e3808d7fe9c27b
Opcode Fuzzy Hash: 35ccbd6d3950b926157f95e5e9afc4958ccbf62df1d35d7dce8d4d5238d8438e
Instruction Fuzzy Hash: 85A23CB4508381CBE330DF24E484B9BBBE1FB85304F50892DE5D99B251DB748985CB97

Function 0042C710 Relevance: 19.7, APIs: 1, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0042D0F0
=u({, xrefs: 0042CEAF
7#v, xrefs: 0042D39E
a9D7, xrefs: 0042D023, 0042D02B
<EBC, xrefs: 0042CFFD
1i2o, xrefs: 0042CE97
03, xrefs: 0042D223
Q1:O, xrefs: 0042CFE5
0e<k, xrefs: 0042CE8F
7q>w, xrefs: 0042CEA7

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 03$0e<k$1i2o$4`[b$7q>w$<EBC$=u({$Q1:O$a9D7$7#v
API String ID: 0-2126314546
Opcode ID: f8c9d21ab45b1c1ae02dbf6348da07ca90a87e78ccdbce9fe7f31849cfb05644
Instruction ID: e593442dbae6b15918b7f83f6931d4fd5ef55608cbdeddf4db8802701d18aa54
Opcode Fuzzy Hash: f8c9d21ab45b1c1ae02dbf6348da07ca90a87e78ccdbce9fe7f31849cfb05644
Instruction Fuzzy Hash: E1E1ECB5508340DBE310AF65E881A2FBBF4EF8A309F54092DF2C597262D379D850CB5A

Function 0040DCC0 Relevance: 16.5, Strings: 13, Instructions: 289COMMON

Download Yara Rule

Strings

@DN, xrefs: 0040DD1B
"LHC, xrefs: 0040DD39, 0040DD59, 0040DD50, 0040DEBD
*#1/, xrefs: 0040DDFB
XTJR, xrefs: 0040DE2B
"LHC, xrefs: 0040DDA4, 0040DDAD
9&!:, xrefs: 0040DDE3
kwm{, xrefs: 0040DE53
JS, xrefs: 0040DD26
&%9, xrefs: 0040DDEB
VPNj, xrefs: 0040DE43
K_I\, xrefs: 0040DE13
uwSR, xrefs: 0040DFF4
YWW\, xrefs: 0040DE0B

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "LHC$"LHC$&%9$*#1/$9&!:$JS$K_I\$VPNj$XTJR$YWW\$kwm{$uwSR$@DN
API String ID: 0-255386557
Opcode ID: 3cf692da58030e4c4643129ff8edaa309ceafd6f4efad0db9198382b9384e1fc
Instruction ID: f114aee845b60174f2e8f6839ff444147f7be65b901f554828115d267bae5542
Opcode Fuzzy Hash: 3cf692da58030e4c4643129ff8edaa309ceafd6f4efad0db9198382b9384e1fc
Instruction Fuzzy Hash: 94A146B45083909FD721CF1AC49062BFBE1AF96314F14896DE4E99B392C7398909CF97

Function 0041E6E6 Relevance: 16.3, Strings: 12, Instructions: 1329COMMON

Download Yara Rule

Strings

`abc, xrefs: 0041F04B
,/.), xrefs: 0041EE3B
<?>9, xrefs: 0041EE13
{, xrefs: 0041E7F5
<=>?, xrefs: 0041F073
8;:5, xrefs: 0041EE1D
(+*%, xrefs: 0041EE45
~d, xrefs: 0041E7E1
4761, xrefs: 0041EE27
IJKT, xrefs: 0041EE31
defg, xrefs: 0041F041
]^_X, xrefs: 0041EE4F

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: (+*%$,/.)$4761$8;:5$<=>?$<?>9$IJKT$]^_X$`abc$defg${$~d
API String ID: 0-940626759
Opcode ID: 95a779bf15a6493f29bc26897529c8a0f5cf015bc3b14fb702ec0d5dd567008e
Instruction ID: 26f8fe591303e8990c845311b2f9926569366999e9b42b6386bfbce9d91456fc
Opcode Fuzzy Hash: 95a779bf15a6493f29bc26897529c8a0f5cf015bc3b14fb702ec0d5dd567008e
Instruction Fuzzy Hash: BFB29BB4600B009FD760DF25C881BE7B7E2BF45304F54482EE5EA9B291DB39B885CB59

Function 00439240 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 111clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00439250
GetWindowLongW.USER32 ref: 0043927D
GetClipboardData.USER32 ref: 0043928F
CloseClipboard.USER32 ref: 004393AB

Strings

!, xrefs: 0043930F
W, xrefs: 00439323

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID: !$W
API String ID: 1647500905-3257520180
Opcode ID: 245d4eabe0e29d95f4eaf33a61b4d2af326822ff5d3756d0540b1f90bf903f25
Instruction ID: 7d191405d6d2be99e237cd964664e06e39f21a9ebe49f28891bcbad048578220
Opcode Fuzzy Hash: 245d4eabe0e29d95f4eaf33a61b4d2af326822ff5d3756d0540b1f90bf903f25
Instruction Fuzzy Hash: 0641607100C782CED310AF7D944476FBFE0AB9A324F145E6EE8E6862C1C2B88949D757

Function 00401000 Relevance: 11.8, Strings: 8, Instructions: 1830COMMON

Download Yara Rule

Strings

gfff, xrefs: 00401F00
gfff, xrefs: 00401F15
gfff, xrefs: 00401F76
0123456789abcdefxp, xrefs: 00401535, 004015A4
@, xrefs: 00402F65
gfff, xrefs: 00401FC4
-, xrefs: 00401EAE
0123456789ABCDEFXP, xrefs: 00401527, 00401597

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff$gfff
API String ID: 0-3817530714
Opcode ID: eecfadbc3dd44c1c1988cd8f427b5997e81374dbceba94025e70e87a165e6548
Instruction ID: 3e75273a225b4ee2b2d955962ea0ee81924f4cc219ea13a812ea84d2314c41a9
Opcode Fuzzy Hash: eecfadbc3dd44c1c1988cd8f427b5997e81374dbceba94025e70e87a165e6548
Instruction Fuzzy Hash: 84D2C1716083518FD714CE28C48466BBBE1AF89314F188A3EF895AB3D1D778DE45CB86

Function 0042B8B2 Relevance: 11.7, Strings: 9, Instructions: 401COMMON

Download Yara Rule

Strings

L!P#, xrefs: 0042BA34, 0042BA3D
!Y)[, xrefs: 0042B8C2
a%a', xrefs: 0042B8BA
7E9G, xrefs: 0042B8FA
9Q>S, xrefs: 0042B8D2
5M0O, xrefs: 0042B8EA
4`[b, xrefs: 0042BE30
(],_, xrefs: 0042B8CA
4`[b, xrefs: 0042BD60

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: !Y)[$(],_$4`[b$4`[b$5M0O$7E9G$9Q>S$L!P#$a%a'
API String ID: 0-2010590211
Opcode ID: 31519a682702341fdd90ad05b980f312f5d24af38d8702937bf2ebeff385def1
Instruction ID: f52b9d5d6d8c16d2b3e750f68139345165a3ccb28bff46d0fb3f13a6fbeda457
Opcode Fuzzy Hash: 31519a682702341fdd90ad05b980f312f5d24af38d8702937bf2ebeff385def1
Instruction Fuzzy Hash: 65E189B5508340EFE3249F15E881B6BB7F5FB86305F54892EE5C58B2A2D778D800CB5A

Function 00420C60 Relevance: 10.7, Strings: 8, Instructions: 701COMMON

Download Yara Rule

Strings

xy, xrefs: 00420ECB
su, xrefs: 0042136F
@L, xrefs: 00421215
wy, xrefs: 00421377
KX, xrefs: 00421205
(+, xrefs: 00420E43
`c, xrefs: 0042138F
OV, xrefs: 0042120D

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: (+$@L$KX$OV$`c$xy$su$wy
API String ID: 0-2844685729
Opcode ID: 39ecd642eeef917e0dccb719401dddac168993a8da47d35ffb6d33fbd903dd08
Instruction ID: 9fc506c3712f2512ae1bf9f47f50162f254d8f85ad1b1fd7028464c245a2f904
Opcode Fuzzy Hash: 39ecd642eeef917e0dccb719401dddac168993a8da47d35ffb6d33fbd903dd08
Instruction Fuzzy Hash: E52288B55083509BC310AF15E881A2FBBF1EFA5348F88891DF4C48B362D379D954CB9A

Function 0042D9B3 Relevance: 9.2, Strings: 7, Instructions: 422COMMON

Download Yara Rule

Strings

3<<3, xrefs: 0042D9F8
$TG2, xrefs: 0042D9E8
/T,^, xrefs: 0042D9D0
&PiD, xrefs: 0042D9E0
4`[b, xrefs: 0042DB40
wdML, xrefs: 0042D9F0
cK_+, xrefs: 0042D9D8

