Edit tour

Windows Analysis Report
buNtKcYHCa.exe

Overview

General Information

Sample name:	buNtKcYHCa.exe renamed because original name is a hash value
Original sample name:	0680170d17b99321500944eb7deded51.exe
Analysis ID:	1544505
MD5:	0680170d17b99321500944eb7deded51
SHA1:	e7f95862d8e68584087acee5207dde9d81d544af
SHA256:	d4a2d9c10babdabd7bf16ee4773da3f82951c5741a682db002820deb6ff5eafd
Tags:	32exetrojan
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

buNtKcYHCa.exe (PID: 1240 cmdline: "C:\Users\user\Desktop\buNtKcYHCa.exe" MD5: 0680170D17B99321500944EB7DEDED51)

BitLockerToGo.exe (PID: 1528 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["offybirhtdi.sbs", "ostracizez.sbs", "arenbootk.sbs", "mediavelk.sbs", "strikebripm.sbs", "definitib.sbs", "activedomest.sbs", "elaboretib.sbs"], "Build id": "tLYMe5--4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1475000869.0000000003282000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1472271900.0000000002E18000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1475000869.00000000030D6000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.buNtKcYHCa.exe.3182000.3.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.buNtKcYHCa.exe.3182000.3.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.buNtKcYHCa.exe.2e18000.2.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.buNtKcYHCa.exe.2e18000.2.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
3.2.BitLockerToGo.exe.32c0000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (activedomest .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T14:17:30.280852+0100	2056835	1	Domain Observed Used for C2 Detected	192.168.2.7	51494	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (arenbootk .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T14:17:30.267368+0100	2056838	1	Domain Observed Used for C2 Detected	192.168.2.7	63286	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (definitib .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T14:17:30.244857+0100	2056844	1	Domain Observed Used for C2 Detected	192.168.2.7	49415	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (elaboretib .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T14:17:30.231589+0100	2056847	1	Domain Observed Used for C2 Detected	192.168.2.7	49437	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mediavelk .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T14:17:30.255937+0100	2056841	1	Domain Observed Used for C2 Detected	192.168.2.7	52069	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offybirhtdi .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T14:17:30.292936+0100	2056832	1	Domain Observed Used for C2 Detected	192.168.2.7	59331	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ostracizez .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T14:17:30.202315+0100	2056853	1	Domain Observed Used for C2 Detected	192.168.2.7	53451	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strikebripm .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T14:17:30.219270+0100	2056850	1	Domain Observed Used for C2 Detected	192.168.2.7	50115	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T14:17:31.806578+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.7	49759	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.buNtKcYHCa.exe.2e18000.2.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["offybirhtdi.sbs", "ostracizez.sbs", "arenbootk.sbs", "mediavelk.sbs", "strikebripm.sbs", "definitib.sbs", "activedomest.sbs", "elaboretib.sbs"], "Build id": "tLYMe5--4"}

Multi AV Scanner detection for submitted file

Source: buNtKcYHCa.exe

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp	String decryptor: offybirhtdi.sbs
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp	String decryptor: activedomest.sbs
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp	String decryptor: arenbootk.sbs
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp	String decryptor: mediavelk.sbs
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp	String decryptor: definitib.sbs
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp	String decryptor: elaboretib.sbs
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp	String decryptor: strikebripm.sbs
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ostracizez.sbs
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ostracizez.sbs
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp	String decryptor: tLYMe5--4

Source: buNtKcYHCa.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49759 version: TLS 1.2

Source: buNtKcYHCa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: buNtKcYHCa.exe, 00000000.00000002.1472271900.0000000002EA6000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: buNtKcYHCa.exe, 00000000.00000002.1472271900.0000000002EA6000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+00000106h]	3_2_032CDE90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18E26AFFh]	3_2_032E3330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B62B8D10h	3_2_032E3330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	3_2_032EC390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], F2EEECF6h	3_2_032ED3EA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	3_2_032ED3EA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [eax+ebx], 00000030h	3_2_032C12D5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+548844AEh]	3_2_03305120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+4E2BFA43h]	3_2_03301100
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [eax]	3_2_032EF1A2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx+4FFEBE6Ch]	3_2_032CD1F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ebx	3_2_032CD1F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	3_2_032EC020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [edi+34h], 00000001h	3_2_032C9006
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 50DC24C7h	3_2_03306040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	3_2_032E2090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_032D10D7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	3_2_032E5770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esi+20h]	3_2_032EA7E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	3_2_032EC7DC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 3E416E49h	3_2_03304640
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 16194952h	3_2_03304640
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	3_2_032DC692
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_032DC692
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_032E16C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_032E15AD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edx], al	3_2_032F0417
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [03310498h]	3_2_032FD4B8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B62B8D10h	3_2_032FD4B8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_032F1495
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	3_2_033064F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edi	3_2_033054D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 3602324Eh	3_2_03306B70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebp, word ptr [eax]	3_2_03306B70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_032E3B40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [eax]	3_2_032E3B40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	3_2_032E6B58
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edi]	3_2_03303A33
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], dl	3_2_032EEAF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_032F9970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_032F09A1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_032F09A1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, byte ptr [esi+ecx+77CF5801h]	3_2_032F09A1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-000000A1h]	3_2_032ED9C5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edi	3_2_03305800
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	3_2_032C5850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ebx	3_2_032DF8A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 3568C09Bh	3_2_032DF8A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ebx], cx	3_2_032DF8A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebp+ecx+02h], 0000h	3_2_032E18B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+4Ch]	3_2_032ECD09
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 9ABDB589h	3_2_032E9FE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edx], al	3_2_032F0FFE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	3_2_032DCFDD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 9ABDB589h	3_2_032EEE3D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_032EDE60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], C0A4C970h	3_2_03306E50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-27h]	3_2_032CFE86
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-27h]	3_2_032CFE86
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	3_2_03303E80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+4Ch]	3_2_032ECD09
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-411B9734h]	3_2_032E0D60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_032E0D60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, word ptr [esp+eax*4+000004A8h]	3_2_032CBC40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp edx, 02h	3_2_032CBC40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_032ECC5F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+4E2BFA47h]	3_2_032FFC90

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056850 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strikebripm .sbs) : 192.168.2.7:50115 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056841 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mediavelk .sbs) : 192.168.2.7:52069 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056844 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (definitib .sbs) : 192.168.2.7:49415 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056853 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ostracizez .sbs) : 192.168.2.7:53451 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056835 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (activedomest .sbs) : 192.168.2.7:51494 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056832 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offybirhtdi .sbs) : 192.168.2.7:59331 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056838 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (arenbootk .sbs) : 192.168.2.7:63286 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056847 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (elaboretib .sbs) : 192.168.2.7:49437 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49759 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: offybirhtdi.sbs
Source: Malware configuration extractor	URLs: ostracizez.sbs
Source: Malware configuration extractor	URLs: arenbootk.sbs
Source: Malware configuration extractor	URLs: mediavelk.sbs
Source: Malware configuration extractor	URLs: strikebripm.sbs
Source: Malware configuration extractor	URLs: definitib.sbs
Source: Malware configuration extractor	URLs: activedomest.sbs
Source: Malware configuration extractor	URLs: elaboretib.sbs

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

ASN Name: AKAMAI-ASUS AKAMAI-ASUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: BitLockerToGo.exe, 00000003.00000002.1488710149.0000000003664000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cb4a621662dea893af1b461ce15baa4ea; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=39815ef0c60c9a8065487d53; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26105Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveTue, 29 Oct 2024 13:17:31 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: ostracizez.sbs
Source: global traffic	DNS traffic detected: DNS query: strikebripm.sbs
Source: global traffic	DNS traffic detected: DNS query: elaboretib.sbs
Source: global traffic	DNS traffic detected: DNS query: definitib.sbs
Source: global traffic	DNS traffic detected: DNS query: mediavelk.sbs
Source: global traffic	DNS traffic detected: DNS query: arenbootk.sbs
Source: global traffic	DNS traffic detected: DNS query: activedomest.sbs
Source: global traffic	DNS traffic detected: DNS query: offybirhtdi.sbs
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: BitLockerToGo.exe, 00000003.00000002.1487546926.000000000360C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/publi
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1487546926.000000000360C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=e
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=W9BX
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: buNtKcYHCa.exe	String found in binary or memory: https://doi.org/GTB
Source: buNtKcYHCa.exe	String found in binary or memory: https://github.com/go-sql-driver/mysql/wiki/strict-modetable
Source: buNtKcYHCa.exe	String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: buNtKcYHCa.exe	String found in binary or memory: https://liveinternet.club
Source: buNtKcYHCa.exe	String found in binary or memory: https://liveinternet.clubh
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 00000003.00000003.1486585764.000000000361E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1487667734.000000000361E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/&&
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.000000000361E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1487667734.000000000361E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486947718.0000000003634000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003632000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486947718.0000000003634000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003632000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/x
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000003.1486883970.0000000003664000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486947718.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1488710149.0000000003664000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: BitLockerToGo.exe, 00000003.00000003.1486947718.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cb4a621662dea893
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49759 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_032F6960 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_032F6960

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_032F6960 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_032F6960

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1475000869.0000000003282000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1475000869.00000000030D6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032CF490	3_2_032CF490
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032CEE20	3_2_032CEE20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032C132D	3_2_032C132D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032E3330	3_2_032E3330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032EB30E	3_2_032EB30E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032D0370	3_2_032D0370
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032E9340	3_2_032E9340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032ED3EA	3_2_032ED3EA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032FC3E0	3_2_032FC3E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032CD3F0	3_2_032CD3F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032D3227	3_2_032D3227
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032C12D5	3_2_032C12D5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_03305120	3_2_03305120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032CB130	3_2_032CB130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032FC152	3_2_032FC152
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032EF1A2	3_2_032EF1A2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032FC180	3_2_032FC180
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_033041C0	3_2_033041C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032F41D4	3_2_032F41D4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032CA020	3_2_032CA020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032EC020	3_2_032EC020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032EB03C	3_2_032EB03C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032C9006	3_2_032C9006
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032C1000	3_2_032C1000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032C7040	3_2_032C7040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032E60BA	3_2_032E60BA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032E2090	3_2_032E2090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032D10D7	3_2_032D10D7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032D7736	3_2_032D7736
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032C971D	3_2_032C971D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032CD780	3_2_032CD780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032EA7E2	3_2_032EA7E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_03306600	3_2_03306600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032DD667	3_2_032DD667
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_03304640	3_2_03304640
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032D56C1	3_2_032D56C1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032F6520	3_2_032F6520
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032CA500	3_2_032CA500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0330354C	3_2_0330354C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_033005D0	3_2_033005D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032F0417	3_2_032F0417
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032C8460	3_2_032C8460
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032FD4B8	3_2_032FD4B8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032F1495	3_2_032F1495
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032D6493	3_2_032D6493
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_033054D0	3_2_033054D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032EA4D0	3_2_032EA4D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_03306B70	3_2_03306B70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032FDB76	3_2_032FDB76
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032E6B58	3_2_032E6B58
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032CABC0	3_2_032CABC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032C7A60	3_2_032C7A60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032DCAB0	3_2_032DCAB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032C9A81	3_2_032C9A81
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032FCAF0	3_2_032FCAF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032E9ADE	3_2_032E9ADE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032CE920	3_2_032CE920
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032FB91D	3_2_032FB91D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032C99A9	3_2_032C99A9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032F09A1	3_2_032F09A1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032E29C0	3_2_032E29C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032E59D0	3_2_032E59D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_03305800	3_2_03305800
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032DF8A0	3_2_032DF8A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032DE882	3_2_032DE882
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032C38E0	3_2_032C38E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_033068C0	3_2_033068C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032C4FB0	3_2_032C4FB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032E9FE0	3_2_032E9FE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032F0FFE	3_2_032F0FFE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032EEE3D	3_2_032EEE3D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_03306E50	3_2_03306E50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032CFE86	3_2_032CFE86
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032E9D3E	3_2_032E9D3E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032EFD63	3_2_032EFD63
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032E0D60	3_2_032E0D60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032CBC40	3_2_032CBC40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032E2CE0	3_2_032E2CE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_032FACD9	3_2_032FACD9

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 032DC670 appears 197 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 032CC830 appears 72 times

Source: buNtKcYHCa.exe, 00000000.00000002.1472271900.0000000002EA6000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs buNtKcYHCa.exe

Source: buNtKcYHCa.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1475000869.0000000003282000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1475000869.00000000030D6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@10/1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_032E5770 CoCreateInstance,

3_2_032E5770

Source: buNtKcYHCa.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\buNtKcYHCa.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: buNtKcYHCa.exe

ReversingLabs: Detection: 23%

Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain
Source: buNtKcYHCa.exe	String found in binary or memory: $github.com/mmcloughlin/addchain/meta
Source: buNtKcYHCa.exe	String found in binary or memory: $descriptor.FileOptions_OptimizeMode$func(gob.encEngine) gob.encEngine$map.bucket[reflect.Type]gob.gobType$github.com/mmcloughlin/addchain/meta%map.bucket[interface {}]interface {}%struct { F uintptr; X0 sync.Mutex }%func(pe.StringTable) (string, error)%func(io.Writer, string) (int, error)
Source: buNtKcYHCa.exe	String found in binary or memory: &github.com/mmcloughlin/addchain/acc/ir
Source: buNtKcYHCa.exe	String found in binary or memory: 'github.com/mmcloughlin/addchain/acc/ast
Source: buNtKcYHCa.exe	String found in binary or memory: 'atomic.Pointer[encoding/gob.encEngine]'struct { F uintptr; X0 gob.typeInfo }'github.com/mmcloughlin/addchain/acc/ast(map.bucket[string]mysql.DialContextFunc
Source: buNtKcYHCa.exe	String found in binary or memory: (github.com/mmcloughlin/addchain/acc/pass
Source: buNtKcYHCa.exe	String found in binary or memory: (descriptor.GeneratedCodeInfo_Annotation(github.com/mmcloughlin/addchain/acc/pass(struct { F uintptr; X0 int; X1 string })func(interface {}) (driver.Value, error))struct { F uintptr; R *mysql.mysqlConn }
Source: buNtKcYHCa.exe	String found in binary or memory: .github.com/mmcloughlin/addchain/internal/print
Source: buNtKcYHCa.exe	String found in binary or memory: .github.com/mmcloughlin/addchain/internal/print/*func([]uint8, []uint8, []uint8, []uint8) error
Source: buNtKcYHCa.exe	String found in binary or memory: Cgithub.com/consensys/gnark-crypto/field/generator/internal/addchain
Source: buNtKcYHCa.exe	String found in binary or memory: Span>protobuf:"varint,2,rep,packed,name=span" json:"span,omitempty"Cgithub.com/consensys/gnark-crypto/field/generator/internal/addchainCstruct { F uintptr; X0 gob.encOp; X1 *gob.encOp; X2 int; X3 int }
Source: buNtKcYHCa.exe	String found in binary or memory: merge_operatormax_open_filesmem_table_sizebytes_per_syncmin_flush_rateGetSystemTimesfragment-startfragment-end %p: %02d/%02d
Source: buNtKcYHCa.exe	String found in binary or memory: gogoproto.protosizergogoproto.customtypegogoproto.customnamegogoproto.wktpointerinvalid map key typeJavaOuterClassname: PhpGenericServices: invalid nil Durationmmcloughlin/addchainBSD 3-Clause LicenseMorocco Standard TimeNamibia Standard TimeAlaskan Standard TimeCentral Standard TimePacific Standard TimeEastern Standard TimeSE Asia Standard TimeArabian Standard TimeMagadan Standard TimeMyanmar Standard TimeYakutsk Standard TimeBelarus Standard TimeRussian Standard TimeRomance Standard TimeSaratov Standard TimeNorfolk Standard Timeutf8mb4_lithuanian_ciutf8mb4_vietnamese_cicaching_sha2_passwordmysql_native_passwordinvalid dbname %q: %wunknown collation: %qunknown field type %dtrace/breakpoint trapuser defined signal 1user defined signal 2link has been severedpackage not installedblock device requiredstate not recoverableread-only file systemstale NFS file handleReadDirectoryChangesWNetGetJoinInformationreflect.Value.ComplexWSALookupServiceNextAWSALookupServiceNextWWSARemoveServiceClassWSCUnInstallNameSpaceWSCWriteProviderOrderWSAAsyncGetHostByAddrWSAAsyncGetHostByNameWSAAsyncGetServByPortWSAAsyncGetServByNameWSACancelAsyncRequestWSAUnhookBlockingHookWSACancelBlockingCallSafeArrayUnaccessDataSysAllocStringByteLenQueryPathOfRegTypeLibVARIANT_UserUnmarshalLPSAFEARRAY_UnmarshalSafeArrayCreateVectorOleCreateFontIndirectSami (Southern) (sma)Tajik (Cyrillic) (tg)Arabic Jordan (ar-JO)Arabic Kuwait (ar-KW)Arabic U.a.e. (ar-AE)Breton France (br-FR)Catalan Spain (ca-ES)Dutch Belgium (nl-BE)English India (en-IN)French Canada (fr-CA)French France (fr-FR)Fulah Nigeria (ff-NG)Hebrew Israel (he-IL)Irish Ireland (ga-IE)Italian Italy (it-IT)Kannada India (kn-IN)Maltese Malta (mt-MT)Marathi India (mr-IN)Polish Poland (pl-PL)Punjabi India (pa-IN)Quechua Peru (quz-PE)Sakha Russia (sah-RU)Spanish Chile (es-CL)Spanish Spain (es-ES)Syriac Syria (syr-SY)Thai Thailand (th-TH)Wolof Senegal (wo-SN)unsupported operationnegative shift amountconcurrent map writes/gc/heap/allocs:bytesruntime: work.nwait= previous allocCount=, levelBits[level] = runtime: searchIdx = runtime: mappedReady=runtime: totalMapped=defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptioninvalid NumericStringx509: invalid versioninvalid scalar lengthlocalhost.localdomainkey is not comparableafter top-level valuein string escape code186264514923095703125931322574615478515625decompression failureunsupported extensionFloat.SetFloat64(NaN)set bit is not 0 or 1unknown ABI part kind of unexported methodunexpected value stepreflect.Value.SetZeroreflect.Value.Pointerreflect.Value.SetUintSignatureDoesNotMatchEC2ThrottledExceptionfeature not supportedhttp: invalid patternPrecondition RequiredInternal Server Erroruse of closed Encoderinput string too longhex number > 256 bitsVariabl
Source: buNtKcYHCa.exe	String found in binary or memory: no non-null argumentsstep must not be zeroinvalid end index: %sinvalid named captureJavaScriptDecodeValueDecimal128DecodeValueJSONNumberDecodeValueDecimal128EncodeValueJSONNumberEncodeValueJavaScriptEncodeValueno encoder found for no decoder found for ","subType":"%02x"}},bsoncore.Value.Doublebsoncore.Value.Binarybsoncore.Value.Symbolinvalid emitter stateexpected STREAM-STARTexpected DOCUMENT-ENDcannot marshal type: write handler not setType.IsNil argument 1pebble: invalid batchinvalid key kind 0x%xunknown hint type: %d \| top in read pebble_version=0.1
Source: buNtKcYHCa.exe	String found in binary or memory: bootstrap type already present: bytes.Buffer.Grow: negative countlocal file '%s' is not registeredcolumn count mismatch n:%d len:%dinvalid DATETIME packet length %dbytes.Reader.Seek: invalid whencecrypto/aes: output not full blocktoo many levels of symbolic linksInitializeProcThreadAttributeListImage base beyond allowed addressThunk AddressOfData beyond limitsCentral Kurdish Iraq (ku-Arab-IQ)Norwegian (Bokmal) Norway (nb-NO)could not find signer certificateinvalid VS_VERSION_INFO block. %ssync: RUnlock of unlocked RWMutexslice bounds out of range [%x:%y]runtime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert short slice passed to readGCStatsruntime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangex509: invalid RSA public exponentx509: SAN rfc822Name is malformedx509: invalid extended key usagesscalar has high bit set illegallygo package net: confVal.netCgo = sql: connection is already closed142108547152020037174224853515625710542735760100185871124267578125tls: failed to write to key log: tls: invalid server finished hashtls: unexpected ServerKeyExchangeFloat.GobDecode: buffer too smallreflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length application/x-www-form-urlencodedhttp: multiple registrations for too large block number: bitlen %drlp: non-canonical integer formatcan't Reset derived EncoderBufferAttributeTypes on non-object Typeskip everything and stop the walkcannot serialize infinity as JSONextraneous data after JSON objecttoo many tuple elements (need %d)CryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWwaiting for unsupported file typecrypto: requested hash function #encoding: missing byte order markindefinite length found (not DER)struct contains unexported fieldsGODEBUG: no value specified for "unaligned 64-bit atomic operationcrypto/des: output not full blocktoo many Answers to pack (>65535)more than one dot found in numberCount of all completed GC cycles.The stack size of new goroutines.attributes %q and %q are requiredThe prefix to remove, if present.The suffix to remove, if present.at least one argument is requiredfailed to marshal %#v as JSON:
Source: buNtKcYHCa.exe	String found in binary or memory: bootstrap type already present: bytes.Buffer.Grow: negative countlocal file '%s' is not registeredcolumn count mismatch n:%d len:%dinvalid DATETIME packet length %dbytes.Reader.Seek: invalid whencecrypto/aes: output not full blocktoo many levels of symbolic linksInitializeProcThreadAttributeListImage base beyond allowed addressThunk AddressOfData beyond limitsCentral Kurdish Iraq (ku-Arab-IQ)Norwegian (Bokmal) Norway (nb-NO)could not find signer certificateinvalid VS_VERSION_INFO block. %ssync: RUnlock of unlocked RWMutexslice bounds out of range [%x:%y]runtime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert short slice passed to readGCStatsruntime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangex509: invalid RSA public exponentx509: SAN rfc822Name is malformedx509: invalid extended key usagesscalar has high bit set illegallygo package net: confVal.netCgo = sql: connection is already closed142108547152020037174224853515625710542735760100185871124267578125tls: failed to write to key log: tls: invalid server finished hashtls: unexpected ServerKeyExchangeFloat.GobDecode: buffer too smallreflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length application/x-www-form-urlencodedhttp: multiple registrations for too large block number: bitlen %drlp: non-canonical integer formatcan't Reset derived EncoderBufferAttributeTypes on non-object Typeskip everything and stop the walkcannot serialize infinity as JSONextraneous data after JSON objecttoo many tuple elements (need %d)CryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWwaiting for unsupported file typecrypto: requested hash function #encoding: missing byte order markindefinite length found (not DER)struct contains unexported fieldsGODEBUG: no value specified for "unaligned 64-bit atomic operationcrypto/des: output not full blocktoo many Answers to pack (>65535)more than one dot found in numberCount of all completed GC cycles.The stack size of new goroutines.attributes %q and %q are requiredThe prefix to remove, if present.The suffix to remove, if present.at least one argument is requiredfailed to marshal %#v as JSON:
Source: buNtKcYHCa.exe	String found in binary or memory: pebble/table: %d: unknown merger %spebble: invalid call to virtualLast%d extra bits on block, should be 0can only encode up to 64K sequenceszero matchoff and matchlen (%d) > 0proto: internal error: bad wiretypeduration: %#v: seconds out of rangebad type for XXX_extensions field: protobuf tag field not an integer: cockroach.errorspb.EncodedErrorLeaftruncated input (or invalid offset)file %q has a name conflict over %vfound wrong type: got %v, want enumvarint,62022,opt,name=enum_stringervarint,63017,opt,name=marshaler_allgogoproto.goproto_enum_stringer_allvarint,64004,opt,name=verbose_equaldelimiters may only be "{}" or "<>"string field contains invalid UTF-8%v already implements proto.Messagegoogle.protobuf.FieldOptions_JSTypegoogle.protobuf.FileDescriptorProtogoogle.protobuf.EnumDescriptorProtogoogle.protobuf.UninterpretedOption&descriptor.ServiceDescriptorProto{\A[_\pL][_\pL\p{Nd}]*(\.\.\.\|\?)?\zTime.UnmarshalBinary: invalid lengthyear is not in the range [1, 9999]: bytes.Reader.Seek: negative positionlocale not found when calling %s: %vcrypto/cipher: input not full blocksbytes: Repeat output length overflowbytes.Reader.ReadAt: negative offsetaccessing a corrupted shared libraryfailure to read data directories: %vfail to read section relocations: %vfail to read string table length: %vstrings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportCherokee United States (chr-Cher-US)Chinese (Traditional) Taiwan (zh-TW)English United Arab Emirates (en-AE)lfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: buNtKcYHCa.exe	String found in binary or memory: pebble/table: %d: unknown merger %spebble: invalid call to virtualLast%d extra bits on block, should be 0can only encode up to 64K sequenceszero matchoff and matchlen (%d) > 0proto: internal error: bad wiretypeduration: %#v: seconds out of rangebad type for XXX_extensions field: protobuf tag field not an integer: cockroach.errorspb.EncodedErrorLeaftruncated input (or invalid offset)file %q has a name conflict over %vfound wrong type: got %v, want enumvarint,62022,opt,name=enum_stringervarint,63017,opt,name=marshaler_allgogoproto.goproto_enum_stringer_allvarint,64004,opt,name=verbose_equaldelimiters may only be "{}" or "<>"string field contains invalid UTF-8%v already implements proto.Messagegoogle.protobuf.FieldOptions_JSTypegoogle.protobuf.FileDescriptorProtogoogle.protobuf.EnumDescriptorProtogoogle.protobuf.UninterpretedOption&descriptor.ServiceDescriptorProto{\A[_\pL][_\pL\p{Nd}]*(\.\.\.\|\?)?\zTime.UnmarshalBinary: invalid lengthyear is not in the range [1, 9999]: bytes.Reader.Seek: negative positionlocale not found when calling %s: %vcrypto/cipher: input not full blocksbytes: Repeat output length overflowbytes.Reader.ReadAt: negative offsetaccessing a corrupted shared libraryfailure to read data directories: %vfail to read section relocations: %vfail to read string table length: %vstrings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportCherokee United States (chr-Cher-US)Chinese (Traditional) Taiwan (zh-TW)English United Arab Emirates (en-AE)lfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: buNtKcYHCa.exe	String found in binary or memory: runtime: bad notifyList size - sync=accessed data from freed user arena runtime: wrong goroutine in newstackruntime: invalid pc-encoded table f=crypto/sha1: invalid hash state sizecrypto/sha512: invalid hash functionx509: zero or negative DSA parameterx509: invalid CRL distribution pointx509: invalid subject key identifierx509: malformed algorithm identifiersyntax error scanning complex numberedwards25519: invalid point encodingname %q does not begin with a lettersql: converting argument %s type: %vconverting NULL to %s is unsupportedjson: encoding error for type %q: %q444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzexpected an ECDSA public key, got %Ttls: keys must have at least one keyunsupported SSLv2 handshake receivedtls: server did not send a key sharemultiplication of zero with infinityinvalid semicolon separator in querymethod ABI and value ABI don't alignreflect.Value.Equal: values of type http: no Location header in responsehttp: invalid byte %q in Cookie.Pathhttp://www.w3.org/XML/1998/namespacexml: end tag </%s> without start tagxml: %s chain not valid with %s flagrlp: type %v is not RLP-serializablecty.Capsule(%q, reflect.TypeOf(%#v))%d elements are required, but got %dunsupported value type %#v in Equalselement key for tuple must be numberIA5String contains invalid characterreflect: NumField of non-struct typeno assembly implementation availablecompressed name in SRV resource dataX-Amz-Server-Side-Encryption-Contextmalformed MIME header initial line: there are bytes left after unmarshalReturns the union of all given sets.argument must be list, tuple, or setthe given object has no attribute %qkeys list has null value at index %dcannot parse %q as a base %d integerend index must not be less than zeroinvalid pattern syntax (+ after -): chacha20: wrong HChaCha20 nonce sizecannot parse -Infinity as a *big.Int) inline map must have a string keystoo few bytes to read next componentmust set the output target only onceunknown problem parsing YAML contentdocument contains excessive aliasingdid not find expected <stream-start>did not find expected version numberL%d->L%d: %s already being compacted[JOB %d] sstable delete error %s: %sMemTables: %d (%s) zombie: %d (%s)
Source: buNtKcYHCa.exe	String found in binary or memory: unexpected block num %d, expected %dpebble: invalid end key for span: %sNumber of heap bytes released to OS.error while unmarshalling error: %+vinvalid input: magic number mismatchcompressed block size too large (%d)corruption detected (total %d != %d)total mismatch %d (got) != %d (want)proto: tag has unknown wire type: %qbad pointer or slice in map case in proto: textWriter unindented too farstdtime is not time.Duration, but %Tany: message type %q isn't linked infunc(v %v) *%v { return &v } ( %#v )google/protobuf/source_context.protocompare: unexpected type %T in oneofcannot merge into invalid %v messagebytes,62023,opt,name=enum_customnamegogoproto.goproto_extensions_map_allvarint,63028,opt,name=protosizer_allinvalid hex escape code %q in string%v: MessageSet with no unknown fieldgoogle.protobuf.FieldDescriptorProtogoogle.protobuf.OneofDescriptorProto&descriptor.SourceCodeInfo_Location{duration (%v) has out-of-range nanostimezone hour outside of range [0,23]could not use requested auth plugin 'invalid value / unknown config name: invalid value for TLS config name: %vnon-Value type %T returned from Valuecipher: message authentication failedcrypto/cipher: invalid buffer overlapcrypto/cipher: incorrect GCM tag sizebytes.Buffer: truncation out of rangecannot exec a shared library directlyvalue too large for defined data typetoo many symbols; file may be corruptFrench Principality Of Monaco (fr-MC)Inuktitut (Latin) Canada (iu-Latn-CA)Mongolian (Cyrillic) Mongolia (mn-MN)Uzbek (Latin) Uzbekistan (uz-Latn-UZ)Yi People's Republic Of China (ii-CN)` VirtualAddress is beyond 0x10000000runtime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfailed to reserve page summary memoryruntime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!crypto/rsa: public exponent too smallcrypto/rsa: public exponent too largecrypto: Size of unknown hash functioncrypto/rsa: unsupported hash functionbigmod: internal error: shrinking natx509: malformed extension value fieldx509: RSA key missing NULL parametersx509: invalid CRL distribution pointscrypto/ecdh: invalid private key sizecannot create context from nil parentsql: Scan called without calling Next2220446049250313080847263336181640625tls: unsupported certificate key (%T)tls: failed to verify certificate: %sreflect: Bits of non-arithmetic Type reflect: NumField of non-struct type reflect: IsVariadic of non-func type reflect: funcLayout of non-func type reflect.Value.Bytes of non-byte slicereflect.Value.Bytes of non-byte arrayreflect.Value.Bytes of non-rune slicemethod ABI and value ABI do not alignreflect.Value.Convert: value of type http: invalid byte %q in Cookie.Value^(us\|eu\|ap\|sa\|ca\|me\|af\|il)\-\w+\-\d+$xml: bad type for comment field of %sinvalid sequence <!- not part of <!--too large block difficulty: b
Source: buNtKcYHCa.exe	String found in binary or memory: disk slowness detected: %s on file %s has been ongoing for %0.1fsDesc{fqName: %q, help: %q, constLabels: {%s}, variableLabels: %v}error %+v (%T) announces proto message, but marshaling fails: %+verrors.As: target must be interface or implement error, found %Tunexpected literal count, want %d bytes, but only %d is availableunable to query buffer size from InitializeProcThreadAttributeListlast data directory entry is a reserved field, must be set to zerox509: certificate is not valid for any names, but wanted to match x509: requested SignatureAlgorithm does not match private key typetls: certificate private key (%T) does not implement crypto.Signerclient doesn't support ECDHE, can only use legacy RSA key exchangetls: server sent an unexpected quic_transport_parameters extensionreflect: indirection through nil pointer to embedded struct field 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0xd4e56740f876aef8c010b86a40d5f56745a118d0906a34e69aec8c0db1cb8fa30xb5f7f912443c940f21fd611f12828d75b534364ed9e95ca4e307729a4661bde40x25a5cc106eea7138acab33231d7160d69cb777ee0c2c553fcddf5138993e6dd9pkcs7: signing time %q is outside of certificate validity %q to %qCumulative sum of memory allocated to the heap by the application.not a valid RFC3339 timestamp: minute must have exactly two digitsnot enough arguments for %q at %d: need index %d but have %d totaldocument end byte found before end of document. remaining bytes=%vinternal error: attempted to parse unknown event (please report): Cannot use WithApproximateSpanBytes without WithProperties option.ingest-time split produced a file that overlaps with ingested filepebble: tried to transition an eventually-file-only-snapshot twicepebble: internal error: file L%d.%s obsolete during B-Tree removalNumber of heap bytes when next garbage collection will take place.internal error: expected cumul[s.symbolLen] (%d) == tableSize (%d)Descriptor.Options called without importing the descriptor packageinvalid DSN: network address not terminated (missing closing brace)tls: server sent certificate containing RSA key larger than %d bitsMemory that is used by the stack trace hash map used for profiling.returned value %#v does not conform to expected return type %#v: %sReturns true if the two given values are equal, or false otherwise.Returns false if the two given values are equal, or true otherwise.not a valid RFC3339 timestamp: missing required time introducer 'T'SliceDecodeValue can only decode a binary into a byte array, got %vSliceDecodeValue can only decode a string into a byte array, got %vOnlyReadGuaranteedDurable is not supported for batches or snapshotspebble: shared file outside of excise span, span [%s-%s), file = %spebble: comparer name from file %q != comparer name from options %qfile %s chosen as seed file for compaction should not be compactingL0 files %s and %s are not properly ordered: <#%d-#%d> vs <#%d-#%d>pebble: range keys must be added via one of the RangeKey functionspebble: range keys s
Source: buNtKcYHCa.exe	String found in binary or memory: Memory allocated from the heap that is reserved for stack space, whether or not it is currently in-use. Currently, this represents all stack memory for goroutines. It also includes all OS thread stacks in non-cgo programs. Note that stacks may be allocated differently in the future, and this may change.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total GC-related stop-the-world time (/sched/pauses/total/gc:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.You have encountered an unexpected error.
Source: buNtKcYHCa.exe	String found in binary or memory: Memory allocated from the heap that is reserved for stack space, whether or not it is currently in-use. Currently, this represents all stack memory for goroutines. It also includes all OS thread stacks in non-cgo programs. Note that stacks may be allocated differently in the future, and this may change.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total GC-related stop-the-world time (/sched/pauses/total/gc:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.You have encountered an unexpected error.
Source: buNtKcYHCa.exe	String found in binary or memory: Distribution of individual non-GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total non-GC-related stop-the-world time (/sched/pauses/total/other:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.GC cycle the last time the GC CPU limiter was enabled. This metric is useful for diagnosing the root cause of an out-of-memory error, because the limiter trades memory for CPU time when the GC's CPU time gets too high. This is most likely to occur with use of SetMemoryLimit. The first GC cycle is cycle 1, so a value of 0 indicates that it was never enabled.Distribution of individual GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.Estimated total CPU time spent performing GC tasks on spare CPU resources that the Go scheduler could not otherwise find a use for. This should be subtracted from the total GC CPU time to obtain a measure of compulsory GC CPU time. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total available CPU time for user Go code or the Go runtime, as defined by GOMAXPROCS. In other words, GOMAXPROCS integrated over the wall-clock duration this process has been executing for. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics. Sum of all metrics in /cpu/classes.Stack memory allocated by the underlying operating system. In non-cgo programs this metric is currently zero. This may change in the future.In cgo programs this metric includes OS thread stacks allocated directly from the OS. Currently, this only accounts for one stack in c-shared and c-archive build modes, and other sources of stacks from the OS are not measured. This too may change in the future.Estimated total CPU time spent with the application paused by the GC. Even if only one thread is running during the pause, this is computed as GOMAXPROCS times the pause latency because nothing else can be executing. This is the exact sum of samples in /sched/pauses/total/gc:seconds if each sample is multiplied by GOMAXPROCS at the time it is taken. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.TokenNilTokenNewlineTokenBangTokenPercentTokenBitwiseAndTokenApostropheTokenOParenTokenCParenTokenStarTokenPlusTokenCommaTokenMinusTokenDotTokenSlashTokenColonTokenSemicolonTokenLessThanTokenEqualTokenGreaterThanTokenQuestionTokenCommentTokenOHeredocTokenIdentTokenNumberLitTokenQuotedLitTokenStri
Source: buNtKcYHCa.exe	String found in binary or memory: Distribution of individual non-GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total non-GC-related stop-the-world time (/sched/pauses/total/other:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.GC cycle the last time the GC CPU limiter was enabled. This metric is useful for diagnosing the root cause of an out-of-memory error, because the limiter trades memory for CPU time when the GC's CPU time gets too high. This is most likely to occur with use of SetMemoryLimit. The first GC cycle is cycle 1, so a value of 0 indicates that it was never enabled.Distribution of individual GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.Estimated total CPU time spent performing GC tasks on spare CPU resources that the Go scheduler could not otherwise find a use for. This should be subtracted from the total GC CPU time to obtain a measure of compulsory GC CPU time. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total available CPU time for user Go code or the Go runtime, as defined by GOMAXPROCS. In other words, GOMAXPROCS integrated over the wall-clock duration this process has been executing for. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics. Sum of all metrics in /cpu/classes.Stack memory allocated by the underlying operating system. In non-cgo programs this metric is currently zero. This may change in the future.In cgo programs this metric includes OS thread stacks allocated directly from the OS. Currently, this only accounts for one stack in c-shared and c-archive build modes, and other sources of stacks from the OS are not measured. This too may change in the future.Estimated total CPU time spent with the application paused by the GC. Even if only one thread is running during the pause, this is computed as GOMAXPROCS times the pause latency because nothing else can be executing. This is the exact sum of samples in /sched/pauses/total/gc:seconds if each sample is multiplied by GOMAXPROCS at the time it is taken. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.TokenNilTokenNewlineTokenBangTokenPercentTokenBitwiseAndTokenApostropheTokenOParenTokenCParenTokenStarTokenPlusTokenCommaTokenMinusTokenDotTokenSlashTokenColonTokenSemicolonTokenLessThanTokenEqualTokenGreaterThanTokenQuestionTokenCommentTokenOHeredocTokenIdentTokenNumberLitTokenQuotedLitTokenStri
Source: buNtKcYHCa.exe	String found in binary or memory: depgithub.com/mmcloughlin/addchainv0.4.0h1:SobOdjm2xLj1KkXN5/n0xTIWyZA2+s99UCY1iPfkHRY=
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Equal
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.EqualInt64
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Pow2
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.One
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Mask
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Ones
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigints.Contains
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigints.Index
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Clone
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigints.Clone
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).AppendClone
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Clone
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Chain.End
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Ops
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Op
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Program
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigint.Zero
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Validate
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Produces
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Chain.Superset
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Chain.IsAscending
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Op.IsDouble
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Op.Operands
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Op.Uses
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Shift
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Double
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Add
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Program.boundscheck
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Program.Doubles
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Program.Count
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Program.Adds
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Program.Evaluate
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.New
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Program.ReadCounts
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.Program.Dependencies
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Clone
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).End
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).IsAscending
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Op
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Ops
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Produces
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Program
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Superset
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Chain).Validate
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Op).IsDouble
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Op).Operands
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Op).Uses
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Adds
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Count
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Dependencies
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Doubles
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).Evaluate
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain.(*Program).ReadCounts
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Program).AddInstruction
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Program.Output
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Program.Clone
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Instruction.Clone
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Operand.Clone
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Program.String
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Operand.String
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Instruction.Operands
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Instruction.String
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Add.Inputs
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Add.Clone
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Add.String
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Double.Inputs
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Double.Clone
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Double.String
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Shift.Inputs
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Shift.Clone
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.Shift.String
Source: buNtKcYHCa.exe	String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/acc/ir.Operand
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Operand).Clone
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Operand).String
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Instruction).Clone
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Instruction).Operands
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Instruction).String
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Program).Clone
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Program).Output
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Program).String
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Add).Clone
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Add).Inputs
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Add).String
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Double).Clone
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Double).Inputs
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Double).String
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Shift).Clone
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Shift).Inputs
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ir.(*Shift).String
Source: buNtKcYHCa.exe	String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/acc/ir.Instruction
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/errutil.AssertionFailure
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).Linef
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).NL
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).Printf
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).SetError
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.NewTabWriter
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.New
Source: buNtKcYHCa.exe	String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/internal/print.Printer
Source: buNtKcYHCa.exe	String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/internal/print.TabWriter
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ast.Identifier.Precedence
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/ast.(*Identifier).Precedence
Source: buNtKcYHCa.exe	String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/acc/ast.Statement
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.NameBinaryValues
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.NameOperands
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.NameBinaryRuns
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init.NameBinaryRuns.NameOperands.func4
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init.NameBinaryRuns.func2
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init.NameBinaryValues.NameOperands.func3
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.init.NameBinaryValues.func1
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Compile
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/errutil.UnexpectedType
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Eval
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Func.Execute
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Exec
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Concat
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.Exec.Concat.func1
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.CanonicalizeOperands
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/acc/pass.(*Func).Execute
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/bigvector.init
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/meta.init
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).CheckCitable
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).IsRelease
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).WriteCitation
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).ReleaseTime
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).Title
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).WriteCitation.func2
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).WriteCitation.func1
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).RepositoryURL
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).Module
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).DOIURL
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/meta.doiurl
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*TabWriter).Flush
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/internal/print.(*Printer).Error
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).Citation
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).ReleaseTag
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).ReleaseURL
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain/meta.(*Properties).ConceptDOIURL
Source: buNtKcYHCa.exe	String found in binary or memory: type:.eq.github.com/mmcloughlin/addchain/meta.Properties
Source: buNtKcYHCa.exe	String found in binary or memory: net/addrselect.go
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/bigint/bigint.go
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/bigints/bigints.go
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/chain.go
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/program.go
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/ir/ir.go
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/errutil/errutil.go
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/print/printer.go
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/ast/ast.go
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/pass/naming.go
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/pass/eval.go
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/acc/pass/pass.go
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/internal/bigvector/bigvector.go
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/meta/meta.go
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/mmcloughlin/addchain@v0.4.0/meta/cite.go
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/decred/dcrd/dcrec/secp256k1/v4@v4.0.1/loadprecomputed.go
Source: buNtKcYHCa.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go