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $TG2$&PiD$/T,^$3<<3$4`[b$cK_+$wdML
API String ID: 0-649118298
Opcode ID: b066425d03e55441fa22898a86003422314e02ac83849ebafd1297b4b6f602a6
Instruction ID: 473a4b0849483d9361cbae160725e23d68a84184e453fd012e045444df189b53
Opcode Fuzzy Hash: b066425d03e55441fa22898a86003422314e02ac83849ebafd1297b4b6f602a6
Instruction Fuzzy Hash: C4D15C72A087518BC714CF29E85162FB7E2ABC9305F598A3DE996DB382DB34DC04C785

Function 004015FB Relevance: 7.9, Strings: 6, Instructions: 427COMMON

Download Yara Rule

Strings

gfff, xrefs: 00401D5F
0123456789abcdefxp, xrefs: 00401605
gfff, xrefs: 00401CF9
+, xrefs: 0040151B
gfff, xrefs: 00401D0E
0123456789ABCDEFXP, xrefs: 004015FB

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff
API String ID: 0-925659942
Opcode ID: 63b0c98ada276a7db8ca2de78e9f11cfab34110acfd8c1d97c294382a892ea81
Instruction ID: 1f20886c7fe622dd91454dc918cf5afdf2d28ca061c413c5dda02c56848c16f2
Opcode Fuzzy Hash: 63b0c98ada276a7db8ca2de78e9f11cfab34110acfd8c1d97c294382a892ea81
Instruction Fuzzy Hash: 1EF1B33160C3918FC718CE28C58466BBBE1AFC5304F088A7EE8D9A73D1D679DD458B86

Function 0040134C Relevance: 7.8, Strings: 6, Instructions: 349COMMON

Download Yara Rule

Strings

gfff, xrefs: 00401D5F
0123456789abcdefxp, xrefs: 00401356
-, xrefs: 00401CC4
gfff, xrefs: 00401CF9
gfff, xrefs: 00401D0E
0123456789ABCDEFXP, xrefs: 0040134C

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff
API String ID: 0-854689426
Opcode ID: de151a076f353158c2153ad0f6e7e27ffe6824baaffa39dc400b827ed9249482
Instruction ID: edee618adb98484859ce012df97bcd3699ce2ae956030f8cfee9ea2a131d6434
Opcode Fuzzy Hash: de151a076f353158c2153ad0f6e7e27ffe6824baaffa39dc400b827ed9249482
Instruction Fuzzy Hash: 1BD1BF3160C3918FC714CE29C58465BBBE1AFC9304F088A7EE8D9E7392D678DD458B96

Function 0040DA70 Relevance: 7.7, Strings: 6, Instructions: 202COMMON

Download Yara Rule

Strings

lpBB, xrefs: 0040DB33
}|@F, xrefs: 0040DBD3, 0040DBDB
", xrefs: 0040DB83
J, xrefs: 0040DA86
?=, xrefs: 0040DA7F
l, xrefs: 0040DBA3

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ?=$J$l$lpBB$}|@F$"
API String ID: 0-573265808
Opcode ID: 9ecf212705089a33629cd1bfaa517a960d4d0e74f46b5c1cc5c4f6b21975b4f2
Instruction ID: 8796181359eaa17eab589a78513dc83630c0ce1183e890f43ba2b7b8ba6cb367
Opcode Fuzzy Hash: 9ecf212705089a33629cd1bfaa517a960d4d0e74f46b5c1cc5c4f6b21975b4f2
Instruction Fuzzy Hash: 565138B450C3818ED301CF69D594A2BBFE2AF97745F08489DE4D16B391C37A8909CB6B

Function 00401295 Relevance: 7.2, Strings: 5, Instructions: 947COMMON

Download Yara Rule

Strings

0, xrefs: 00402201
0, xrefs: 00402530
0, xrefs: 004022D0
@, xrefs: 00403693
i, xrefs: 004029B4

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: 71f936c1c39428500c794c4ef3b822847572016946d7faa5528ebec6b5b1bd4e
Instruction ID: e41789e3dda43c5542db7e56a0a1afca13d639ff9df5f266a5d4e0b72afa8006
Opcode Fuzzy Hash: 71f936c1c39428500c794c4ef3b822847572016946d7faa5528ebec6b5b1bd4e
Instruction Fuzzy Hash: 7372C271A083519FC718CE28C68472BBBE1ABC9314F14896EE8D9A73D1D778DD05CB86

Function 004494C0 Relevance: 6.9, Strings: 5, Instructions: 610COMMON

Download Yara Rule

Strings

s, xrefs: 00449743, 0044974B
8IVW, xrefs: 004494F3, 004494FB
s, xrefs: 00449A53, 00449A5B
s, xrefs: 00449A1F
s, xrefs: 00449A7F

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 8IVW$s$s$s$s
API String ID: 0-3333437331
Opcode ID: a8948eb919361d90e2c06e974510396d3c065f88dab6c3eb0af4d983021925eb
Instruction ID: d2499f734e26951dc360e9979eebf6583f3e1446674375738af4417e3fd94e49
Opcode Fuzzy Hash: a8948eb919361d90e2c06e974510396d3c065f88dab6c3eb0af4d983021925eb
Instruction Fuzzy Hash: 6312DC71A08251CFD704CF68D8A0A6BBBF1FB8A319F09846EE4859B352C734DD50DB99

Function 0040E080 Relevance: 6.6, Strings: 5, Instructions: 344COMMON

Download Yara Rule

Strings

@X^3, xrefs: 0040E173, 0040E17B
FD76BE2C4B1B777BBDD6063A4A9627B5, xrefs: 0040E13C
p, xrefs: 0040E21C
XY, xrefs: 0040E4B7
l, xrefs: 0040E2D1

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: @X^3$FD76BE2C4B1B777BBDD6063A4A9627B5$XY$l$p
API String ID: 0-1386881881
Opcode ID: ff4b74dc10e88c56f0450d73b386830d6ee06fa04c14c121741a931507cb42b2
Instruction ID: d5cf47144278000f6806d471129db9ce31c0699c047b7c63ee8e0661a33a18ed
Opcode Fuzzy Hash: ff4b74dc10e88c56f0450d73b386830d6ee06fa04c14c121741a931507cb42b2
Instruction Fuzzy Hash: 27C102B050C3809BE311EF56D480A1FBBF8AB96708F144D2DE5D59B292C379D914CBA7

Function 0041FA83 Relevance: 5.7, Strings: 4, Instructions: 670COMMON

Download Yara Rule

Strings

wvu, xrefs: 0041FC9C
wu, xrefs: 0041FF85
4`[b, xrefs: 004203D0
os7, xrefs: 00420096

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$os7$wvu$wu
API String ID: 0-128268441
Opcode ID: 07fcbbe9929cdd2841344f93ad7c0cf553ea6fc670c46a7d78be97ee27edad95
Instruction ID: 4b19b2eace2cc04b8936860c4d0a847f2ef68b4be23fb5af22183a1ee2d1d7d7
Opcode Fuzzy Hash: 07fcbbe9929cdd2841344f93ad7c0cf553ea6fc670c46a7d78be97ee27edad95
Instruction Fuzzy Hash: 9142CAB0600B01DFC724CF25D492B96BBF1BF45304F148A2DE59A8BB52D739E896CB94

Function 004495A0 Relevance: 5.6, Strings: 4, Instructions: 601COMMON

Download Yara Rule

Strings

s, xrefs: 00449743, 0044974B
s, xrefs: 00449A53, 00449A5B
s, xrefs: 00449A1F
s, xrefs: 00449A7F

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: s$s$s$s
API String ID: 0-3523052760
Opcode ID: 973062cf9eaa28dca48778c5200a7d247711c22fe94321ba81afc45950472d5c
Instruction ID: 3f3999f25e9c5bb6a547de8da815c85414752641433e660e50136bcab0db9f8d
Opcode Fuzzy Hash: 973062cf9eaa28dca48778c5200a7d247711c22fe94321ba81afc45950472d5c
Instruction Fuzzy Hash: D412CD71A18250CFDB04CF28D8A166FBBF1EB8A315F49846EE8859B352C734DD40DB99

Function 004395AA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004395F8
GetSystemMetrics.USER32 ref: 00439607

Strings

, xrefs: 004396DB

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: cf7031a656b8c87d03b745ca0e6078ccd6f05a724346707f3d6125389d96333d
Instruction ID: 243e74cfbcb7baf8ff10c528f2d53d1dc501b7d5f8bd483659958941c92e1d20
Opcode Fuzzy Hash: cf7031a656b8c87d03b745ca0e6078ccd6f05a724346707f3d6125389d96333d
Instruction Fuzzy Hash: E15162B4E142048FDB40EFADD98169DBBF0BB48310F118569E898E7350D774A944CF96