Source: C:\Users\user\Desktop\buNtKcYHCa.exe

File read: C:\Users\user\Desktop\buNtKcYHCa.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\buNtKcYHCa.exe "C:\Users\user\Desktop\buNtKcYHCa.exe"
Source: C:\Users\user\Desktop\buNtKcYHCa.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\buNtKcYHCa.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\buNtKcYHCa.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\buNtKcYHCa.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\buNtKcYHCa.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior

Source: buNtKcYHCa.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: buNtKcYHCa.exe

Static file information: File size 20195328 > 1048576

Source: buNtKcYHCa.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x8f5600
Source: buNtKcYHCa.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x966400

Source: buNtKcYHCa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: buNtKcYHCa.exe, 00000000.00000002.1472271900.0000000002EA6000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: buNtKcYHCa.exe, 00000000.00000002.1472271900.0000000002EA6000.00000004.00001000.00020000.00000000.sdmp

Source: buNtKcYHCa.exe

Static PE information: section name: .symtab

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_032DB928 pushad ; ret

3_2_032DB929

Source: C:\Users\user\Desktop\buNtKcYHCa.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3232	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3284	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: BitLockerToGo.exe, 00000003.00000003.1486947718.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW>V
Source: BitLockerToGo.exe, 00000003.00000003.1486947718.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1487546926.000000000360C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: buNtKcYHCa.exe, 00000000.00000002.1471400938.000000000266C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_03302710 LdrInitializeThunk,

3_2_03302710

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\buNtKcYHCa.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32C0000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\buNtKcYHCa.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32C0000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: buNtKcYHCa.exe, 00000000.00000002.1471620699.0000000002C5E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: offybirhtdi.sbs
Source: buNtKcYHCa.exe, 00000000.00000002.1471620699.0000000002C5E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: activedomest.sbs
Source: buNtKcYHCa.exe, 00000000.00000002.1471620699.0000000002C5E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: arenbootk.sbs
Source: buNtKcYHCa.exe, 00000000.00000002.1471620699.0000000002C5E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: mediavelk.sbs
Source: buNtKcYHCa.exe, 00000000.00000002.1471620699.0000000002C5E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: definitib.sbs
Source: buNtKcYHCa.exe, 00000000.00000002.1471620699.0000000002C5E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: elaboretib.sbs
Source: buNtKcYHCa.exe, 00000000.00000002.1471620699.0000000002C5E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: strikebripm.sbs
Source: buNtKcYHCa.exe, 00000000.00000002.1471620699.0000000002C5E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ostracizez.sbs

Writes to foreign memory regions

Source: C:\Users\user\Desktop\buNtKcYHCa.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 300D008	Jump to behavior
Source: C:\Users\user\Desktop\buNtKcYHCa.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32C0000	Jump to behavior
Source: C:\Users\user\Desktop\buNtKcYHCa.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32C1000	Jump to behavior
Source: C:\Users\user\Desktop\buNtKcYHCa.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3308000	Jump to behavior
Source: C:\Users\user\Desktop\buNtKcYHCa.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 330B000	Jump to behavior
Source: C:\Users\user\Desktop\buNtKcYHCa.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 331B000	Jump to behavior

Source: C:\Users\user\Desktop\buNtKcYHCa.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Jump to behavior

Source: C:\Users\user\Desktop\buNtKcYHCa.exe	Queries volume information: C:\Users\user\Desktop\buNtKcYHCa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buNtKcYHCa.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buNtKcYHCa.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buNtKcYHCa.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buNtKcYHCa.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buNtKcYHCa.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 0.2.buNtKcYHCa.exe.3182000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.buNtKcYHCa.exe.3182000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.buNtKcYHCa.exe.2e18000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.buNtKcYHCa.exe.2e18000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.BitLockerToGo.exe.32c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1472271900.0000000002E18000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 0.2.buNtKcYHCa.exe.3182000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.buNtKcYHCa.exe.3182000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.buNtKcYHCa.exe.2e18000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.buNtKcYHCa.exe.2e18000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.BitLockerToGo.exe.32c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1472271900.0000000002E18000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
buNtKcYHCa.exe	24%	ReversingLabs	Win32.Trojan.LummaStealer

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://player.vimeo.com	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	true	unknown
mediavelk.sbs	unknown	unknown	true	unknown
activedomest.sbs	unknown	unknown	true	unknown
ostracizez.sbs	unknown	unknown	true	unknown
definitib.sbs	unknown	unknown	true	unknown
strikebripm.sbs	unknown	unknown	true	unknown
arenbootk.sbs	unknown	unknown	true	unknown
offybirhtdi.sbs	unknown	unknown	true	unknown
elaboretib.sbs	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
strikebripm.sbs	true	unknown
ostracizez.sbs	true	unknown
offybirhtdi.sbs	true	unknown
mediavelk.sbs	true	unknown
https://steamcommunity.com/profiles/76561199724331900	true	unknown
definitib.sbs	true	unknown
elaboretib.sbs	true	unknown
activedomest.sbs	true	unknown
arenbootk.sbs	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://doi.org/GTB	buNtKcYHCa.exe	false		unknown
https://steamcommunity.com/my/wishlist/	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://player.vimeo.com	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/?subsection=broadcasts	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/en/	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/market/	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/golang/protobuf/issues/1609):	buNtKcYHCa.exe	false		unknown
https://store.steampowered.com/subscriber_agreement/	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1487546926.000000000360C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://recaptcha.net/recaptcha/;	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.valvesoftware.com/legal.htm	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.youtube.com	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://liveinternet.club	buNtKcYHCa.exe	false		unknown
https://www.google.com	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://medal.tv	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/steam_refunds/	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://s.ytimg.com;	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://liveinternet.clubh	buNtKcYHCa.exe	false		unknown
https://steam.tv/	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=W9BX	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/privacy_agreement/	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/points/shop/	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cb4a621662dea893	BitLockerToGo.exe, 00000003.00000003.1486947718.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=e	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sketchfab.com	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:27060	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/privacy_agreement/	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/&&	BitLockerToGo.exe, 00000003.00000003.1486585764.000000000361E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1487667734.000000000361E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/account/cookiepreferences/	BitLockerToGo.exe, 00000003.00000003.1486536395.0000000003695000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003617000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/go-sql-driver/mysql/wiki/strict-modetable	buNtKcYHCa.exe	false		unknown
https://store.steampowered.com/mobile	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/;	BitLockerToGo.exe, 00000003.00000003.1486883970.0000000003664000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486947718.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003654000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1488710149.0000000003664000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/publi	BitLockerToGo.exe, 00000003.00000002.1487546926.000000000360C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/x	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486947718.0000000003634000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1486585764.0000000003632000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/about/	BitLockerToGo.exe, 00000003.00000003.1486536395.000000000369B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/	BitLockerToGo.exe, 00000003.00000002.1488558833.0000000003654000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544505
Start date and time:	2024-10-29 14:16:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	buNtKcYHCa.exe renamed because original name is a hash value
Original Sample Name:	0680170d17b99321500944eb7deded51.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@10/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 79% Number of executed functions: 10 Number of non-executed functions: 109
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target buNtKcYHCa.exe, PID 1240 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: buNtKcYHCa.exe

Simulations

Behavior and APIs

Time	Type	Description
09:17:29	API Interceptor	3x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	yt5xqAvHnZ.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	SecuriteInfo.com.Trojan.TR.Redcap.cdtxw.10783.3124.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	9yJSTTEg68.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	Jo Smalley shared _Harbour Healthcare Ltd Project_ with you..eml	Get hash	malicious	HTMLPhisher	Browse	184.28.90.27
	Jo Smalley shared _Harbour Healthcare Ltd Project_ with you..eml	Get hash	malicious	HTMLPhisher	Browse	184.28.90.27
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	96.17.237.137
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	23.47.50.150
	JVLkkfzSKW.exe	Get hash	malicious	Stealc, Vidar	Browse	23.47.50.145
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	104.93.21.152
	https://apollomicsinc-my.sharepoint.com/:u:/p/peony_yu/EThcAjzaTWNPs4NpIP1X0v0BUe4pmKNB9s6TANBDk5EDeA?rtime=8VndtY_33Eg	Get hash	malicious	HtmlDropper	Browse	2.19.126.199
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	23.192.223.230
	main.exe	Get hash	malicious	Unknown	Browse	184.28.90.27
	https://teams.microsoft.com/l/meetup-join/19%3ameeting_MjMzOWVkZWYtYzg2MC00YjYzLWE5MmItMTA0OTE2MWJkOWYw%40thread.v2/0?context=%7b%22Tid%22%3a%2211d0e217-264e-400a-8ba0-57dcc127d72d%22%2c%22Oid%22%3a%2220d61d95-c7cb-4170-b8c4-9ea749bac872%22%7d	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	2.19.126.151

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ST007 SWIFT CONFIRMATION.xls	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.493216683810929
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	buNtKcYHCa.exe
File size:	20'195'328 bytes
MD5:	0680170d17b99321500944eb7deded51
SHA1:	e7f95862d8e68584087acee5207dde9d81d544af
SHA256:	d4a2d9c10babdabd7bf16ee4773da3f82951c5741a682db002820deb6ff5eafd
SHA512:	d5f3c3de6ab48749c686686440affedeb8f9af272d8a3f50d4144dfb62fcfb43f4b501d13a156498b72a176d527ece6af4c27efa5c44e63b90d92a0c837daa2a
SSDEEP:	196608:4ce3WrKkBP/xttbTk6v69c6rW+s0Sq+eHJMI0/:4cLf1xtt165rjRMz/
TLSH:	19173B41FDCB88F2D9475832449B722F63305D058B25CBDBFB45BA2AE837AE50977206
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........4..............V..........pb........%...@...........................:......e4...@................................

File Icon


Icon Hash:	5969696471717109

Static PE Info

General

Entrypoint:	0x476270
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	4f2f006e2ecf7172ad368f8289dc96c1

Entrypoint Preview

Instruction
jmp 00007F4310BFD5E0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007F4310BE0B96h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
add eax, 00000BA0h
mov dword ptr [edx+08h], eax
mov dword ptr [edx+0Ch], eax
lea edi, dword ptr [ecx+34h]
mov dword ptr [edx+18h], ecx
mov dword ptr [edi], edx
mov dword ptr [esp+04h], edi
call 00007F4310BFFA74h
cld
call 00007F4310BFEACEh
call 00007F4310BFD709h
add esp, 08h
ret
jmp 00007F4310BFF920h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ebx, dword ptr [esp+04h]
mov ebp, esp
mov dword ptr fs:[00000034h], 00000000h
mov ecx, dword ptr [ebx+04h]
cmp ecx, 00000000h
je 00007F4310BFF921h
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x133a000	0x45e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13a8000	0x1091	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x133b000	0x6b4e2	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x125fda0	0xb8	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8f55e8	0x8f5600	a08527b94d6497d7dd5c726995e729f2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f7000	0x9662cc	0x966400	d387382ae028b6c2e7e8ec46097e8a8f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x125e000	0xdb100	0x79a00	a2dc0a261017d139529e9421e9d621e4	False	0.37981757451181913	data	5.7235932930136215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x133a000	0x45e	0x600	523aaad506ad47174854f7c85962ddfb	False	0.3639322916666667	data	4.075488032274871	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x133b000	0x6b4e2	0x6b600	3b6c6c4f3014b4afaa7d548e021c9920	False	0.5723429314610011	data	6.671405720780694	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x13a7000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x13a8000	0x1091	0x1200	de49c4a58530b8c5377997280b2726d6	False	0.4188368055555556	data	4.732340969030496	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x13a8130	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.41335740072202165
RT_GROUP_ICON	0x13a89d8	0x14	data	English	United States	1.1
RT_VERSION	0x13a89ec	0x278	data	Russian	Russia	0.46360759493670883
RT_MANIFEST	0x13a8c64	0x42d	XML 1.0 document, ASCII text, with very long lines (1069), with no line terminators	English	United States	0.5182413470533208

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Russian	Russia

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-29T14:17:30.202315+0100	2056853	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ostracizez .sbs)	1	192.168.2.7	53451	1.1.1.1	53	UDP
2024-10-29T14:17:30.219270+0100	2056850	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strikebripm .sbs)	1	192.168.2.7	50115	1.1.1.1	53	UDP
2024-10-29T14:17:30.231589+0100	2056847	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (elaboretib .sbs)	1	192.168.2.7	49437	1.1.1.1	53	UDP
2024-10-29T14:17:30.244857+0100	2056844	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (definitib .sbs)	1	192.168.2.7	49415	1.1.1.1	53	UDP
2024-10-29T14:17:30.255937+0100	2056841	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mediavelk .sbs)	1	192.168.2.7	52069	1.1.1.1	53	UDP
2024-10-29T14:17:30.267368+0100	2056838	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (arenbootk .sbs)	1	192.168.2.7	63286	1.1.1.1	53	UDP
2024-10-29T14:17:30.280852+0100	2056835	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (activedomest .sbs)	1	192.168.2.7	51494	1.1.1.1	53	UDP
2024-10-29T14:17:30.292936+0100	2056832	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offybirhtdi .sbs)	1	192.168.2.7	59331	1.1.1.1	53	UDP
2024-10-29T14:17:31.806578+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.7	49759	104.102.49.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 14:17:30.319015026 CET	49759	443	192.168.2.7	104.102.49.254
Oct 29, 2024 14:17:30.319042921 CET	443	49759	104.102.49.254	192.168.2.7
Oct 29, 2024 14:17:30.319102049 CET	49759	443	192.168.2.7	104.102.49.254
Oct 29, 2024 14:17:30.322294950 CET	49759	443	192.168.2.7	104.102.49.254
Oct 29, 2024 14:17:30.322307110 CET	443	49759	104.102.49.254	192.168.2.7
Oct 29, 2024 14:17:31.193496943 CET	443	49759	104.102.49.254	192.168.2.7
Oct 29, 2024 14:17:31.193594933 CET	49759	443	192.168.2.7	104.102.49.254
Oct 29, 2024 14:17:31.196417093 CET	49759	443	192.168.2.7	104.102.49.254
Oct 29, 2024 14:17:31.196423054 CET	443	49759	104.102.49.254	192.168.2.7
Oct 29, 2024 14:17:31.196815014 CET	443	49759	104.102.49.254	192.168.2.7
Oct 29, 2024 14:17:31.242307901 CET	49759	443	192.168.2.7	104.102.49.254
Oct 29, 2024 14:17:31.283358097 CET	443	49759	104.102.49.254	192.168.2.7
Oct 29, 2024 14:17:31.806793928 CET	443	49759	104.102.49.254	192.168.2.7
Oct 29, 2024 14:17:31.806844950 CET	443	49759	104.102.49.254	192.168.2.7
Oct 29, 2024 14:17:31.806878090 CET	49759	443	192.168.2.7	104.102.49.254
Oct 29, 2024 14:17:31.806885958 CET	443	49759	104.102.49.254	192.168.2.7
Oct 29, 2024 14:17:31.806905985 CET	443	49759	104.102.49.254	192.168.2.7
Oct 29, 2024 14:17:31.806932926 CET	49759	443	192.168.2.7	104.102.49.254
Oct 29, 2024 14:17:31.806935072 CET	443	49759	104.102.49.254	192.168.2.7
Oct 29, 2024 14:17:31.806952000 CET	443	49759	104.102.49.254	192.168.2.7
Oct 29, 2024 14:17:31.806958914 CET	49759	443	192.168.2.7	104.102.49.254
Oct 29, 2024 14:17:31.806978941 CET	49759	443	192.168.2.7	104.102.49.254
Oct 29, 2024 14:17:31.806994915 CET	49759	443	192.168.2.7	104.102.49.254
Oct 29, 2024 14:17:31.925003052 CET	443	49759	104.102.49.254	192.168.2.7
Oct 29, 2024 14:17:31.925052881 CET	443	49759	104.102.49.254	192.168.2.7
Oct 29, 2024 14:17:31.925075054 CET	49759	443	192.168.2.7	104.102.49.254
Oct 29, 2024 14:17:31.925082922 CET	443	49759	104.102.49.254	192.168.2.7
Oct 29, 2024 14:17:31.925116062 CET	49759	443	192.168.2.7	104.102.49.254
Oct 29, 2024 14:17:31.925226927 CET	443	49759	104.102.49.254	192.168.2.7
Oct 29, 2024 14:17:31.925273895 CET	49759	443	192.168.2.7	104.102.49.254
Oct 29, 2024 14:17:31.927331924 CET	49759	443	192.168.2.7	104.102.49.254
Oct 29, 2024 14:17:31.927339077 CET	443	49759	104.102.49.254	192.168.2.7
Oct 29, 2024 14:17:31.927347898 CET	49759	443	192.168.2.7	104.102.49.254
Oct 29, 2024 14:17:31.927352905 CET	443	49759	104.102.49.254	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 14:17:30.202315092 CET	53451	53	192.168.2.7	1.1.1.1
Oct 29, 2024 14:17:30.212682009 CET	53	53451	1.1.1.1	192.168.2.7
Oct 29, 2024 14:17:30.219269991 CET	50115	53	192.168.2.7	1.1.1.1
Oct 29, 2024 14:17:30.229273081 CET	53	50115	1.1.1.1	192.168.2.7
Oct 29, 2024 14:17:30.231589079 CET	49437	53	192.168.2.7	1.1.1.1
Oct 29, 2024 14:17:30.242261887 CET	53	49437	1.1.1.1	192.168.2.7
Oct 29, 2024 14:17:30.244857073 CET	49415	53	192.168.2.7	1.1.1.1
Oct 29, 2024 14:17:30.254585028 CET	53	49415	1.1.1.1	192.168.2.7
Oct 29, 2024 14:17:30.255937099 CET	52069	53	192.168.2.7	1.1.1.1
Oct 29, 2024 14:17:30.265861988 CET	53	52069	1.1.1.1	192.168.2.7
Oct 29, 2024 14:17:30.267368078 CET	63286	53	192.168.2.7	1.1.1.1
Oct 29, 2024 14:17:30.277642012 CET	53	63286	1.1.1.1	192.168.2.7
Oct 29, 2024 14:17:30.280852079 CET	51494	53	192.168.2.7	1.1.1.1
Oct 29, 2024 14:17:30.291467905 CET	53	51494	1.1.1.1	192.168.2.7
Oct 29, 2024 14:17:30.292936087 CET	59331	53	192.168.2.7	1.1.1.1
Oct 29, 2024 14:17:30.303056955 CET	53	59331	1.1.1.1	192.168.2.7
Oct 29, 2024 14:17:30.304874897 CET	61785	53	192.168.2.7	1.1.1.1
Oct 29, 2024 14:17:30.313237906 CET	53	61785	1.1.1.1	192.168.2.7
Oct 29, 2024 14:17:42.919289112 CET	58455	53	192.168.2.7	1.1.1.1
Oct 29, 2024 14:17:42.927695990 CET	53	58455	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 14:17:30.202315092 CET	192.168.2.7	1.1.1.1	0xba81	Standard query (0)	ostracizez.sbs	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:30.219269991 CET	192.168.2.7	1.1.1.1	0x89fc	Standard query (0)	strikebripm.sbs	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:30.231589079 CET	192.168.2.7	1.1.1.1	0x353f	Standard query (0)	elaboretib.sbs	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:30.244857073 CET	192.168.2.7	1.1.1.1	0x33d7	Standard query (0)	definitib.sbs	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:30.255937099 CET	192.168.2.7	1.1.1.1	0xafff	Standard query (0)	mediavelk.sbs	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:30.267368078 CET	192.168.2.7	1.1.1.1	0xa9a3	Standard query (0)	arenbootk.sbs	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:30.280852079 CET	192.168.2.7	1.1.1.1	0x8a80	Standard query (0)	activedomest.sbs	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:30.292936087 CET	192.168.2.7	1.1.1.1	0x7eda	Standard query (0)	offybirhtdi.sbs	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:30.304874897 CET	192.168.2.7	1.1.1.1	0xeea2	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:42.919289112 CET	192.168.2.7	1.1.1.1	0xdf64	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 14:17:30.212682009 CET	1.1.1.1	192.168.2.7	0xba81	Name error (3)	ostracizez.sbs	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:30.229273081 CET	1.1.1.1	192.168.2.7	0x89fc	Name error (3)	strikebripm.sbs	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:30.242261887 CET	1.1.1.1	192.168.2.7	0x353f	Name error (3)	elaboretib.sbs	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:30.254585028 CET	1.1.1.1	192.168.2.7	0x33d7	Name error (3)	definitib.sbs	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:30.265861988 CET	1.1.1.1	192.168.2.7	0xafff	Name error (3)	mediavelk.sbs	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:30.277642012 CET	1.1.1.1	192.168.2.7	0xa9a3	Name error (3)	arenbootk.sbs	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:30.291467905 CET	1.1.1.1	192.168.2.7	0x8a80	Name error (3)	activedomest.sbs	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:30.303056955 CET	1.1.1.1	192.168.2.7	0x7eda	Name error (3)	offybirhtdi.sbs	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:30.313237906 CET	1.1.1.1	192.168.2.7	0xeea2	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:17:42.927695990 CET	1.1.1.1	192.168.2.7	0xdf64	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49759	104.102.49.254	443	1528	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 13:17:31 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-29 13:17:31 UTC	1917	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 29 Oct 2024 13:17:31 GMT Content-Length: 26105 Connection: close Set-Cookie: sessionid=39815ef0c60c9a8065487d53; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cb4a621662dea893af1b461ce15baa4ea; Path=/; Secure; HttpOnly; SameSite=None
2024-10-29 13:17:31 UTC	14467	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-29 13:17:31 UTC	11638	IN	Data Raw: 22 3f 6c 3d 74 63 68 69 6e 65 73 65 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 63 68 69 6e 65 73 65 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e7 b9 81 e9 ab 94 e4 b8 ad e6 96 87 20 28 54 72 61 64 69 74 69 6f 6e 61 6c 20 43 68 69 6e 65 73 65 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 6a 61 70 61 6e 65 73 65 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6a 61 70 61 6e 65 73 65 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e6 97 a5 e6 9c ac e8 aa 9e 20 28 4a Data Ascii: "?l=tchinese" onclick="ChangeLanguage( 'tchinese' ); return false;"> (Traditional Chinese)</a><a class="popup_menu_item tight" href="?l=japanese" onclick="ChangeLanguage( 'japanese' ); return false;"> (J