Function 00408780 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

), xrefs: 004087FC
), xrefs: 00408806
IEND, xrefs: 00408BE0

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: e205e7a2d740ad0bb87cc1d324815abb38c3adde5f033f1931c432bae9eae45e
Instruction ID: 75489c7ae867341c364687a3339a38eeb7d17585f703578f116f22a4b4b1bb43
Opcode Fuzzy Hash: e205e7a2d740ad0bb87cc1d324815abb38c3adde5f033f1931c432bae9eae45e
Instruction Fuzzy Hash: 8AE1B2B1A087019FE310DF25D88171ABBE0BB94314F144A3EE998A73C1D779E915CBD6

Function 004498A0 Relevance: 4.1, Strings: 3, Instructions: 372COMMON

Download Yara Rule

Strings

s, xrefs: 00449A53, 00449A5B
s, xrefs: 00449A1F
s, xrefs: 00449A7F

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: s$s$s
API String ID: 0-1083010603
Opcode ID: f7fe5b9aa1ebdefc806501125f6ad1680ab37a97e176e1e015d31072d32d5d6f
Instruction ID: 7da4fba8ec512e6a20b5c60970798f8f5e5374048b60e24747ec988597cea826
Opcode Fuzzy Hash: f7fe5b9aa1ebdefc806501125f6ad1680ab37a97e176e1e015d31072d32d5d6f
Instruction Fuzzy Hash: 91C1E071A042A5CFDB04CF68D8A16AFBBF1FB8A315F498069E4959B352C734DD40CB98

Function 0042ED7D Relevance: 4.1, Strings: 3, Instructions: 323COMMON

Download Yara Rule

Strings

[[_L, xrefs: 0042EE09
* *), xrefs: 0042EE02
"("!, xrefs: 0042EDF4

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "("!$* *)$[[_L
API String ID: 0-1313357729
Opcode ID: b9225df54c807827178ac486d18e7a576a5ffcb40111060254a423ee9c154843
Instruction ID: 362139ed5ba404d3872c2bfc52b8e08708db99788d5252469b2e0dc11d56c441
Opcode Fuzzy Hash: b9225df54c807827178ac486d18e7a576a5ffcb40111060254a423ee9c154843
Instruction Fuzzy Hash: A8B106B1E00215CFCB14CFA5D8916AEBBB1EF0A304F58456EE855AB392D738AD01CB95

Function 00413DE2 Relevance: 3.0, Strings: 2, Instructions: 489COMMON

Download Yara Rule

Strings

A, xrefs: 004146F0
B, xrefs: 0041476E

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: B$A
API String ID: 0-3619539632
Opcode ID: 9c76a97e7d4da5e0f5edc430e71023b396e1818128f4884a07fca3213893baf1
Instruction ID: 5d5b54787eb2e6219503a7fb4deac47ac0c281a4e576d512fd7338e0e18c2803
Opcode Fuzzy Hash: 9c76a97e7d4da5e0f5edc430e71023b396e1818128f4884a07fca3213893baf1
Instruction Fuzzy Hash: D71227B14083409BD300DF18D985A5FFBF5AF8A748F54491EF5C897262E33AD984CB5A

Function 00403710 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

NaN, xrefs: 0040376E
Inf, xrefs: 00403767

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: d1e8de232098ce98696b4f72abf5cc548168827a54492e45fb772f81bf6f92ed
Instruction ID: 476db4706ad8f58b77e91ca53bc6bb25b8269daa7354853cb64fc5c37cd50a4a
Opcode Fuzzy Hash: d1e8de232098ce98696b4f72abf5cc548168827a54492e45fb772f81bf6f92ed
Instruction Fuzzy Hash: 42F1A572B083019BC704CF29C88165ABBE6EBC8750F158A3EF899E7390D774DD458B86

Function 004214F0 Relevance: 2.9, Strings: 2, Instructions: 373COMMON

Download Yara Rule

Strings

Jkji, xrefs: 00421893, 0042189B
$%, xrefs: 004215CA

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $%$Jkji
API String ID: 0-3739818489
Opcode ID: 541095edb205ab3ec1428b336c974d1a03a08d4c572d67d76ad7a47b8a051bbb
Instruction ID: fe5df750f6dce56a68d381e4f87ea425800db3f6d766eda5e93d72df082e5462
Opcode Fuzzy Hash: 541095edb205ab3ec1428b336c974d1a03a08d4c572d67d76ad7a47b8a051bbb
Instruction Fuzzy Hash: 0DA1BF745083119BC710EF18D891B6BB7F1EFA5394F98890DE8C58B3A1E339D944CB9A

Function 00409B67 Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

8, xrefs: 00409C73
0, xrefs: 00409C7B

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 8a3073a85017b25d4eacbace4d2dd3963c415d0626a4c3ba28c74df4c92395a7
Instruction ID: 2abc89fec703ce214c345034e74b3c6e1ac8a5ed0fc613b796602d3d26278aba
Opcode Fuzzy Hash: 8a3073a85017b25d4eacbace4d2dd3963c415d0626a4c3ba28c74df4c92395a7
Instruction Fuzzy Hash: 53911335609380DFC714CF28D444B8BBBE1AF9A350F45886DE888973A2C775D959CFA2

Function 0041260C Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0041269B
4`[b, xrefs: 0041260B

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: 4`[b$4`[b
API String ID: 2994545307-3640500014
Opcode ID: 939723bb97dca4cbaac459931abc940ec207de3c625d5056ec77b17c2418a182
Instruction ID: 4f6b0cce6d85ceeb9d867041b59a6c3a524408c6c70871184a36e1e39ef9be3c
Opcode Fuzzy Hash: 939723bb97dca4cbaac459931abc940ec207de3c625d5056ec77b17c2418a182
Instruction Fuzzy Hash: 652136314183409BD324FF14CA60ABEB3E1FF55309F54882EE0C897292DB34E9A1CB4A

Function 00444900 Relevance: 1.8, Strings: 1, Instructions: 565COMMON

Download Yara Rule

Strings

f, xrefs: 00444AC8

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 04f981f5a9b67f449d26c8e1f25987ec09231783d65f0db023783ba146a1673e
Instruction ID: 72f3f7b4b24e9e63d226881b4f14ff91ec2e8f51f82c52f9c4d085f077eb9829
Opcode Fuzzy Hash: 04f981f5a9b67f449d26c8e1f25987ec09231783d65f0db023783ba146a1673e
Instruction Fuzzy Hash: E8229C715083409FE715CF18D890B2BBBE5BBC9314F188A2EF49597391D739E904CB9A

Function 00405380 Relevance: 1.8, Strings: 1, Instructions: 553COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 0040562F

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: 11e72acd1a081ba64869f79cfbf906270d23ef5b807026980191e14521c75790
Instruction ID: adeb3299133604f7f3edd988431c43479dd124ff4901b3ff26fc007e2880375d
Opcode Fuzzy Hash: 11e72acd1a081ba64869f79cfbf906270d23ef5b807026980191e14521c75790
Instruction Fuzzy Hash: 6912B3B1608B41CBE7158E598480327BBE2EFA1314F19857ED8896B3D1E779DC09CF4A

Function 00426B70 Relevance: 1.8, APIs: 1, Instructions: 292comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044DB80,00000000,00000001,0044DB70), ref: 00426B99

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: f2ab5d2167fad3272f3f3889c0693acf97b2973b3141699d225513df077c0ee8
Instruction ID: 3d1ba28d9b4c96bf160605c19f5fd5d7db7cf9fa6b530f7c5b3552df7489f07c
Opcode Fuzzy Hash: f2ab5d2167fad3272f3f3889c0693acf97b2973b3141699d225513df077c0ee8
Instruction Fuzzy Hash: A2710FB1B002159BDB20AF24DC92B7773A5EF85354F49452DF98ACB390E779E804C729

Function 004489D0 Relevance: 1.7, Strings: 1, Instructions: 402COMMON

Download Yara Rule

Strings

P, xrefs: 00448B77

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: c31b4e1f53d1c770e22bc9529131542f949b60ea961295dda6eac34d010be904
Instruction ID: 40fe23d0a74e16451ed76fc05543fd94185673bb7744c4985dcdb01b3c7fbd45
Opcode Fuzzy Hash: c31b4e1f53d1c770e22bc9529131542f949b60ea961295dda6eac34d010be904
Instruction Fuzzy Hash: 4FD107729082704FE725CE18D89072FB6E1EB85718F15863DE8A6AB381CB79DC06C7D5