Target ID:	0
Start time:	09:17:12
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\buNtKcYHCa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\buNtKcYHCa.exe"
Imagebase:	0xb00000
File size:	20'195'328 bytes
MD5 hash:	0680170D17B99321500944EB7DEDED51
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1475000869.0000000003282000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1475000869.0000000003182000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1472271900.0000000002E18000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1475000869.00000000030D6000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:17:23
Start date:	29/10/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0x450000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 00B3ED20 Relevance: 11.4, Strings: 9, Instructions: 189COMMON

Download Yara Rule

Strings

runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 00B3EF8E
runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!crypto/rsa: public exponent too smallcrypto/rsa: public exponent too largec, xrefs: 00B3F078
%, xrefs: 00B3F081
VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timercrypto/rsa: missing public modulusadding nil Certificate to CertPoolx509: unknown public k, xrefs: 00B3EFC2
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocrypto/rsa: message too long for RSA key sizex509: IP constraint contained inval, xrefs: 00B3F044
) @s -> Pn=][}]i)> + %!)(tvrRuUeEaAlLsS01bBoOxX+-nNiIfFpPip53])%v, xrefs: 00B3EF4C
runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocrypto/rsa: message too long for RSA key sizex509: IP constraint contained invalid mask %xx509: certificate signed by unknown, xrefs: 00B3EFE9
CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=x509: X25519 key encoded with illegal parametersx509: SAN uniformResourceIdentifier is malformedx509: IP constraint , xrefs: 00B3F01D
bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchECDSA-SHA256ECDSA-SHA384ECDSA-SHA512%!(BADWIDTH)short buffermultipat, xrefs: 00B3EF67

Memory Dump Source

Source File: 00000000.00000002.1468689106.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.1468669619.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469349340.00000000013F7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469349340.0000000001794000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1469349340.0000000001797000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470336488.0000000001D5E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470354435.0000000001D5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470384162.0000000001D63000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470413162.0000000001D64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470457305.0000000001D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470482274.0000000001D69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470516525.0000000001D6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470564373.0000000001DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470585261.0000000001DBE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470604354.0000000001DC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470627878.0000000001DCC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470647632.0000000001DCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470674110.0000000001DD5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470698593.0000000001DD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470698593.0000000001DE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470698593.0000000001E1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470698593.0000000001E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470698593.0000000001E31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470827644.0000000001E3A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470849314.0000000001E3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1470849314.0000000001EA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_buNtKcYHCa.jbxd

Similarity

API ID:
String ID: %$) @s -> Pn=][}]i)> + %!)(tvrRuUeEaAlLsS01bBoOxX+-nNiIfFpPip53])%v$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=x509: X25519 key encoded with illegal parametersx509: SAN uniformResourceIdentifier is malformedx509: IP constraint $VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timercrypto/rsa: missing public modulusadding nil Certificate to CertPoolx509: unknown public k$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchECDSA-SHA256ECDSA-SHA384ECDSA-SHA512%!(BADWIDTH)short buffermultipat$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocrypto/rsa: message too long for RSA key sizex509: IP constraint contained inval$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!crypto/rsa: public exponent too smallcrypto/rsa: public exponent too largec$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocrypto/rsa: message too long for RSA key sizex509: IP constraint contained invalid mask %xx509: certificate signed by unknown$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
API String ID: 0-2781843799
Opcode ID: 90519e42d41df18e0fc4ecad73f82571148ac4bca182dc0271a7ea899ef21e19
Instruction ID: fe04766c6ebce9f7401dd3f37b85902fe8b4ea51eaa700c357664001b442f96b
Opcode Fuzzy Hash: 90519e42d41df18e0fc4ecad73f82571148ac4bca182dc0271a7ea899ef21e19
Instruction Fuzzy Hash: 6091EFB45087018FD350EF68D095B1ABBF0FF88704F1189ADE4988B382D775EA89DB52

Analysis Process: BitLockerToGo.exePID: 1528, Parent PID: 1240COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	42%
Total number of Nodes:	88
Total number of Limit Nodes:	5

Executed Functions

Function 032CEE20 Relevance: 13.3, Strings: 10, Instructions: 762
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

u;q9, xrefs: 032CF291
g!~_, xrefs: 032CEF53
@-+, xrefs: 032CEF35
!m%k, xrefs: 032CEFD5
L3, xrefs: 032CF919
v%r#, xrefs: 032CEF49
yw, xrefs: 032CEFB7
#i4g, xrefs: 032CEFDF
+e(c, xrefs: 032CEFE9
y)v', xrefs: 032CEF3F

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: !m%k$#i4g$+e(c$@-+$L3$g!~_$u;q9$v%r#$y)v'$yw
API String ID: 0-1298823376
Opcode ID: 2242a72e13816b168384be7e9255a5732a9f2275d881646d545aedfbdef435cc
Instruction ID: e552125a86c8bf086e1f92ea8fccc6b81c7260c54a6232407677948dbf354b0f
Opcode Fuzzy Hash: 2242a72e13816b168384be7e9255a5732a9f2275d881646d545aedfbdef435cc
Instruction Fuzzy Hash: 3D420EB1514B41DFE3209F25D8907ABBBF9FF85314F04892CE5A68B694DBB8A445CF40

Function 032CF490 Relevance: 11.8, Strings: 9, Instructions: 528
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

v%r#, xrefs: 032CF510
@-+, xrefs: 032CF500
!m%k, xrefs: 032CF59B
g!~_, xrefs: 032CF518
yw, xrefs: 032CF57A
y)v', xrefs: 032CF508
L3, xrefs: 032CF919
#i4g, xrefs: 032CF5A6
+e(c, xrefs: 032CF5B1

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: !m%k$#i4g$+e(c$@-+$L3$g!~_$v%r#$y)v'$yw
API String ID: 0-2850119623
Opcode ID: 3340c19979f205b11d70237505eb8f89bdb216825b58514a52207f1b7d91f223
Instruction ID: cb57d5254b4cff7f74b834451481d9c8a16b08d8a78ab6877667321225218ee6
Opcode Fuzzy Hash: 3340c19979f205b11d70237505eb8f89bdb216825b58514a52207f1b7d91f223
Instruction Fuzzy Hash: 3B02BBB1518381DFD3209F65E8907ABBBE9FF85304F05892DE68A8B258EB748445CF52

Function 03302710 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(033065F2,?,00000004,?,?,00000018,?), ref: 0330273E

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ad932b2b00559e9cb24108de1499e2b8809661d28f6ef4b94d1e3dfa2d030c47
Instruction ID: 88b266f08c8d8dc656098dc4a5309144cffe720ba9f358246b073a6e310c2786
Opcode Fuzzy Hash: ad932b2b00559e9cb24108de1499e2b8809661d28f6ef4b94d1e3dfa2d030c47
Instruction Fuzzy Hash: 47E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 032CDE90 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16aaee9b43a828b4bbeb16bc173d74767164ee81feb1bcbfc01f289c2991580e
Instruction ID: a8d5106850c4dd05f4c0942c73c20c0d4347071ec57e65af8f398f4715a293d1
Opcode Fuzzy Hash: 16aaee9b43a828b4bbeb16bc173d74767164ee81feb1bcbfc01f289c2991580e
Instruction Fuzzy Hash: CA412B75C143009FE301EF15EC915FABBF9E78A316F59852CE5882B255E7B54801CFA1

Function 032CCED0 Relevance: 6.0, APIs: 4, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 032CCF15
GetForegroundWindow.USER32 ref: 032CCF1B
GetCurrentProcessId.KERNEL32 ref: 032CCF25
ExitProcess.KERNEL32 ref: 032CCF45

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: CurrentProcess$ExitForegroundThreadWindow
String ID:
API String ID: 3118123366-0
Opcode ID: 18187af493fac025a4b1eb8b6efebb4ebcd3fb33b29ea53c78443f824ef50861
Instruction ID: 766dc54c907ef2f781126d53d96c31004e2f8caecb390774c3689b8f3facc510
Opcode Fuzzy Hash: 18187af493fac025a4b1eb8b6efebb4ebcd3fb33b29ea53c78443f824ef50861
Instruction Fuzzy Hash: 1AF0E93443439197C610FB74B19C39DB7985F56349F08995ED9C9CB298EA6840C7C763

Function 03302630 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 033026CC

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b7172bdbf1603cf0a31da13962f5d1534c31b1c7ef9961a28563b15043442f68
Instruction ID: 336e46c2a7159a7cf5b02abab025d48540d4100db30f5f1183901e014da34bb5
Opcode Fuzzy Hash: b7172bdbf1603cf0a31da13962f5d1534c31b1c7ef9961a28563b15043442f68
Instruction Fuzzy Hash: 12115BB6B083068FD304DE64EDD4767B75EFBC9304F084938D9C897641D5F598458751

Function 032FF710 Relevance: 1.5, APIs: 1, Instructions: 47
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 032FF76A

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: bbd0a4c12baa71cfb9f230a7c00879d2f1f50d6aa9558d9a0e4d45c70121557d
Instruction ID: 27d51db13996dbf733af2baf085f7c8b44bdf68ca3894d99815cb55904549f32
Opcode Fuzzy Hash: bbd0a4c12baa71cfb9f230a7c00879d2f1f50d6aa9558d9a0e4d45c70121557d
Instruction Fuzzy Hash: D4F0277460A2509FE7085B78ACA1A3BBBD8EF56325F28057DE582936A0C6615C11CA81

Function 032FF6A0 Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,00000000,?,?,033026DA), ref: 032FF6ED

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9b853f376cf9d2e7636980395d87568e75d35cb6481d0efe3e2588d2ecb6712b
Instruction ID: ff01f0fad7ec22a5534975c2289ac547ed8fc2570bbeb0435f029ad104142f46
Opcode Fuzzy Hash: 9b853f376cf9d2e7636980395d87568e75d35cb6481d0efe3e2588d2ecb6712b
Instruction Fuzzy Hash: 5AF0E5B02893889FD31D9E20CC90BBB7B99EB99354F28096CE59587B92C6690C41CB80

Function 03302C8A Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 03302CC0

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ab8a434edf74e203035b0c8b416c44d8042db6702b206c7db1f1c6a969cd18db
Instruction ID: 98afab63e2c46411f7a0489272cd2cd4b2c42afbabbf863833928b13fa04519d
Opcode Fuzzy Hash: ab8a434edf74e203035b0c8b416c44d8042db6702b206c7db1f1c6a969cd18db
Instruction Fuzzy Hash: 95F0A076A155418FEB05EF38E8EA96B77E4EB17324B080966D152C72C2D63494C2CF41

Function 033029E6 Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 03302CC0

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: acd72d36e335b3f1a371e3a31f8c7d19c7e07da360da77498b1747b6db34fc5f
Instruction ID: 48901a3d44d84834f5d9ee54a9751aead0133c3a4d32ccc31822caf75efe99af
Opcode Fuzzy Hash: acd72d36e335b3f1a371e3a31f8c7d19c7e07da360da77498b1747b6db34fc5f
Instruction Fuzzy Hash: 14E04F7AA15600DFCB08EF54F4E69AA73B8FB0D315F14441AE552E7785C7306981CF21

Non-executed Functions

Function 032FB91D Relevance: 71.6, Strings: 57, Instructions: 312COMMON

Download Yara Rule

Strings

], xrefs: 032FBAA3
{, xrefs: 032FBC05
u, xrefs: 032FB961
e, xrefs: 032FBC1D
y, xrefs: 032FB96F
o, xrefs: 032FBA5D
U, xrefs: 032FBB5D
q, xrefs: 032FBD69
=, xrefs: 032FBAF7
M, xrefs: 032FBBBD
(, xrefs: 032FBB05
b, xrefs: 032FBD49
r, xrefs: 032FBB69
G, xrefs: 032FBB95
x, xrefs: 032FB9A7
I, xrefs: 032FBBCD
K, xrefs: 032FBBC5
s, xrefs: 032FBBE5
L, xrefs: 032FBB29
w, xrefs: 032FB98B
", xrefs: 032FBAE9
k, xrefs: 032FB937
Q, xrefs: 032FBB6D
x, xrefs: 032FBD61
e, xrefs: 032FBA87
f, xrefs: 032FBC19
9, xrefs: 032FBB39
O, xrefs: 032FBBB5
q, xrefs: 032FBBED
S, xrefs: 032FBB65
}, xrefs: 032FBBFD
y, xrefs: 032FBC0D
m, xrefs: 032FBD41
h, xrefs: 032FBBD1
Y, xrefs: 032FBB8D
[, xrefs: 032FBB85
C, xrefs: 032FBBA5
i, xrefs: 032FBA33
A, xrefs: 032FBBAD
u, xrefs: 032FBBDD
W, xrefs: 032FBB55
s, xrefs: 032FBADB
g, xrefs: 032FBC15
F, xrefs: 032FBB49
t, xrefs: 032FB9B5
a, xrefs: 032FB953
0, xrefs: 032FB929
], xrefs: 032FBB7D
|, xrefs: 032FBD51
E, xrefs: 032FBB9D
u, xrefs: 032FBAB1
8, xrefs: 032FBB41
_, xrefs: 032FBB75
b, xrefs: 032FBBA9
:, xrefs: 032FBB13
w, xrefs: 032FBBD5
;, xrefs: 032FBB31

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "$($0$8$9$:$;$=$A$C$E$F$G$I$K$L$M$O$Q$S$U$W$Y$[$]$]$_$a$b$b$e$e$f$g$h$i$k$m$o$q$q$r$s$s$t$u$u$u$w$w$x$x$y$y${$|$}
API String ID: 0-2883926043
Opcode ID: 0766c307eb4ef46f15e8fa6717d216778f926f4d3ed78e15e737359724365956
Instruction ID: c4fc73d93e0b0d15913281655f4d6592d954990d55eaf4ab322a3d979af0437a
Opcode Fuzzy Hash: 0766c307eb4ef46f15e8fa6717d216778f926f4d3ed78e15e737359724365956
Instruction Fuzzy Hash: 9BF1FE11D0CBE989DB32C67C4C0878DAE611B67234F0843D9D5F96B3D3C7A90A86CB66

Function 032FACD9 Relevance: 30.3, Strings: 24, Instructions: 288COMMON

Download Yara Rule

Strings

v, xrefs: 032FAF82
g, xrefs: 032FAD16
e, xrefs: 032FAD08
>, xrefs: 032FAF51
<, xrefs: 032FAF48
X, xrefs: 032FAD1D
u, xrefs: 032FAD78
q, xrefs: 032FAD5C
0, xrefs: 032FB09A
A, xrefs: 032FAF92
{, xrefs: 032FAD32
c, xrefs: 032FACFA
{, xrefs: 032FAFA2
w, xrefs: 032FAD86
D, xrefs: 032FAF9A
x, xrefs: 032FAF8A
C, xrefs: 032FAF7A
4, xrefs: 032FACE5
s, xrefs: 032FAD6A
}, xrefs: 032FAD40
y, xrefs: 032FAD24
p, xrefs: 032FB0C5
W, xrefs: 032FAF72
a, xrefs: 032FACEC

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: 0$4$<$>$A$C$D$W$X$a$c$e$g$p$q$s$u$v$w$x$y${${$}
API String ID: 2994545307-2161808528
Opcode ID: 9703308a3547d837fa12d679892cb92fab3a062764927732acd8c0c99d0917ed
Instruction ID: 8c8a4ab474b6b6f6f7b723c781d735cbf46bdcd192cbf235098e8fb1c2848dc6
Opcode Fuzzy Hash: 9703308a3547d837fa12d679892cb92fab3a062764927732acd8c0c99d0917ed
Instruction Fuzzy Hash: EAE16E31D086E98ADB36C63C8C483DDBFB15B52324F0843E8D5A96B3D2D6754A85CB62

Function 032C12D5 Relevance: 16.0, Strings: 12, Instructions: 987COMMON

Download Yara Rule

Strings

0, xrefs: 032C21FF
i, xrefs: 032C2A7E
0000, xrefs: 032C27A5
0, xrefs: 032C2151
0000, xrefs: 032C27AC
0000, xrefs: 032C280E
0000, xrefs: 032C27C8
@, xrefs: 032C29AF
0, xrefs: 032C2449
0000, xrefs: 032C27BA
0000, xrefs: 032C27B3
0000, xrefs: 032C27C1

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$0$0$0000$0000$0000$0000$0000$0000$0000$@$i
API String ID: 0-3385986306
Opcode ID: e050a512fc4fab345c72f258f703b0af27c7ce33dddc13c5a31b27a88f5b3bab
Instruction ID: 0b8835a302b3ddc4b0210827129fc83ff547203e7e14a83a8236b41ca547beb2
Opcode Fuzzy Hash: e050a512fc4fab345c72f258f703b0af27c7ce33dddc13c5a31b27a88f5b3bab
Instruction Fuzzy Hash: 4882C475A39382CFCB19CE18C49031AFBE1AB85704F188E5DE4DA97391DB74D985CB82

Function 032DF8A0 Relevance: 15.3, Strings: 11, Instructions: 1540COMMON

Download Yara Rule

Strings

\CBA, xrefs: 032DFC73
, xrefs: 032E00F7
XtF%, xrefs: 032E0B1F
+Jm, xrefs: 032DFCEC
\_, xrefs: 032E0C27
-"# , xrefs: 032DFA95
45, xrefs: 032E0048
`gfe, xrefs: 032DFCD6
, xrefs: 032E0366
1674, xrefs: 032DFA74
PWVU, xrefs: 032DFC52

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $ $-"# $1674$45$PWVU$XtF%$\CBA$\_$`gfe$+Jm
API String ID: 0-3479896102
Opcode ID: 86c3874089be97c116fffd78b6ad52cef29d07161b66bd74be6e4059cc0a7c5d
Instruction ID: 822fe1aed4b633c3b1107f937ed97da819092248fcec575f746db08fe94c31b5
Opcode Fuzzy Hash: 86c3874089be97c116fffd78b6ad52cef29d07161b66bd74be6e4059cc0a7c5d
Instruction Fuzzy Hash: E2B200715183818BD735CF26C8917ABFBE1EFC6304F58895CE4C98B291D7B49846CB92

Function 032E3330 Relevance: 14.4, Strings: 11, Instructions: 622COMMON

Download Yara Rule

Strings

>:;0, xrefs: 032E3872
,<,(, xrefs: 032E388A
{G, xrefs: 032E338C
b$#., xrefs: 032E389A
%. $, xrefs: 032E3892
@C, xrefs: 032E346C
SW, xrefs: 032E3577
SU, xrefs: 032E358F
j, xrefs: 032E38A9
^Y, xrefs: 032E357F
0", xrefs: 032E38A2

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %. $$,<,($0"$>:;0$@C$SU$SW$^Y$b$#.$j${G
API String ID: 0-588226034
Opcode ID: abc4b716df0b11dbae5213b20e0bbe3e3e8c97e4762e38867cd941af3fdb3e4f
Instruction ID: c85ad5e737c0171b03c1a28aff88bba96386b3e33d6b25cf345e86481c19606b
Opcode Fuzzy Hash: abc4b716df0b11dbae5213b20e0bbe3e3e8c97e4762e38867cd941af3fdb3e4f
Instruction Fuzzy Hash: BC122FB99283918FC710DF28D85166BBBF5AF82304F48896CF5D98B381D775C845CB82

Function 032CD3F0 Relevance: 14.0, Strings: 11, Instructions: 287COMMON

Download Yara Rule

Strings

r}C}, xrefs: 032CD547
fgK6, xrefs: 032CD537
-XnS, xrefs: 032CD527
fd^f, xrefs: 032CD58F
wyEH, xrefs: 032CD557
oRSV, xrefs: 032CD52F
txZf, xrefs: 032CD577
p8&B, xrefs: 032CD54F
}I{@, xrefs: 032CD55F
Za]X, xrefs: 032CD43D
,(^^, xrefs: 032CD51F

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,(^^$-XnS$Za]X$fd^f$fgK6$oRSV$p8&B$r}C}$txZf$wyEH$}I{@
API String ID: 0-470552829
Opcode ID: 9ee0638cf791ae6d5ac550f064677e4fd8b5e0a38782ee2158a426bd98c376ed
Instruction ID: 2b61b46059c8e1ed355d7ae226c0ff7449b9da6757fcb85a68e3fb823b91b08b
Opcode Fuzzy Hash: 9ee0638cf791ae6d5ac550f064677e4fd8b5e0a38782ee2158a426bd98c376ed
Instruction Fuzzy Hash: A591E0715187918BC321CF29C84036BFFE1AF96744F188AADE4D59B352D339C94ACB92

Function 032ECD09 Relevance: 13.0, Strings: 10, Instructions: 452COMMON

Download Yara Rule

Strings

iM:-, xrefs: 032ECF1E
^gfa, xrefs: 032ED1B8
mM:-, xrefs: 032ECF52
L)H+, xrefs: 032ED03C
E!T#, xrefs: 032ED02C
iM:-, xrefs: 032ED1C0
A%J', xrefs: 032ED034
mM:-, xrefs: 032ED1F2
,-, xrefs: 032ED044
\_, xrefs: 032ED0FD

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,-$A%J'$E!T#$L)H+$\_$^gfa$iM:-$iM:-$mM:-$mM:-
API String ID: 0-2966039890
Opcode ID: 5009b8837313c2bbf8bd8730af8f8c3f5726114c671ec645f42c54e24f13639d
Instruction ID: 937ca449974a807a437666efdb02a5e7f44b98f0d1b6f5aeb8a91daeb2f293f9
Opcode Fuzzy Hash: 5009b8837313c2bbf8bd8730af8f8c3f5726114c671ec645f42c54e24f13639d
Instruction Fuzzy Hash: 84C1FEB41283218BD714CF25D86232BB7F1EFD2754F48995CE8D68B394E3748981CB86

Function 032DD667 Relevance: 12.0, Strings: 9, Instructions: 763COMMON

Download Yara Rule

Strings

cgqz, xrefs: 032DDBE2
x|, xrefs: 032DDCB8
f,$(, xrefs: 032DD7CE
/2] , xrefs: 032DD84C, 032DD853
s~{n, xrefs: 032DDC0E
zn|v, xrefs: 032DDBF8
uys9, xrefs: 032DDC97
vmen, xrefs: 032DDBED
xugg, xrefs: 032DDC03

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: /2] $cgqz$f,$($s~{n$uys9$vmen$xugg$x|$zn|v
API String ID: 0-2902742906
Opcode ID: 9375f049865af14ecc9427f41a8d541e012168b26ffbcb29e9c42928eaf4e712
Instruction ID: fbb5455bf0d535a7c30010c475d78b48d5ce3f376d3069d7011fee76b1008ea2
Opcode Fuzzy Hash: 9375f049865af14ecc9427f41a8d541e012168b26ffbcb29e9c42928eaf4e712
Instruction Fuzzy Hash: CB4235B5918381CFC724DF24D8917ABB7E5EF95304F08896DE4C98B395E7709981CB82

Function 032C1000 Relevance: 12.0, Strings: 9, Instructions: 702COMMON

Download Yara Rule

Strings

, xrefs: 032C170C
gfff, xrefs: 032C1D03
gfff, xrefs: 032C1D18
gfff, xrefs: 032C1D75
0123456789abcdefxp, xrefs: 032C13FA, 032C146C
+, xrefs: 032C1CAA
0123456789ABCDEFXP, xrefs: 032C13EC, 032C145F
gfff, xrefs: 032C1DBF
C, xrefs: 032C1DE2

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $+$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff$gfff$C
API String ID: 0-4201920419
Opcode ID: f303635fefa8a7dde81b353bc35b2deb0cda6b4741c572278a67248b83d89412
Instruction ID: 77dedac5c92f521453c0cdbec714c9e31f8859654276c86f11a93ab0817140c9
Opcode Fuzzy Hash: f303635fefa8a7dde81b353bc35b2deb0cda6b4741c572278a67248b83d89412
Instruction Fuzzy Hash: 244208756283D18FD714CE28C49136ABBE2AFC5314F088B6DE4C58B392D779D985CB82

Function 032E0D60 Relevance: 10.3, Strings: 8, Instructions: 336COMMON

Download Yara Rule

Strings

B1nO, xrefs: 032E0EAC
c}, xrefs: 032E1141
`a, xrefs: 032E1056
$%, xrefs: 032E0FB1
DE, xrefs: 032E0EC4
S1Q3, xrefs: 032E0F99
l9E7, xrefs: 032E0F40, 032E0F44, 032E1021, 032E10B7
}z{, xrefs: 032E0E2A

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $%$B1nO$DE$S1Q3$`a$l9E7$c}$}z{
API String ID: 0-3034509644
Opcode ID: 3c38fe80cb103eef676d55b6b097dd31e114c30ddece73473ffe50f367ca2ccd
Instruction ID: 5680406e33402dde26cb68bddc2003ef45e50e29c0dd74c7eeb34dafbf91a2e7
Opcode Fuzzy Hash: 3c38fe80cb103eef676d55b6b097dd31e114c30ddece73473ffe50f367ca2ccd
Instruction Fuzzy Hash: E1B1ED7291C3818FC714DF29D8922ABBBE1EF86354F188D2CE0D58B391D7749945CB86

Function 032E6B58 Relevance: 9.3, APIs: 1, Strings: 4, Instructions: 520COMMON

Download Yara Rule

Strings

4S;M, xrefs: 032E6DF3
`C5}, xrefs: 032E6E0F
KI, xrefs: 032E7089
HI, xrefs: 032E6F97

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4S;M$HI$`C5}$KI
API String ID: 0-2625641319
Opcode ID: 06fc4fe2bd1416cf67ca09baa395b39695b0341045442d97a2ebff44f3bdb2b7
Instruction ID: 562711c5f0c10bbae69f98d76d8f6ba94bb31e707e8b6e2e2ebbb860e445aefe
Opcode Fuzzy Hash: 06fc4fe2bd1416cf67ca09baa395b39695b0341045442d97a2ebff44f3bdb2b7
Instruction Fuzzy Hash: F9F1FDB4D20319CFDB24CFA8D8926AEBBB5FF44304F084A68D846AF741E7749945CB91

Function 032F6960 Relevance: 9.1, APIs: 6, Instructions: 136clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 032F6982
GetWindowLongW.USER32 ref: 032F69AD
GetClipboardData.USER32 ref: 032F69BD
CloseClipboard.USER32 ref: 032F6B04

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID:
API String ID: 1647500905-0
Opcode ID: bb11abe0858cd268332c2acd7a67a0da75467df6d8e265ec0f54223235e6ec95
Instruction ID: f78b89f6887f972759ab06f53c3f11cec603b70e7f604f7512d69467e66d7cc6
Opcode Fuzzy Hash: bb11abe0858cd268332c2acd7a67a0da75467df6d8e265ec0f54223235e6ec95
Instruction Fuzzy Hash: 8D51C4B19187829FD700EFBCD44535DFFA0AB02310F048779D5A99B285E3749595C7A3

Function 032FCAF0 Relevance: 9.0, Strings: 7, Instructions: 247COMMON

Download Yara Rule

Strings

p, xrefs: 032FCB89
L, xrefs: 032FCAFF
A, xrefs: 032FCB0E
G, xrefs: 032FCB04
p, xrefs: 032FCC79
p, xrefs: 032FCD86
F, xrefs: 032FCB09

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: A$F$G$L$p$p$p
API String ID: 0-4157924366
Opcode ID: 6132ae879dc0ae8df86044cd40e217f898b7586b19d2a6b349a130d769b2f708
Instruction ID: f1714e21e38fa0dcc7693e0fcfc9182a4e7ec284ac04317d5e68272f8981cba9
Opcode Fuzzy Hash: 6132ae879dc0ae8df86044cd40e217f898b7586b19d2a6b349a130d769b2f708
Instruction Fuzzy Hash: FBA1B1B191C3A48FD319DA28C45436FFFD1ABD6308F1C8D6DE68687386D2B9C8848756

Function 032E9340 Relevance: 8.1, Strings: 6, Instructions: 567COMMON

Download Yara Rule

Strings

+[&Y, xrefs: 032E9412
cS'Q, xrefs: 032E93FE
w1u, xrefs: 032E9458
$W U, xrefs: 032E9408
=O?M, xrefs: 032E9444
c/g-, xrefs: 032E93F4

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: w1u$$W U$+[&Y$=O?M$c/g-$cS'Q
API String ID: 0-2813094053
Opcode ID: f82d873d3ce366d9b8460ac3db562d488bee58aa6e61be958c6f89c6d8ad2cba
Instruction ID: 2de5f1fbc3702044b5946b22ba3323d5a4a2814bb10bd2391944a92918ba31eb
Opcode Fuzzy Hash: f82d873d3ce366d9b8460ac3db562d488bee58aa6e61be958c6f89c6d8ad2cba
Instruction Fuzzy Hash: E512F1B4E14209CFEB24DFA8D8A2BAEBBB5FF05304F1444AAE505AB385D7345981CF51

Function 032D0370 Relevance: 7.9, APIs: 5, Instructions: 360COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 032D0383
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 032D03A5
CoUninitialize.OLE32 ref: 032D050E
CoUninitialize.OLE32 ref: 032D0520

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeUninitialize$Security
String ID:
API String ID: 679980898-0
Opcode ID: 006ca00688ab77e8c47481dbc264bef7a08d6c9fc7b91bfa9080329e8e09c5c8
Instruction ID: 7c53f287369676a2c76112c0d610220b3567f98de27a2d8caa60c67948a8e0c9
Opcode Fuzzy Hash: 006ca00688ab77e8c47481dbc264bef7a08d6c9fc7b91bfa9080329e8e09c5c8
Instruction Fuzzy Hash: 35C110B15583C18BE330DF28D8917EBBBE6AFC2304F188A6DD4C85B295DB394405CB92

Function 032EA7E2 Relevance: 7.8, Strings: 6, Instructions: 286COMMON

Download Yara Rule

Strings

Jzu4, xrefs: 032EAA64
FnCB, xrefs: 032EAA72
Y@iF, xrefs: 032EAA79
sV*E, xrefs: 032EAA5D
T{^,, xrefs: 032EAA4F
kfhM, xrefs: 032EAA6B