Function 00447488 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

bxD, xrefs: 00447812

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: bxD
API String ID: 0-574992427
Opcode ID: 07b59c510a11e0c2ea2ab99d69d63400edf3d181ce6f7a8ee5b820fd07ae45b7
Instruction ID: 358600aac9798af01eccf85f3abfb009553acfa6acac8ad3aa4a62938a933ad1
Opcode Fuzzy Hash: 07b59c510a11e0c2ea2ab99d69d63400edf3d181ce6f7a8ee5b820fd07ae45b7
Instruction Fuzzy Hash: FAE13536A04251CFCB14CF68E8901AEB7B2BF89316B19427DD851AB392D335ED41CB94

Function 004157D7 Relevance: 1.6, Strings: 1, Instructions: 393COMMON

Download Yara Rule

Strings

j, xrefs: 00415B71

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: j
API String ID: 0-2137352139
Opcode ID: 2b4f7046e93cf4d16b0be0b08c64d040bdc5259ee3ae8f8f7441aab51e7ce772
Instruction ID: ce8ef48c7fd4ae9bfe0d26af9dfe1163e029deb6e788d3b12b2adf43fa04188c
Opcode Fuzzy Hash: 2b4f7046e93cf4d16b0be0b08c64d040bdc5259ee3ae8f8f7441aab51e7ce772
Instruction Fuzzy Hash: 0DD1ACB5508300DFD704DF28E890A9FBBF5AFC6345F04482DE98593292E739E994CB5A

Function 0040CE30 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

-, xrefs: 0040CF55

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: f473a29dcd3862d8d9934da59af0952f356f8e4c99db5708be78d68db9c0c2c6
Instruction ID: bb9a080d74681e008f69220e176364fe582ae8decdff2ef83218dc3371c22b40
Opcode Fuzzy Hash: f473a29dcd3862d8d9934da59af0952f356f8e4c99db5708be78d68db9c0c2c6
Instruction Fuzzy Hash: 82D12871A083454BC7188E69D8D026BBBE2ABC1324F18C73EE4A5573D5D63C9D0A8B86

Function 00430FB0 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

", xrefs: 00431298

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 20fbdcfd2d6fe1da5449b24ddca540347235c37c1820cb549701539391c6e93f
Instruction ID: 8e74f7eb9a15b0747f2dde9d746f62c1f3ac8f4e3d52df096a1909e8abaaaabd
Opcode Fuzzy Hash: 20fbdcfd2d6fe1da5449b24ddca540347235c37c1820cb549701539391c6e93f
Instruction Fuzzy Hash: 4BC14AB1A083009BD714CF25C49076BB7E96F8C354F189A6FE89987391D738DC45C796

Function 00448120 Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00448330

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: 4`[b
API String ID: 2994545307-3962175265
Opcode ID: 3aae18162f02f82d7d8ae9db18bab57009b98cbdee6eedac22f7b549da0b5ef7
Instruction ID: 5619542fca46ceebb120d05eff81b2419b7453a344e5f3301f2d3bbe8b878cb4
Opcode Fuzzy Hash: 3aae18162f02f82d7d8ae9db18bab57009b98cbdee6eedac22f7b549da0b5ef7
Instruction Fuzzy Hash: A291CF71608301ABF720DF14D851BAFB7E1EB85354F54482EF98593351EB38E941CB9A

Function 0042BEE7 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

P, xrefs: 0042C24B

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 0db38416f44e2d58d8164efc444be3fa4153d3513bd40590893fd85113ee0c84
Instruction ID: 5fec4ac7fd5575b6afc17b4a021526abc57a519ad98260d92a698f36b2913999
Opcode Fuzzy Hash: 0db38416f44e2d58d8164efc444be3fa4153d3513bd40590893fd85113ee0c84
Instruction Fuzzy Hash: 1EA12572A083608FD7049B54E8D076FB7E1EB95354F4A896EE8955B382D778CC00CBDA

Function 004141F6 Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

ey, xrefs: 0041494B

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ey
API String ID: 0-1888109701
Opcode ID: 7e9852d8dc85b29c0d88cdf4de9643a9d745947ae87d2c8adc38e9fd2febf548
Instruction ID: 05809ba15e4878c02b50c9794c91002d93c451507bda6c48f598afdd973b3d88
Opcode Fuzzy Hash: 7e9852d8dc85b29c0d88cdf4de9643a9d745947ae87d2c8adc38e9fd2febf548
Instruction Fuzzy Hash: 1C91E1B59083408BD714EF28D8816AFB7F5AFC6354F15092EF58593391E739E884CB8A

Function 0040AA30 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 0040AB66

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: d841433db4824595e50970b7f088a35fd000f808e9afe825daa6f1bb2d1d0e1e
Instruction ID: 4a6c79562faa4bfe21f0375b7dd8f7cecd802cd0d7544ae326046e64f3108c82
Opcode Fuzzy Hash: d841433db4824595e50970b7f088a35fd000f808e9afe825daa6f1bb2d1d0e1e
Instruction Fuzzy Hash: 8EB137712083819FD321CF18C98461BFBE1AFA9704F484E2EE5D997782D635E918CB67

Function 00431420 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0043161E

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 54cd2345e50a870b8ba49db6937c3f53262b0eed8f59967641118c5b905f069e
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: C4710632A083555BD714CE6CC98031FB7E2ABCD750F29E52EE4948B3B1D239DC458B8A

Function 00447F30 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

4`[b, xrefs: 004480E0

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 7dd8ec179231ae766dbf70c09c56039bea14c78df0fb98d07ce2c6d284402de7
Instruction ID: d20fcbfbfce42fdba56c3a4fd57172c05cc51854bc353b3a3ca6c9cdee8b8537
Opcode Fuzzy Hash: 7dd8ec179231ae766dbf70c09c56039bea14c78df0fb98d07ce2c6d284402de7
Instruction Fuzzy Hash: D75119316082009BE714AF08DC91B3FB7E2EF89715F198A2DE9D557392C735EC05875A

Function 00413900 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0041269B

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 4a181a8ba54938dcfab96794cd2149ee60142d32294774a7ee142e45cdaf63d5
Instruction ID: 0139efa594f4316d2f8440da14a72f89608ede9921ed4265ebae546127ab026d
Opcode Fuzzy Hash: 4a181a8ba54938dcfab96794cd2149ee60142d32294774a7ee142e45cdaf63d5
Instruction Fuzzy Hash: 7251DD71518340ABD310EF28D950AAFBBF5EF86305F04882EE0C8872A2D739D950CB5B

Function 0044A690 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

@, xrefs: 0044A6E0

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 120832cc7c3a1be6d040a5668914e6d817bbfed381a23af2459afbc162f1e0ac
Instruction ID: bfaeeba4143c870eacf42a814fa3d072e24a1d7a643ad0f5201eaf4d4f881df3
Opcode Fuzzy Hash: 120832cc7c3a1be6d040a5668914e6d817bbfed381a23af2459afbc162f1e0ac
Instruction Fuzzy Hash: 983167745093009BE320EF15D880A2FBBF9FF9A354F14892EE5C897251D339D9148BAB

Function 0042FC31 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

^P]R, xrefs: 0042FC8A

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ^P]R
API String ID: 0-3965360892
Opcode ID: 9d075cd7299fd284542800039ee064922cf0b660c15d1cf799e478cf0043bdd9
Instruction ID: 066c69ec9a076aa51131574ad83e4e9dc79708ccc840554c44c4580e255030d4
Opcode Fuzzy Hash: 9d075cd7299fd284542800039ee064922cf0b660c15d1cf799e478cf0043bdd9
Instruction Fuzzy Hash: A921C130A0456A8BCB01CB55D64027EFBB1FF06B01FA4416AD851B7361C3659A15CBEA

Function 0042E20E Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0042E3A0

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 857042449200f6e5b7d73b0cf206499d2cd691856c0187151f03ee20648b6334
Instruction ID: 5578fa6f53a0fba689a98ee3438f10c1d2a3dff36d3e4deb1e54bcd21b96c756
Opcode Fuzzy Hash: 857042449200f6e5b7d73b0cf206499d2cd691856c0187151f03ee20648b6334
Instruction Fuzzy Hash: 25115C71608310CBD700DF15E59092EB7F1EB8A316F98492DE885A7362D335E851CB9B

Function 004133E4 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 004133F0

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: b104160ec4795bc23314458df163dce613dbfd880cae4e54145e8062d120f426
Instruction ID: a72cf39690bb13046203349737830b2225212a2f856d7e5ea8ff4a72156b73b8
Opcode Fuzzy Hash: b104160ec4795bc23314458df163dce613dbfd880cae4e54145e8062d120f426
Instruction Fuzzy Hash: CEC08CF88082059FE2019F30BC05036B2B5EF4B326F102438E116620A2E624C1408A0E

Function 0040C070 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840c5a426c82c9e323bb36cdb3d811705a4642a17664625e4635be9f26f71492
Instruction ID: b96f5ee633f27ea76f25ecd010f311b106511cb211d7715f2fadb82b0e8afc1a
Opcode Fuzzy Hash: 840c5a426c82c9e323bb36cdb3d811705a4642a17664625e4635be9f26f71492
Instruction Fuzzy Hash: 5D42AF31608711CBC7259F68D8C027BB3E1FFD4315F258A3ED986A72D1E738A8558B4A

Function 00427A60 Relevance: .7, Instructions: 679COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419747066c544f70e61b34a66988fe856ef02ac95acc54e6233fb588b9e14bdc
Instruction ID: 35a168483c9fd6ef8ad1e833464ca6254c683a1f11ce28cc503733bdcae05e69
Opcode Fuzzy Hash: 419747066c544f70e61b34a66988fe856ef02ac95acc54e6233fb588b9e14bdc
Instruction Fuzzy Hash: AB32DE71A0422ACFDB14CFA8EC917AEB7B1FF49301F5944A9D842AB391EB349D41CB54

Function 004073B0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e9142ee963eedb3cb87bd59ac15990ce2036751ceac0fa6bae3c3cd7608335
Instruction ID: 242288483fb92eed8e19647918d2604b4ed395ed4d2a1a43c1e9a2b5178add23
Opcode Fuzzy Hash: 38e9142ee963eedb3cb87bd59ac15990ce2036751ceac0fa6bae3c3cd7608335
Instruction Fuzzy Hash: F752D37190C3458FCB15CF28C0906AABBE1FF84314F19897EE89967381D779E945CB86

Function 0040B560 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c19b03a2091c8dfe2ce9829f1adda57ee881fffd5cff4dbdc9a49027d63952b
Instruction ID: f6f74706e16185de70c7d534e819a7dfd5bfff91346db5c64032a7770115b388
Opcode Fuzzy Hash: 1c19b03a2091c8dfe2ce9829f1adda57ee881fffd5cff4dbdc9a49027d63952b
Instruction Fuzzy Hash: 1C5291B09087848FE7358B24C4847A7BBE1EB91314F14897EC5EA56BC2C37DA885C79D

Function 00407DE0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c295b2590bbb7acddb490a21cdc07f558af6040c7a6d79778f9a1c511bd7fce3
Instruction ID: 2be2f2ca93193b72bb8e7c09f2ef30bf8983c4816fa1a1512ae2ba415bdc12f9
Opcode Fuzzy Hash: c295b2590bbb7acddb490a21cdc07f558af6040c7a6d79778f9a1c511bd7fce3
Instruction Fuzzy Hash: 46321370915B118FC328CF29C69052ABBF1BF95710B604A2ED6D797F90DB3AB845CB18

Function 0040A570 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76cc7ed6bf1a06a8c2460984e45ad9cc7ebb420d2f64c0f94dc0daaf150e643
Instruction ID: 05990068f371ba427fd5fbfeb6ad98241dd9a47c1c85df8b296430c9c318c770
Opcode Fuzzy Hash: c76cc7ed6bf1a06a8c2460984e45ad9cc7ebb420d2f64c0f94dc0daaf150e643
Instruction Fuzzy Hash: F6E17A71208341CFC720DF29C880A2BBBE1EF99304F448D2EE4D597791E279E959CB96

Function 0042C2E0 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e9ab8e5dc88f378edeba0ee9d6be6e4974b883c13f82f78a7735cd915a0215c3
Instruction ID: 35371bf08e94771a708c631b9a2d0ad5f468b099d1ba6952b95789a40331d7e3
Opcode Fuzzy Hash: e9ab8e5dc88f378edeba0ee9d6be6e4974b883c13f82f78a7735cd915a0215c3
Instruction Fuzzy Hash: 44B122706083208BD704EF14E891A3FB7E2AF95354F58492EE5C59B391E739E904CB9A

Function 00415292 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff73ed4ccb2d8b75a5fbd66c47155857b4d772e54f1ccdb64e5ba2683b95cde
Instruction ID: 3fb942c185704de5352426567620ff353ae9b97f3d325925a1e315cb59503a94
Opcode Fuzzy Hash: 8ff73ed4ccb2d8b75a5fbd66c47155857b4d772e54f1ccdb64e5ba2683b95cde
Instruction Fuzzy Hash: A0C12772908711CBC710EF24D8816AAB3F1EFD5315F190A3EE49697391E739E990C78A

Function 004484C0 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a06e9fa42834ca1afcf3569f5ddf978c2d64a04556f611aee67cc580008820
Instruction ID: 2416fefb3e9b9cb34b2b856c9335412716b2196aeb3aeb23090fd9beb24f04d1
Opcode Fuzzy Hash: b0a06e9fa42834ca1afcf3569f5ddf978c2d64a04556f611aee67cc580008820
Instruction Fuzzy Hash: 6CB10772A083408BE714EB29DC5176FB7E6EBC4318F19492EE855D7381EE38DC05879A

Function 0040B0D0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1afc0040044c7943f8e1395da7f53c23f974b2d13de7f5d98ad76f0f359def
Instruction ID: 8d9ca2ffe76e72a2b54b9a9b8e37089ac2131f16a8cd3509a04f539d09016570
Opcode Fuzzy Hash: cc1afc0040044c7943f8e1395da7f53c23f974b2d13de7f5d98ad76f0f359def
Instruction Fuzzy Hash: 00C15AB29487418FC320CF28DC86BABB7E1EF85318F08492DD1D9D6342E778A155CB4A

Function 0042D624 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252e0bd6ebec960a858a45917fb82bdc24872b86bb6e78af503e6fea5f191215
Instruction ID: e1b093123abe9eb8222f9763e6f590ea1885cf7e5012aaf1a6147ad4d7c46cab
Opcode Fuzzy Hash: 252e0bd6ebec960a858a45917fb82bdc24872b86bb6e78af503e6fea5f191215
Instruction Fuzzy Hash: 36A10535A08391CFD7148F28EC9035A7BA2BF8A311F5486BEE8D5472D2D3B5D944CB49

Function 004490AC Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea8d390c7b41216719eb0333768c114fd13bea102474db68c5ceecc49002a2f
Instruction ID: 5bfeccab38c2dcc030ed5a7d05018b35967d944f0813ffece84492e614b684aa
Opcode Fuzzy Hash: 7ea8d390c7b41216719eb0333768c114fd13bea102474db68c5ceecc49002a2f
Instruction Fuzzy Hash: AFA1BA39518341CFE700EF68E99062EB7F1FB8A31AF594869E4849B352C334ED90DB56

Function 00438D30 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fb95dd656fb38aeeb52b3dd99613b203069e56c85675cfa99e06a7418c992e
Instruction ID: 4649a52745d8d8f680cdb4e27cdf668cf3ed428e9c0f72870405661025311a3a
Opcode Fuzzy Hash: 83fb95dd656fb38aeeb52b3dd99613b203069e56c85675cfa99e06a7418c992e
Instruction Fuzzy Hash: 41913737A55A504BC3189A7C4C422AAE6535BDA330F3DD37BE9B1CB3E4C93C48024355

Function 00449190 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715100641acd9171efbc00f7f5dc10c0be7c9ccd6372fd04fe8c61cecda20fba
Instruction ID: f02379e3a699c48a09144c13ec288378891d51d63c9671e0f66b0e71dcabc5e3
Opcode Fuzzy Hash: 715100641acd9171efbc00f7f5dc10c0be7c9ccd6372fd04fe8c61cecda20fba
Instruction Fuzzy Hash: A9817739918241DFE700AF68E990A2EB7F1FB8A70AF15486DE48897352C334EC50DB56

Function 0044AA70 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b187bbdc6c3409bc74f663cf3c7ff3c46978f57e3e5202a44cd0e7d74b56a412
Instruction ID: ff6ca0ca4909975500a6dae02685c912de05ce8678b11bb6960356053cb0f06c
Opcode Fuzzy Hash: b187bbdc6c3409bc74f663cf3c7ff3c46978f57e3e5202a44cd0e7d74b56a412
Instruction Fuzzy Hash: C181DF746487018BE724DF28D890A2BB3E1FF89744F05892DE986DB351E735EC60CB5A

Function 004274C0 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9763364f72f725057ddd76937ad7471b6b15be55d6253a7c8842d90d3d913e02
Instruction ID: 3b0c9b45c32abf6a0e285a9905b6d6781bdf3b07d6169927e54336dadcaacaa6
Opcode Fuzzy Hash: 9763364f72f725057ddd76937ad7471b6b15be55d6253a7c8842d90d3d913e02
Instruction Fuzzy Hash: F151E1B16046108BCB249F28ECA2677B3F4FF95364B48462DE886CB795F738E944C365

Function 00445310 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 622dfe3c7bad702f8822d4cc6ae02a959df1c472f5e505591eedf8d004bf0acf
Instruction ID: 20b578fb44782e9cbb27c20720df7153ea39f202ba52ceca0415251cbc83a1a6
Opcode Fuzzy Hash: 622dfe3c7bad702f8822d4cc6ae02a959df1c472f5e505591eedf8d004bf0acf
Instruction Fuzzy Hash: 6261F231608701AFEB11DF14C880B2BBBE2AF85305F18892EF4D58B352D779E841CB5A