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: FnCB$Jzu4$T{^,$Y@iF$kfhM$sV*E
API String ID: 0-2230338378
Opcode ID: 584a4174a057f847576fad6d971c8b7ed644cbdb4864984892cbd0953c866ca5
Instruction ID: 0a452fabeedc0e0132b9ab2e7854555e470fff9683693a05aea2d629d5761f46
Opcode Fuzzy Hash: 584a4174a057f847576fad6d971c8b7ed644cbdb4864984892cbd0953c866ca5
Instruction Fuzzy Hash: A4A1DDB4610B41CFD724DF69D8A0226BBF0FF1A310F198AADD4968B646D774E486CB90

Function 032EA4D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

(', xrefs: 032EAD9C
_p, xrefs: 032EABE4
P+P), xrefs: 032EAD94

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ('$P+P)$_p
API String ID: 0-1584404448
Opcode ID: 5e236c74e0d23378c51e061d70c9e434b91260b959d4f27e9b771ff30caf8317
Instruction ID: b08738f3d80b8dc10dca1b2bd51041bfb1a317861a2a866297779490a01b337a
Opcode Fuzzy Hash: 5e236c74e0d23378c51e061d70c9e434b91260b959d4f27e9b771ff30caf8317
Instruction Fuzzy Hash: 98A1CBB5A19341CFE320DF25E89126BBBE5EFC5318F484A2CE4C44B291E775854ACB93

Function 03304640 Relevance: 7.0, Strings: 5, Instructions: 763COMMON

Download Yara Rule

Strings

0765, xrefs: 03304C6E
x, xrefs: 03304862
%&' , xrefs: 03304BE5
L, xrefs: 03304A30
InA>, xrefs: 03304C10

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %&' $0765$InA>$L$x
API String ID: 0-3649279264
Opcode ID: 9cfcc13f9ca8cfa2a75f8da32c908ec26349efcbe676c2cdd0d91afd701f934a
Instruction ID: 8cb3a2dca77fd04c8b2a163b3668162891aacc9975820bd5a7e3f6eb70b0abc6
Opcode Fuzzy Hash: 9cfcc13f9ca8cfa2a75f8da32c908ec26349efcbe676c2cdd0d91afd701f934a
Instruction Fuzzy Hash: 194203316083514FD315CE29D8A076FBBE1ABC5214F19C92DE5EA8B3D2DA74C946CB82

Function 032CD780 Relevance: 6.6, Strings: 5, Instructions: 392COMMON

Download Yara Rule

Strings

G#, xrefs: 032CDB37
Kf, xrefs: 032CDB2F
, xrefs: 032CDA16
|s, xrefs: 032CDC3E
d, xrefs: 032CD942

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $G#$Kf$d$|s
API String ID: 0-2395289669
Opcode ID: 0585236bfc1e340aba105a348debb2297799d29d2ea74c30960ecb76c239214b
Instruction ID: 39a0adb1e100d60a23c39819b78df51656251b474b52a3abbb483404b777a106
Opcode Fuzzy Hash: 0585236bfc1e340aba105a348debb2297799d29d2ea74c30960ecb76c239214b
Instruction Fuzzy Hash: FED1EFB16583808FE314CF25C88175FBBE6BBC5618F088A6CE0C99B345D779854ACB57

Function 032CE920 Relevance: 6.6, Strings: 5, Instructions: 367COMMON

Download Yara Rule

Strings

SQ, xrefs: 032CEA30
_-], xrefs: 032CEA38
[V, xrefs: 032CEB07
0ki, xrefs: 032CE9E0
H, xrefs: 032CE945

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0ki$H$[V$SQ$_-]
API String ID: 0-818067795
Opcode ID: 9c94ff3f027681e2a5853f1a2bad83b233f7513143832c2e897ba71383f1a15d
Instruction ID: 606add618924cb786e70ef41916eab29980f9c462a82e8f42e078dfc5fd7f454
Opcode Fuzzy Hash: 9c94ff3f027681e2a5853f1a2bad83b233f7513143832c2e897ba71383f1a15d
Instruction Fuzzy Hash: D3C126716283D28FC324CF2484A13AFFBE2ABC1215F1D8A2CE4D55B346D7758846CB82

Function 032E18B0 Relevance: 6.6, Strings: 5, Instructions: 364COMMON

Download Yara Rule

Strings

yD, xrefs: 032E196A
GL, xrefs: 032E195A
qM, xrefs: 032E1962
l9E7, xrefs: 032E18B2
U+a), xrefs: 032E1B85

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: GL$U+a)$l9E7$qM$yD
API String ID: 0-27879146
Opcode ID: eb5e804f2486990c60cc0bffda2df02cc9d2ef8a0e5f1910a3fb0db387a2f962
Instruction ID: 27c68e1f9af9217d64ccafb4e8744ce94a30d779bbbb8668784a3738e69dfe47
Opcode Fuzzy Hash: eb5e804f2486990c60cc0bffda2df02cc9d2ef8a0e5f1910a3fb0db387a2f962
Instruction Fuzzy Hash: B9A1E0B59283418BC724DF14C89266BB7F4FF85354F58896CE8C58B390E738E981CB92

Function 032CD1F0 Relevance: 6.4, Strings: 5, Instructions: 177COMMON

Download Yara Rule

Strings

IWWL, xrefs: 032CD2C0
j, xrefs: 032CD20C
(, xrefs: 032CD2F8
ZCQ_, xrefs: 032CD2B0
IFAJ, xrefs: 032CD298

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ($IFAJ$IWWL$ZCQ_$j
API String ID: 0-1951835913
Opcode ID: 7a21a4f41201c95f4dccd046a8f5d879dcc4fc92b8cb9af9a002f38fea991a53
Instruction ID: 4f98bf32066048be6f908430106ae6ece7838ace1b81819b8512277602add589
Opcode Fuzzy Hash: 7a21a4f41201c95f4dccd046a8f5d879dcc4fc92b8cb9af9a002f38fea991a53
Instruction Fuzzy Hash: F051CE7055D3C28AD311CF35919032BFFE0AFA3644F185AADE4D55B252C37A844ADBA3

Function 032EF1A2 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 750COMMON

Download Yara Rule

Strings

\XL#, xrefs: 032EF5A8
vT^8, xrefs: 032EF3B9

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: \XL#$vT^8
API String ID: 0-3953467014
Opcode ID: fa2b846639381dde49860ff326c606a2306341c874dd595f43bd100e0cabebc8
Instruction ID: a6aaedb40d5fbed5216b6a34475f0ec6b2cc5b03786234c2c227447a07e7fa40
Opcode Fuzzy Hash: fa2b846639381dde49860ff326c606a2306341c874dd595f43bd100e0cabebc8
Instruction Fuzzy Hash: 4E3235756247429FE329CF398861763BBE1EF46310F588A6ED4EB8B381D779A045CB10

Function 032E60BA Relevance: 5.8, Strings: 4, Instructions: 791COMMON

Download Yara Rule

Strings

^YKK, xrefs: 032E61ED
]YZT, xrefs: 032E61E3
yyom, xrefs: 032E619D
InA>, xrefs: 032E6140

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: InA>$]YZT$^YKK$yyom
API String ID: 0-2203053018
Opcode ID: f745b58d6ad72c84dc29d81dc586adb0ebb487b8e13e2c719498039c67af7639
Instruction ID: bb14c8f351dfb2d7bb36b7563eb6f3cf1c95d98b5a5b835334d4f45c216947a7
Opcode Fuzzy Hash: f745b58d6ad72c84dc29d81dc586adb0ebb487b8e13e2c719498039c67af7639
Instruction Fuzzy Hash: AC422071A14216CFDB18CFA8DCA17AEB3F5FF48315F1884A9C856A7384E774A980CB40

Function 032E9FE0 Relevance: 5.4, Strings: 4, Instructions: 422COMMON

Download Yara Rule

Strings

/\K, xrefs: 032EA442
C\K, xrefs: 032EA478
cjkf, xrefs: 032EA41C
i!fY, xrefs: 032EA424

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: /\K$C\K$cjkf$i!fY
API String ID: 2994545307-2760849073
Opcode ID: 01324063919ad8fb6eee770b8f7ab0fa90c3d490acdd673aee263d8d24454475
Instruction ID: b77ccc79bc434151999fc90498790bbfbf04002c32922d269d3cfe837dac7ba7
Opcode Fuzzy Hash: 01324063919ad8fb6eee770b8f7ab0fa90c3d490acdd673aee263d8d24454475
Instruction Fuzzy Hash: 80C18A76A283118BD714CE28C89226BF7D6EFC5704F5D893CD9869B381E7759C86C382

Function 032C132D Relevance: 5.4, Strings: 4, Instructions: 388COMMON

Download Yara Rule

Strings

gfff, xrefs: 032C1F12
0123456789abcdefxp, xrefs: 032C1332
gfff, xrefs: 032C1F77
-, xrefs: 032C1ED7

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: -$0123456789abcdefxp$gfff$gfff
API String ID: 0-3657095489
Opcode ID: 4f7f2efda41f571c1ecf48eb2f61ba7797911a66a3951a59180e07d4ef408bfb
Instruction ID: 6ab777cf430d05eedc73ab040ace40c85cb4b3337a26655ff7886c925b6904c4
Opcode Fuzzy Hash: 4f7f2efda41f571c1ecf48eb2f61ba7797911a66a3951a59180e07d4ef408bfb
Instruction Fuzzy Hash: A8E1B37562C7D28FC715CF29C09026AFBE1AFD9204F088B6DE8D987352D634E945CB92

Function 033005D0 Relevance: 4.5, Strings: 3, Instructions: 703COMMON

Download Yara Rule

Strings

f, xrefs: 03300911
InA>, xrefs: 03300690
InA>, xrefs: 03300A80

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: InA>$InA>$f
API String ID: 2994545307-1036101952
Opcode ID: 7c28af940518faf01f0a72cca2677a703ac92a3e55e8e2e760a62b86c472703b
Instruction ID: 90ef56f775aaaef38ba0db2b8678a323774c4e09d75239a8ff12168027857748
Opcode Fuzzy Hash: 7c28af940518faf01f0a72cca2677a703ac92a3e55e8e2e760a62b86c472703b
Instruction Fuzzy Hash: 0B32CD716093419FD718CF18C8A0B6BBBE6BBC8714F188A6DE4959B3D1D734E805CB92

Function 032C8460 Relevance: 4.2, Strings: 3, Instructions: 413COMMON

Download Yara Rule

Strings

IEND, xrefs: 032C88CD
), xrefs: 032C84E6
), xrefs: 032C84DC

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: fe07e90135cdedbdfc67df547b56ef2b5b0a7d9884a0de45b14adbb8028ffaaa
Instruction ID: 7a87f6ead43030985051917a95a0bee07a46505c3080f73f7d6ae88a071bb8b3
Opcode Fuzzy Hash: fe07e90135cdedbdfc67df547b56ef2b5b0a7d9884a0de45b14adbb8028ffaaa
Instruction Fuzzy Hash: 5CE1E575A287819FD310CF28D88471BFBE4BB84304F088A2DE5999B381D7B5E955CBC2

Function 032CFE86 Relevance: 4.2, Strings: 3, Instructions: 409COMMON

Download Yara Rule

Strings

wI, xrefs: 032D014C
C{, xrefs: 032D0144
KH, xrefs: 032D013C

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: C{$KH$wI
API String ID: 0-157203947
Opcode ID: 3f9de9581ac1e86561b3588cae3ad8115c4ef56f3e350befc85efd5b343c4349
Instruction ID: 88e824ce6df2f985fae75110fada3cc9d403514066f0e70a2ec3740afa72e80e
Opcode Fuzzy Hash: 3f9de9581ac1e86561b3588cae3ad8115c4ef56f3e350befc85efd5b343c4349
Instruction Fuzzy Hash: DCC1217461C342DFC3149F64E89076BBBE8EF86308F04892CE5D997294EB788946CB56

Function 032F0FFE Relevance: 4.1, Strings: 3, Instructions: 388COMMON

Download Yara Rule

Strings

' "., xrefs: 032F1323
6T^z, xrefs: 032F124D
,\ y, xrefs: 032F132D

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ' ".$,\ y$6T^z
API String ID: 0-934940848
Opcode ID: 4c03f86fec9c92039462fc4c8574911980e01f9523fa6cc466c3fdacfa68e9b8
Instruction ID: 996207c316512a26fbd4ba736a61659aee1d40756b807795859e29152044ee13
Opcode Fuzzy Hash: 4c03f86fec9c92039462fc4c8574911980e01f9523fa6cc466c3fdacfa68e9b8
Instruction Fuzzy Hash: 78D18334109B81CFE726CF3584A0BA3FBE1AF17304F48899DC1D69B686D7796049CB66

Function 032EFD63 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 542COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 032EFE47

Strings

_P\e, xrefs: 032EFDAA

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: FreeLibrary
String ID: _P\e
API String ID: 3664257935-4114639319
Opcode ID: 433062630e405c8c489a96bf21acca890089665cfd681098bca52f589c949ab4
Instruction ID: ee3f242401d45ee046b3844085bbcc1dcabb2e2fead41e37b1ecbcf9e80f92f3
Opcode Fuzzy Hash: 433062630e405c8c489a96bf21acca890089665cfd681098bca52f589c949ab4
Instruction Fuzzy Hash: 7602E970115B418EE735CF35C8A17B3FBE5AF52304F0889ADC1EA8B282D739A149CB65

Function 032F09A1 Relevance: 3.0, Strings: 2, Instructions: 534COMMON

Download Yara Rule

Strings

ZZcd, xrefs: 032F0A36
w%pb, xrefs: 032F0A2C

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ZZcd$w%pb
API String ID: 0-2617558804
Opcode ID: 854b98539ea522e3173d60485dc930717fa8b1367c29c750a960ed4e1b3e30e8
Instruction ID: 0129fcbb1e78132e5ab7111128e409235175a0ac5494943344c9ed027115e1bb
Opcode Fuzzy Hash: 854b98539ea522e3173d60485dc930717fa8b1367c29c750a960ed4e1b3e30e8
Instruction Fuzzy Hash: AAF1F3B0514B818ED725CF39C4607B3FBE5AF92304F1889ADC1E78B293D774A1868B65

Function 032C38E0 Relevance: 2.9, Strings: 2, Instructions: 404COMMON

Download Yara Rule

Strings

NaN, xrefs: 032C393A
Inf, xrefs: 032C3933

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 97a4892f43e364c0607c77cf635f72b60e9818df90b3e92a609b9eda987b8a2f
Instruction ID: 5c5c902138d28f1880f15d3bfc2790da7c2a9abe1d9d72eee8dc1c8780b5585e
Opcode Fuzzy Hash: 97a4892f43e364c0607c77cf635f72b60e9818df90b3e92a609b9eda987b8a2f
Instruction Fuzzy Hash: BFD1E376A283529BC704CE28C48065EFBE5EBC8750F15CE2DE9999B390E775DC848BC1

Function 032EC7DC Relevance: 2.9, Strings: 2, Instructions: 353COMMON

Download Yara Rule

Strings

BD:G, xrefs: 032EC808
55%0, xrefs: 032EC810

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 55%0$BD:G
API String ID: 0-1772350360
Opcode ID: 6a1005f5ec08da4f338a7a895e17e155e5ac1a0cb139ae8872d976d3d0cf4afb
Instruction ID: 2617c429787dfdbbd9c392240c4e392d3e9bb83fc2f60e3d3546716e6cf84ff5
Opcode Fuzzy Hash: 6a1005f5ec08da4f338a7a895e17e155e5ac1a0cb139ae8872d976d3d0cf4afb
Instruction Fuzzy Hash: 2AB123B58183A18FC724DF64D89122BBBF1BF85304F44896DE8D98B391D734D885CB92