Function 00428202 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204fa4690f12add3ab1589564599d39bc9596e449c20781f0f87061e71bb567e
Instruction ID: a88e89246c37e7f37e899fead5ab7a793ecc08258b217f519a746bd5aed74f86
Opcode Fuzzy Hash: 204fa4690f12add3ab1589564599d39bc9596e449c20781f0f87061e71bb567e
Instruction Fuzzy Hash: 9161B271A01216CBEB08CF68EC617BEB3B2FB48311F5984B9D902A72A1DB35DC51CB54

Function 0042EB0B Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8fc74abb6948433ac310de4d6c7f31935f63fc015297f42b1b36e2244364467
Instruction ID: bf28f41bc9116cf03e6429a6917dc4021cff71addabcc6d6e473c50653d6c410
Opcode Fuzzy Hash: c8fc74abb6948433ac310de4d6c7f31935f63fc015297f42b1b36e2244364467
Instruction Fuzzy Hash: D5519C79E00315CBCB20CF99E8817AEB7F1FF45304F54859AE848AB351E739AA41CB55

Function 0040FFA7 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7637c0e4648c2ad0c57ddb4e578dfe89efe5035792d3a4d588bb0f0f2710d50d
Instruction ID: fd5a4f873d1add55ca47da51ba38548d2c400ac62a933c7d49b65120dd7c20f6
Opcode Fuzzy Hash: 7637c0e4648c2ad0c57ddb4e578dfe89efe5035792d3a4d588bb0f0f2710d50d
Instruction Fuzzy Hash: 70514579200701DFE3208F25E880B16BBF5FF8A302F148979E89687A61D774E854CB68

Function 0043ED90 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a63adcc01f51a8e0689099253f509df49ee44bfeab751bffd44707f859587d6
Instruction ID: 1edb4407df6ead3698bc17e2a90f01d61fecde54092aad1d3c134665efd44e0b
Opcode Fuzzy Hash: 8a63adcc01f51a8e0689099253f509df49ee44bfeab751bffd44707f859587d6
Instruction Fuzzy Hash: D3515BB15097548FE314DF29D49475BBBE1BB88318F044E2EE5E987390E379DA088F86

Function 00449B30 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b798695b6a62333c45494d7cbc03703c5cdd50205fef1ab28ad5f6a78f19c1cf
Instruction ID: 395d1cb9a54da71ae4b5b1ee37ebdc4b5a6fc09e777ab4ba5d3341e98cdef2a4
Opcode Fuzzy Hash: b798695b6a62333c45494d7cbc03703c5cdd50205fef1ab28ad5f6a78f19c1cf
Instruction Fuzzy Hash: 4D51C07111C290CBD7049F25E4A466BBBF1EB8A34AF89886EE4C54B352C739CC50DB59

Function 00439040 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9131b43dda350215948ae43ca985155a40e29f3f1b0155248c16b539be7898a
Instruction ID: a76c8e47bf329525fb2518fc10c67dc932cd72ac36833043db8261ccc8c054b5
Opcode Fuzzy Hash: d9131b43dda350215948ae43ca985155a40e29f3f1b0155248c16b539be7898a
Instruction Fuzzy Hash: 15510337A0A9C14BD7145E3C4C552AAAB531BEB334F3E93A7D8B54B3D1C5AA8C034356

Function 00443FC0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd65f1c84199182c4cae32c76aa12f8cffe395e64ccf35c191b1c908571f5d9d
Instruction ID: b7ff14bf57eaf1cdd4a48445fb9ba01728ca6d84d7f14bf17e4631ee976be22c
Opcode Fuzzy Hash: fd65f1c84199182c4cae32c76aa12f8cffe395e64ccf35c191b1c908571f5d9d
Instruction Fuzzy Hash: A25191716083419BE704DF18D894B2FBBE6EBD5345F24882DF58587362D339D850CB5A

Function 0042EBA0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702e8d1eb97fceedbe012dcd1d1545ac27dd2994e95fbe9ad8de983222512fcc
Instruction ID: 6a134ced9e0f225d7b1ff73da5ec1c93455ea431e7a810e534fb8e908a2e6633
Opcode Fuzzy Hash: 702e8d1eb97fceedbe012dcd1d1545ac27dd2994e95fbe9ad8de983222512fcc
Instruction Fuzzy Hash: EC51BE78E00215CFCB20CF95E8816AEB7F0FF06305F54446AE944AB391E739AA11CB59

Function 004441D0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571cdf5b34d628592fba676671ed0bbffc5cda39c021cafb35b5c8dbef28f427
Instruction ID: 48d24bf4e20630f7a0ad0d0f0d9b8a4c85e3c55ea68d9ad34fa3a68914599aec
Opcode Fuzzy Hash: 571cdf5b34d628592fba676671ed0bbffc5cda39c021cafb35b5c8dbef28f427
Instruction Fuzzy Hash: BA51AC306082009BE724DF54E990B2BBBE5EFD6744F14882EE8C997352D379DC10CB6A

Function 00405C00 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84a9ee1bb3191b8419405aa882d227fe8add42e094a4094557e67bd87944ce4
Instruction ID: 2b34357cc050dae697aab8c20bcef27ff360831558baf573e1e8819353029123
Opcode Fuzzy Hash: f84a9ee1bb3191b8419405aa882d227fe8add42e094a4094557e67bd87944ce4
Instruction Fuzzy Hash: 5051D474A047019FC714EF18C884927B7A1FF85324F19867EE895AB392D635EC42CF9A

Function 0040E540 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e8bf1a8dfbf309aa2704a187875364e6825f426002c674addfbae97ff983cb
Instruction ID: 946e22686713ffb89c80568d0bd861725a648e0653ca7876b05aa5e9ee937bfb
Opcode Fuzzy Hash: f0e8bf1a8dfbf309aa2704a187875364e6825f426002c674addfbae97ff983cb
Instruction Fuzzy Hash: A9413927A095A14BC7115E7E2C602796A160BB3334B7E8F77ECF5673D1C12A4C32939A

Function 0044A3A0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac97bc53b866c013a7b20be15e30629af75e8c628710c8566ba6b4e911e00fe
Instruction ID: 73d2cb79d1cf73827fef7d24ee42fe707334323465c2c15eab7b30a8f535ddce
Opcode Fuzzy Hash: 2ac97bc53b866c013a7b20be15e30629af75e8c628710c8566ba6b4e911e00fe
Instruction Fuzzy Hash: 4741D134248300ABF714AF15D995F2FB7A5EB85714F24882EF58997291C379EC20CB5B

Function 0044A520 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfdd4316b468c05074cee88a30fc60780713ef8fe063a93deccb68505f7fda65
Instruction ID: 4e5c7ada005c608a1b72f2e48c3a477abb1f3d7ef40308193452ec5189d588fe
Opcode Fuzzy Hash: cfdd4316b468c05074cee88a30fc60780713ef8fe063a93deccb68505f7fda65
Instruction Fuzzy Hash: 8641A038248300ABE710AF15D991F2FB7E6EB85714F29882DF5C997251D339EC208B5B

Function 004232D0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9d2257b554649ee41b9b09c91c77b127f6c0b772bb120f197f5eb07b1c55f8
Instruction ID: 4ad717ff276a7d2dd95f75abdca51d7c68ed5f16040c821817346e123de3731c
Opcode Fuzzy Hash: ed9d2257b554649ee41b9b09c91c77b127f6c0b772bb120f197f5eb07b1c55f8
Instruction Fuzzy Hash: A031D675608304EFD300EF55E881B1BB7F8EB85355F40492AF99483291D739EA058B6B

Function 004117B0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c1cacea7c292397c36a41f47572ec33d5cdbddb8ff198c048a63802585a0d1
Instruction ID: a28ea87b4cdf23c49cdf0a34350879734f6f043490e1e18d2308fcd0ed39d755
Opcode Fuzzy Hash: 21c1cacea7c292397c36a41f47572ec33d5cdbddb8ff198c048a63802585a0d1
Instruction Fuzzy Hash: 9D412472B1C3A10FD318DE3A889016ABBD2ABC2210F19C73EF1E587394E678C946D755

Function 00443D90 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d72f01362018ad371eefd8a524d9e36182b7538809fee267f20dad26a43ed1a
Instruction ID: eeb947225e77f8508b0646d19ff5d7abf6a8b6d8e15c9fea3c96c9e6945ae047
Opcode Fuzzy Hash: 4d72f01362018ad371eefd8a524d9e36182b7538809fee267f20dad26a43ed1a
Instruction Fuzzy Hash: 20313970509340ABE301DF15D584B1FBBE2EF85B19F24C86DE0888B251D37ADE09DB9A

Function 0043F510 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381fc0e58d431632e31046f02403169205f446621c394491b165389b8b7ba854
Instruction ID: 3bce176757ef80e491d547bd4d322477483af3c25bf236976f99a59fbd47cce6
Opcode Fuzzy Hash: 381fc0e58d431632e31046f02403169205f446621c394491b165389b8b7ba854
Instruction Fuzzy Hash: 8D213732D082146BC3249F19C48053BF7E4EB9E704F46962FE8C497395E3399C2887E5

Function 00404BC0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7021dfcba022c7c25580cd96da602261b1d025491482a130772f10e277436ddd
Instruction ID: c3a11dea21b93880c2bec0f3fccfcb0e7c0b1a976f9849203437204c26301c92
Opcode Fuzzy Hash: 7021dfcba022c7c25580cd96da602261b1d025491482a130772f10e277436ddd
Instruction Fuzzy Hash: F431ECB060D2009BE7149F19D980627B7E1EFC4319F19493EEA9AAB3D1D339DC42C74A

Function 0042F5E0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f0b12cb33696002d6a537a347f99650f8a1caeb8ca5ab4dcd4fbba958a8fa1
Instruction ID: 74112649e7d93137a0cb14cc095c8dc1235c87363cb483240c27c9a1451a6a02
Opcode Fuzzy Hash: 31f0b12cb33696002d6a537a347f99650f8a1caeb8ca5ab4dcd4fbba958a8fa1
Instruction Fuzzy Hash: 6621AF74A00215DBCF00CF94D9D19AFB7B1FF0A314B904169E941AB3A1E3389D45CB69

Function 0043B8C0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: dde22403d6744a3900b34784c932ed46ac96bc62e90eb16de623c369c45dfb0c
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 44110673A041D80EC3168D3C8440765BFA34E97234F2953DAE5F89B2D6D7278D8A93A9

Function 004307F0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e4373c64a15e30cbc499ebfbe72e16d3e6d674ecb473181a36f4cad195d695
Instruction ID: 36e758956a55f9c5c11ebb7b96d557d00800cba918f7ae786cde8b7d7bb32b08
Opcode Fuzzy Hash: b4e4373c64a15e30cbc499ebfbe72e16d3e6d674ecb473181a36f4cad195d695
Instruction Fuzzy Hash: 7F0175F5B0030157D724BF56A4E1727B2A85F88708F18663ED80957346DB79FC05CAD9

Function 0041AF40 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a609698ddd97a65969a2e4c2976e0a84a4a62fb69de5fdfb15c75b1161379c6b
Instruction ID: 3a64693a716a7bb6d799a239aed4efa64f13b72749a984ec0944380185557190
Opcode Fuzzy Hash: a609698ddd97a65969a2e4c2976e0a84a4a62fb69de5fdfb15c75b1161379c6b
Instruction Fuzzy Hash: 40F0ECF570411067DB2289959CC0FB7BBACCB8B368F190416F84557242D1756C95C3EF

Function 00441A80 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 5693cf3f988e29c11e876379024e78bb3f89d2661a8311d70cff87b3958a2d7d
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 76D05E21A0922246AB648E19A400977F7E4EAC7B51B49995FF582E3258D234DC81C2AD

Function 0043618F Relevance: 50.8, APIs: 2, Strings: 27, Instructions: 78COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00436199
VariantInit.OLEAUT32 ref: 004361AC

Strings

I, xrefs: 00436241
3, xrefs: 004361D3
d, xrefs: 004361C4
E, xrefs: 004361CE
;, xrefs: 004361FB
v, xrefs: 004361F6
;, xrefs: 00436232
C, xrefs: 00436223
?, xrefs: 004361E7
_, xrefs: 004361E2
K, xrefs: 0043624B
A, xrefs: 00436219
9, xrefs: 004361F1
_, xrefs: 004361D8
%, xrefs: 00436200
-, xrefs: 00436214
E, xrefs: 00436205
M, xrefs: 0043622D
:, xrefs: 0043620A
G, xrefs: 0043620F
J, xrefs: 00436246
1, xrefs: 004361C9
=, xrefs: 004361DD
%, xrefs: 00436228
O, xrefs: 00436237
L, xrefs: 004361EC
%, xrefs: 0043623C

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: %$%$%$-$1$3$9$:$;$;$=$?$A$C$E$E$G$I$J$K$L$M$O$_$_$d$v
API String ID: 2610073882-3468994831
Opcode ID: 3daa8f507907f839462dfa39eb420bde44c109fe08867309b26a0d00f417e6b4
Instruction ID: e9c7f1146032128724f9bdec031daba2a225aa60f9f3e315a0bdf175d789d0af
Opcode Fuzzy Hash: 3daa8f507907f839462dfa39eb420bde44c109fe08867309b26a0d00f417e6b4
Instruction Fuzzy Hash: E741C87010C3C0DEE352DB28C09875BBFE1AB96308F44599DE5D947382C7BA9649CB5B

Function 0043630E Relevance: 47.4, APIs: 1, Strings: 26, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004363BE

Strings

{, xrefs: 0043643F
(, xrefs: 00436467
}, xrefs: 0043640F
q, xrefs: 0043646F
g, xrefs: 004363DF
c, xrefs: 004363FF
4, xrefs: 004363F7
=, xrefs: 00436407
#, xrefs: 00436487
X, xrefs: 00436437
(, xrefs: 004365D7
T, xrefs: 00436457
!, xrefs: 00436417
a, xrefs: 004363EF
G, xrefs: 0043632C
", xrefs: 00436477
@, xrefs: 0043633C
9, xrefs: 004363E7
@, xrefs: 00436447
', xrefs: 004365C7
u, xrefs: 0043644F
0, xrefs: 004366D4
w, xrefs: 0043645F
#, xrefs: 004365B7
s, xrefs: 0043647F
y, xrefs: 0043642F

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID: !$"$#$#$'$($($0$4$9$=$@$@$G$T$X$a$c$g$q$s$u$w$y${$}
API String ID: 2525500382-432418991
Opcode ID: 055f4e05de53a28a97d7b61db737b0b64d5b3e3a791466188282ba4c649d95ca
Instruction ID: 9f388b386099813a24fdc584a8711f8671c1a8d4ca6d4d3bfda74d394ad693ea
Opcode Fuzzy Hash: 055f4e05de53a28a97d7b61db737b0b64d5b3e3a791466188282ba4c649d95ca
Instruction Fuzzy Hash: 8CA15F7050CBC1CAD3328A2C98487DABFD16BAB324F484B9DE4ED4A2E2C7754146C767

Function 00438599 Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 61COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004385A3
VariantInit.OLEAUT32 ref: 004385B6

Strings

q, xrefs: 0043862C
{, xrefs: 004385DC
y, xrefs: 004385EC
i, xrefs: 0043866C
m, xrefs: 0043868C
w, xrefs: 0043863C
o, xrefs: 0043867C
k, xrefs: 0043865C
}, xrefs: 0043860C
n, xrefs: 00438684
u, xrefs: 0043864C
s, xrefs: 0043861C

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: i$k$m$n$o$q$s$u$w$y${$}
API String ID: 2610073882-434376181
Opcode ID: a77d44d7207b62bf3763f28adf2973eafd3e1ef1eacc2f09b76565d718051be0
Instruction ID: ecf7aa1ba93f11b931c4b017102072dc6f9a5f92655033f76003445eb29e414e
Opcode Fuzzy Hash: a77d44d7207b62bf3763f28adf2973eafd3e1ef1eacc2f09b76565d718051be0
Instruction Fuzzy Hash: 4C41E32450D7C1CEE371DB288848B9EBFD26BA6224F184A9DD4ED4B3D2CB795049C763

Function 00437C32 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 88COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00437C6C

Strings

E, xrefs: 00437CAF
K, xrefs: 00437C9B
p, xrefs: 00437CEB
@, xrefs: 00437C91
c, xrefs: 00437CF5
R, xrefs: 00437CA5
x, xrefs: 00437CC3
@, xrefs: 00437C87
c, xrefs: 00437CE1
Y, xrefs: 00437CB9
|, xrefs: 00437CD7

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitVariant
String ID: @$@$E$K$R$Y$c$c$p$x$|
API String ID: 1927566239-2099116840
Opcode ID: 426eb7dc079c400172ce8bcf8d12a27ad94d6feb782ba49786e064d385da1be3
Instruction ID: b12030f24b8e78c2a73ac03f9e99b91eb4c424fd9d57ec5d8587879669f5671a
Opcode Fuzzy Hash: 426eb7dc079c400172ce8bcf8d12a27ad94d6feb782ba49786e064d385da1be3
Instruction Fuzzy Hash: 2941E16010C7C1CED362DB28949875BBFE0AFA6228F584A4DF0E85B3D2C7799505CB67

Function 00438821 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 77COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0043884F

Strings

K, xrefs: 0043887E
Y, xrefs: 0043889C
@, xrefs: 0043886A
p, xrefs: 004388CE
c, xrefs: 004388C4
|, xrefs: 004388BA
c, xrefs: 004388D8
@, xrefs: 00438874
E, xrefs: 00438892
x, xrefs: 004388A6
R, xrefs: 00438888

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitVariant
String ID: @$@$E$K$R$Y$c$c$p$x$|
API String ID: 1927566239-2099116840
Opcode ID: 8d3988a134aff82abaffb864f758e2f5f40d4437aff6175adb62cd310acdddf6
Instruction ID: d30c8e658de2a8e7b200eddcfa233859c6d20831a6f90ca12c34b24fcd39450d
Opcode Fuzzy Hash: 8d3988a134aff82abaffb864f758e2f5f40d4437aff6175adb62cd310acdddf6
Instruction Fuzzy Hash: 5441D37410C7C1CED321DB28949874ABFE06FAA228F480A8DF1E85B2D2C3759505CB67

Function 00435F3A Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 68COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00435F44
VariantInit.OLEAUT32 ref: 00435F57

Strings

4, xrefs: 00436022
v, xrefs: 00436062
5, xrefs: 00435FB2
), xrefs: 00435FF2
w, xrefs: 0043606A
:, xrefs: 00435FE2
!, xrefs: 00436012
S, xrefs: 00435F72
u, xrefs: 0043605A

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$)$4$5$:$S$u$v$w
API String ID: 2610073882-1934825185
Opcode ID: 06f9d2fee9d34c107782edff0bb0b0e2011f785913a47f806bd2ce1dc3e36627
Instruction ID: 0f120a937187d79d8767381d2f8fd6867be001f0cf99e9ab3928262e0b07fd64
Opcode Fuzzy Hash: 06f9d2fee9d34c107782edff0bb0b0e2011f785913a47f806bd2ce1dc3e36627
Instruction Fuzzy Hash: B841B32014C7C6CED332CA28C448BAEBFD06BA6264F088EADD0EA5A6D2D3755445D767

Function 004358AB Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 57COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004358B5
VariantInit.OLEAUT32 ref: 004358C8

Strings

l, xrefs: 004358F3
v, xrefs: 00435913
k, xrefs: 00435903
1, xrefs: 004358E3
z, xrefs: 00435973
., xrefs: 00435953

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: .$1$k$l$v$z
API String ID: 2610073882-3405225686
Opcode ID: 6cb15e98699db120211ec7808f161d22fee2e421fed54cc1ac1a4d858ec00f32
Instruction ID: 24f2675c95bc9c42a0cfd94f3c60aecfa22dde20c39f5de747ca3bf39958b4f7
Opcode Fuzzy Hash: 6cb15e98699db120211ec7808f161d22fee2e421fed54cc1ac1a4d858ec00f32
Instruction Fuzzy Hash: 4D31902410D7C1CEE3329B688958B9EBFE16FD6224F084B9DD4E94B2D2C7B55445CB23

Function 0043680F Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 180COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 0043681C

Strings

+, xrefs: 004368FF
<, xrefs: 004368FA
?, xrefs: 00436904
#, xrefs: 004368F0
0, xrefs: 004368F5
5, xrefs: 0043690E

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: String
String ID: #$+$0$5$<$?
API String ID: 2568140703-1474803392
Opcode ID: 8cc688ed6792fe88fea4fc47e62f6dde1bcfe798667701542d6c037ca773dea4
Instruction ID: 07fc8111defc27ae49d79230bef23680b6313b5502691f1b37ba41c954f9577d
Opcode Fuzzy Hash: 8cc688ed6792fe88fea4fc47e62f6dde1bcfe798667701542d6c037ca773dea4
Instruction Fuzzy Hash: A961D772A097508FC3299F2CC45035EBBE29BD9324F1A8A2DD5E9C73D1DA398842C746

Function 0043526B Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 170COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00435275

Strings

5, xrefs: 0043534E
#, xrefs: 00435330
?, xrefs: 00435344
+, xrefs: 0043533F
<, xrefs: 0043533A
0, xrefs: 00435335

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: String
String ID: #$+$0$5$<$?
API String ID: 2568140703-1474803392
Opcode ID: 1ee41aa9a3fe2d67bce96b0d3f5bc8fbfe8f58c10a396114396c0f9200eddb8d
Instruction ID: 3370ecbb4f06aa56e6e429b7051654f41c76f23f79daf93a791cdd7eceeda512
Opcode Fuzzy Hash: 1ee41aa9a3fe2d67bce96b0d3f5bc8fbfe8f58c10a396114396c0f9200eddb8d
Instruction Fuzzy Hash: 7261C831A087508FC7299B2CC4503AEB7E1AFDA324F194A2DE5EAC73D1DA798841C746

Function 004356CB Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 69COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004356D9

Strings

l, xrefs: 00435714
I, xrefs: 00435734
V, xrefs: 00435724
_, xrefs: 004356F4
V, xrefs: 00435754
U, xrefs: 00435744

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitVariant
String ID: I$U$V$V$_$l
API String ID: 1927566239-1408917838
Opcode ID: f7a1f9fffd33309d79f9820d7441561431d5559c734cc87c434eb70e92c9d6fc
Instruction ID: a66eb5c4b7bacd560bc1acf274e01c3fc4d0360296ba44bd2bf7dae8427709c0
Opcode Fuzzy Hash: f7a1f9fffd33309d79f9820d7441561431d5559c734cc87c434eb70e92c9d6fc
Instruction Fuzzy Hash: FB41E27400C7C1CEE335DB288454BDBBBE0ABA6314F048E9DE4E887292D7B58549CB63

Function 004285B0 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 443COMMON

Download Yara Rule

Strings

tz, xrefs: 004288DE
MC, xrefs: 00428745
mp, xrefs: 004288CE
E#A%, xrefs: 00428B6A

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: E#A%$mp$tz$MC
API String ID: 0-3807287400
Opcode ID: 7c3dd5337c6f32316b80cf5bfda41dc84ff65b8190589ff731955a39c09e8316
Instruction ID: bcfdbecb234d170ffacd29dfbc3b3742555c7f9b57f5a54b673af9dfcac521db
Opcode Fuzzy Hash: 7c3dd5337c6f32316b80cf5bfda41dc84ff65b8190589ff731955a39c09e8316
Instruction Fuzzy Hash: F2F130B42093409BC310DF15E990A2FBBF4EF96B48F90491EF4898B251D778C905DBAB

Function 00439950 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00439986
GetSystemMetrics.USER32 ref: 00439995

Strings

, xrefs: 00439A40

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 07c45d82cd2a4d26ba099d48f9d7a1ba9dc3da252903be6a4aca464c69f28734
Instruction ID: d99e9b1e65246302fa34940887c56263ac087aa1dab2bdd5eb6eb224507250fe
Opcode Fuzzy Hash: 07c45d82cd2a4d26ba099d48f9d7a1ba9dc3da252903be6a4aca464c69f28734
Instruction Fuzzy Hash: 99318EB4918304CFDB40EF69D98561EBBF0BB89314F11892DE488DB361D774A958CB86

Function 00445A1B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(37B83947,00000000,00000800), ref: 00445A92

Strings

0EBC, xrefs: 00445A49
4I2G, xrefs: 00445A41

Memory Dump Source

Source File: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID: 0EBC$4I2G
API String ID: 1029625771-3264664664
Opcode ID: 0adbe995fed65a2ce40ef144f922a7654778ad2d322e22e308813fde99c26939
Instruction ID: f7da3d5c1dd0cb831bef03aa5834eaa96156b037ec8573f4ad63a2ce40f86aa4
Opcode Fuzzy Hash: 0adbe995fed65a2ce40ef144f922a7654778ad2d322e22e308813fde99c26939
Instruction Fuzzy Hash: 4B118B711083419FEB00EF18E880A1EBBE5AF85341F958C2DE1D497352D738CA85CF5A

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Full-Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
Full-Setup.exe

Function 0043F920 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 250
comCOMMON

Function 00446C94 Relevance: 4.0, Strings: 3, Instructions: 269
COMMON

Function 00449F80 Relevance: 1.4, Strings: 1, Instructions: 138
COMMON

Function 004126DB Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 286
COMMON

Function 0043FE15 Relevance: 12.3, APIs: 8, Instructions: 263
COMMON

Function 0040D3A0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 142
threadCOMMON

Function 00445F16 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
libraryCOMMON

Function 004138C8 Relevance: 3.0, APIs: 2, Instructions: 21
COMMON

Function 00443A92 Relevance: 1.6, APIs: 1, Instructions: 67
memoryCOMMON

Function 00443A10 Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMON

Function 00446A50 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 004125E0 Relevance: 1.3, APIs: 1, Instructions: 13
COMMON