Function 03306E50 Relevance: 2.8, Strings: 2, Instructions: 305COMMON

Download Yara Rule

Strings

2;:9, xrefs: 0330702C
, xrefs: 03306ED5, 03306EE6, 03307065, 03307076, 033070B1

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 2;:9$
API String ID: 0-2585926393
Opcode ID: e1431f26a29e8c99e792bafce32851c3eb6e267a6456de623b11c7b7889f5f25
Instruction ID: 792e0e44ce68f72003f6e1663c04412a75a509b7e7ac7b137487521fadeb5956
Opcode Fuzzy Hash: e1431f26a29e8c99e792bafce32851c3eb6e267a6456de623b11c7b7889f5f25
Instruction Fuzzy Hash: 379104326083108FC728DE28D8E166BF7E6EBC5314F19892CE9959B3D5D675EC05C782

Function 03303E80 Relevance: 2.8, Strings: 2, Instructions: 277COMMON

Download Yara Rule

Strings

%&' , xrefs: 03303EB5
%&' , xrefs: 03304004

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: %&' $%&'
API String ID: 2994545307-1644610688
Opcode ID: a18f1e6ab121bd06e36d83e323554e2bf6411534ba38fa0112a9f4d3291f3c0e
Instruction ID: 9097678342930bfee1cb26112834f3cb35eb53ceb93385191b56b28d901d143f
Opcode Fuzzy Hash: a18f1e6ab121bd06e36d83e323554e2bf6411534ba38fa0112a9f4d3291f3c0e
Instruction Fuzzy Hash: E681E9746083019BE728DF26DDD0BBBF7E5EF85314F14892DE699972C1EA309940CB52

Function 032D10D7 Relevance: 2.8, Strings: 2, Instructions: 267COMMON

Download Yara Rule

Strings

yq, xrefs: 032D1230, 032D1316
wq, xrefs: 032D11D8

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: yq$wq
API String ID: 0-206952631
Opcode ID: 489d94f1935a31ff525b3a94d1ca0554d2fcb9088db66fc223e38892f6852583
Instruction ID: 65cb61e4495c668095a1e26778f2e8d7a33c594a6ef73655dd854a323860ac47
Opcode Fuzzy Hash: 489d94f1935a31ff525b3a94d1ca0554d2fcb9088db66fc223e38892f6852583
Instruction Fuzzy Hash: 44A189B15283418BE364DF11C8A076FFBE4EF84314F588A1CE4C95B680D7B69885CB86

Function 032E15AD Relevance: 2.6, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

WU, xrefs: 032E15EE
_], xrefs: 032E15DE

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: WU$_]
API String ID: 0-3594180508
Opcode ID: 75bf4967a49db05d16a2f218cb2e712e14d0e1bdeed484d680e0511d34dfd14e
Instruction ID: 074643e9b22d5b67b382dc582a4a878eb412d48511127fd9927d6ccddf9a9c2b
Opcode Fuzzy Hash: 75bf4967a49db05d16a2f218cb2e712e14d0e1bdeed484d680e0511d34dfd14e
Instruction Fuzzy Hash: 7F21BEA05183028AD714CF10C46237BB7B1FF92784F0C596CE5C11F7A5E3BA8981CB96

Function 032E16C0 Relevance: 2.6, Strings: 2, Instructions: 84COMMON

Download Yara Rule

Strings

_], xrefs: 032E16EE
WU, xrefs: 032E16FE

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: WU$_]
API String ID: 0-3594180508
Opcode ID: cb06f4b57f90729c2bf5772eb7fe226e4962468215683285ae23a482b7d6dcb2
Instruction ID: 2c45c2a79d4568c73e411b98e1affc752a3f93f79c37e52d2f424d67052e5704
Opcode Fuzzy Hash: cb06f4b57f90729c2bf5772eb7fe226e4962468215683285ae23a482b7d6dcb2
Instruction Fuzzy Hash: CF21F2605683028AD310CF10C46233BB7B1FF92B84F0C596CE5C21F7A1E3BA8981DB86

Function 032EC020 Relevance: 1.8, Strings: 1, Instructions: 566COMMON

Download Yara Rule

Strings

[I}, xrefs: 032EC0C5

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: [I}
API String ID: 0-555681764
Opcode ID: c5f234f06923fcfdf91d197bd9558ff8ece329cc6962146ac5f857cea8e30ebd
Instruction ID: 9dfe288485a813e9011bdc3297d66c3ad1bd4484c78e1d452f04cb14801619e3
Opcode Fuzzy Hash: c5f234f06923fcfdf91d197bd9558ff8ece329cc6962146ac5f857cea8e30ebd
Instruction Fuzzy Hash: 740232716183218BD314DF58D8927ABB7E1FFC5318F488A2DE8E55B380D7B4850ACB96

Function 032C4FB0 Relevance: 1.8, Strings: 1, Instructions: 558COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 032C5336

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: 8e52d1442d2f960b24c28a853e6014fbcb5e306b7e03334610877a89607d9d71
Instruction ID: 135afd1565d50a08788c6aa11bdae194e7fb1ead81323f523936cfdb34d0779d
Opcode Fuzzy Hash: 8e52d1442d2f960b24c28a853e6014fbcb5e306b7e03334610877a89607d9d71
Instruction Fuzzy Hash: 2012D971A383C28BD725CE56C480327FBD2AF92214F3D866DD8994B352E7B5E885C742

Function 032E5770 Relevance: 1.7, APIs: 1, Instructions: 241comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(033099D8,00000000,00000001,033099C8), ref: 032E5799

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: a26a4f4b6168d3cf4df2691356af6c8192ca74763f65cc528814792c6670c0f3
Instruction ID: bf24e6cf4cd7c149c4686539a50d8dc73bc209b4bcb09600379ece178ba97f2d
Opcode Fuzzy Hash: a26a4f4b6168d3cf4df2691356af6c8192ca74763f65cc528814792c6670c0f3
Instruction Fuzzy Hash: 4151CFB16303059BDB20DB24DC96BA773A8EF86368F588558E9858B291E3B4D881C761

Function 032E59D0 Relevance: 1.7, Strings: 1, Instructions: 463COMMON

Download Yara Rule

Strings

HGFE, xrefs: 032E5C99

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: HGFE
API String ID: 0-2862901527
Opcode ID: 34163f7476bda62d33ef4425ad7913600eef97ccae3286f7a93d4b359b6242a0
Instruction ID: af65a61163da825c94b476444d77a96a3ffbdb065af784d83dd5b323bd4e27d6
Opcode Fuzzy Hash: 34163f7476bda62d33ef4425ad7913600eef97ccae3286f7a93d4b359b6242a0
Instruction Fuzzy Hash: 29C13576A343118BC314DF24C89276BB3E6EFC6218F6D856CE8859B381E774D8858792

Function 032F0417 Relevance: 1.7, Strings: 1, Instructions: 451COMMON

Download Yara Rule

Strings

-'.$, xrefs: 032F07C6

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: -'.$
API String ID: 0-2031752551
Opcode ID: 34cf8470bb62a45dec453f79dc53eb2bdb162fc0108496929a2b80309102d5fb
Instruction ID: d0a4ef72de425544fb314d8c0aea8fa4151a48a87f5c5a5cfe240e4faa42ebd0
Opcode Fuzzy Hash: 34cf8470bb62a45dec453f79dc53eb2bdb162fc0108496929a2b80309102d5fb
Instruction Fuzzy Hash: F6E1DA75515B818FE325CF39C8507A3FBE2AF96304F08C9ADC0EA8B642D779A049CB51

Function 032E2CE0 Relevance: 1.7, Strings: 1, Instructions: 441COMMON

Download Yara Rule

Strings

(, xrefs: 032E2D2C

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 6457bee3e67b01bf29251144948ae2f291ebac9cbb565796ace7aef5a070f109
Instruction ID: 9c72482315016adb23269d2a63bdbbe83aeb827884b02dce09f5b169330f84ea
Opcode Fuzzy Hash: 6457bee3e67b01bf29251144948ae2f291ebac9cbb565796ace7aef5a070f109
Instruction Fuzzy Hash: DBE10375628340ABD701DF25DC42BAFBBE9EBC6314F18492CF8C59B381D27598458B93

Function 032ED3EA Relevance: 1.7, Strings: 1, Instructions: 436COMMON

Download Yara Rule

Strings

B, xrefs: 032ED751

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: B
API String ID: 0-1255198513
Opcode ID: 2049789ec760295a730b8d2b99fc21b4be710c6505caa82f976daaf0bd181ff7
Instruction ID: ac8ccd410bbc90e3edf62ce93a6a2ee36cab9b5f770275b25a18d472f0af1bc3
Opcode Fuzzy Hash: 2049789ec760295a730b8d2b99fc21b4be710c6505caa82f976daaf0bd181ff7
Instruction Fuzzy Hash: 51E12271618381CFD310EF28D89172BBBE6AF86314F488E6DE4D48B291D736D945CB52

Function 032DCAB0 Relevance: 1.6, Strings: 1, Instructions: 354COMMON

Download Yara Rule

Strings

~, xrefs: 032DCB8A

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1314861826
Opcode ID: 44d845b7c862f869aaf91b277c527c7b7c25c8fb53b5ca2bbd666dc7dbe0edfb
Instruction ID: 65ca9161a3dcf008c092c2f87ed84b8ede2f2f22975ace3055ae52e098cf4924
Opcode Fuzzy Hash: 44d845b7c862f869aaf91b277c527c7b7c25c8fb53b5ca2bbd666dc7dbe0edfb
Instruction Fuzzy Hash: 48B103B55283509BC734DF24C8917ABB7E5FF89714F088A5DE9C98B380E7749881CB92

Function 032DCFDD Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

FindWindowExW.USER32(00000000,00000000,27992596,00000000), ref: 032DF6C9

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 1d0bd196e926d2c522f6efb8d6269731960ffe2992b496d20955fdb19ef60c29
Instruction ID: 61060988d655ac68376a2d86fdd61a57d8edb6a474d5a0245a4154cddd74b21d
Opcode Fuzzy Hash: 1d0bd196e926d2c522f6efb8d6269731960ffe2992b496d20955fdb19ef60c29
Instruction Fuzzy Hash: E53105B091C3809FE364DF20D1953DBBBE0AB98714F408A2DD5C94B280DBB45485CF86

Function 03306B70 Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

, xrefs: 03306B95, 03306BA6, 03306C35, 03306C46

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-3019521637
Opcode ID: 5c3cad5ca6f04c0caffcdd879aeafb932ccb3141ca81c5bc2b5f856ab2786ef1
Instruction ID: 5e59448acd9df2d5ae6687cc33244138f5ceeede4ea3be7e019c85f22e80a4f6
Opcode Fuzzy Hash: 5c3cad5ca6f04c0caffcdd879aeafb932ccb3141ca81c5bc2b5f856ab2786ef1
Instruction Fuzzy Hash: C991C135A083118BC724DF28D8A162BF7F6EF89710F19892CE991573A9D731EC61C781

Function 03306600 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

, xrefs: 03306625, 03306636, 03306735, 03306746

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-3019521637
Opcode ID: e2f7a32eb1efbb630e710198fe995e63096def98ba3460e30393122afd68108e
Instruction ID: 86c6b857ed9437aea5f2858f704c37f4683ae1af16175712853b8c5ad9d6b7aa
Opcode Fuzzy Hash: e2f7a32eb1efbb630e710198fe995e63096def98ba3460e30393122afd68108e
Instruction Fuzzy Hash: 5671E7356083019BDB14DF28D8E1A2FB7E6EFC4750F19C96CE9858B399EB30D8618752

Function 032CA500 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 032CA636

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 37f756bf959ae2e0a7e7d78eeac5330931023742c7c43367a445c5a24df0fd56
Instruction ID: d1a2ec783c83d5c2b50225c522c95a52d3f5a34bc5857872d2269d723de764ae
Opcode Fuzzy Hash: 37f756bf959ae2e0a7e7d78eeac5330931023742c7c43367a445c5a24df0fd56
Instruction Fuzzy Hash: 5DB148715183859FD321CF28C88061FFBE0AFA9604F488E2DE5D997382D671E958CB66

Function 033068C0 Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

, xrefs: 033068E5, 033068F6, 03306995, 033069A6

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-3019521637
Opcode ID: 8b3a885c6d8b872fe6d72d376ffd36b7616f2dc24bc4af167467d5734cabb5d4
Instruction ID: 25415d303940028790c1d51c8010aa31f6d5d8b2605c1dad463fb3e1761d0d5a
Opcode Fuzzy Hash: 8b3a885c6d8b872fe6d72d376ffd36b7616f2dc24bc4af167467d5734cabb5d4
Instruction Fuzzy Hash: 7781C3756047029BD714EF18D8E1A2BF7E5FF84750F19852CE8858B399DB30E861CB82

Function 03301100 Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

InA>, xrefs: 033011A0

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: InA>
API String ID: 2994545307-2903657838
Opcode ID: 843b6c6863e509e5d92ba01409d942de900842b5224bf2aa4fd7c919795de807
Instruction ID: c5e08f295a1a7e31082f0868de4b5e0856a5afb0b9b0a94fdab19ed2fe7a4d3b
Opcode Fuzzy Hash: 843b6c6863e509e5d92ba01409d942de900842b5224bf2aa4fd7c919795de807
Instruction Fuzzy Hash: BA710039A083019FD718DE68CCE0B6BB7EAABC4354F1C886CE985D73D5E274E8058B51

Function 032E29C0 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 032E2B43

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: a73daf746abf04e0c47c282e2f223a2d395c1c654b78c5a27a48051604b9cf1d
Instruction ID: 5f9608a5ce891b692ef15baa3f9ed6b343177d6cae4e9dc96aa3faaa072f5447
Opcode Fuzzy Hash: a73daf746abf04e0c47c282e2f223a2d395c1c654b78c5a27a48051604b9cf1d
Instruction Fuzzy Hash: 2451FA33A3AB90CBC724EC3C4C533A5AA0F5BA6234B7D476AD4B68B3D5C6A688414351

Function 032E9ADE Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

", xrefs: 032E9D28

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-3984020932
Opcode ID: aff0dad158059dc93526dcc688eddfc24dab5b8a61b7ddf31b3bfe5f2f7fe61b
Instruction ID: 995f54043be2d6c467217f119e50944ae1cb151205a01601490f15770e49d4ff
Opcode Fuzzy Hash: aff0dad158059dc93526dcc688eddfc24dab5b8a61b7ddf31b3bfe5f2f7fe61b
Instruction Fuzzy Hash: 2C510676D242678FDB10CA68C4822BAFBA1FB4A340F4D826AC8559B385D37CD8C5D7D1

Function 032E9D3E Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

", xrefs: 032E9F88

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-3984020932
Opcode ID: 2c33b001021260ab249361e2108c8a42a73a895cef485b6beaaac408b8162028
Instruction ID: 27cae63c20222eb322913dec0ed4f4654fcd2e494836c9f97ba22ae516724c6d
Opcode Fuzzy Hash: 2c33b001021260ab249361e2108c8a42a73a895cef485b6beaaac408b8162028
Instruction Fuzzy Hash: 495138B2E202578FDB20CA68C4426BBF7A6EB55200F4C856BD8859B385E77CD8C5D7D0

Function 03306040 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

@, xrefs: 033060F1

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 3abc7b1fcc1570132ebf3750e4f4c140dd2be9ba50a25ee539a662fb3d98aab1
Instruction ID: af03c9c233d2957c0c0dc3f85e940d36bf36953fe2f9c67bd89519ef6986a2a0
Opcode Fuzzy Hash: 3abc7b1fcc1570132ebf3750e4f4c140dd2be9ba50a25ee539a662fb3d98aab1
Instruction Fuzzy Hash: 4741EF709083008BD714DF28D89676BB7B4FF85324F188A1CE8995B3D6E7399915C792

Function 033064F0 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

@, xrefs: 03306559

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: b9afa1c370a98259fad944de41ce964548434f152e1a0583b6fad18b8586250c
Instruction ID: 0728945d634148602c6d955669847d504317f45681733ea36fdb83576a0da95a
Opcode Fuzzy Hash: b9afa1c370a98259fad944de41ce964548434f152e1a0583b6fad18b8586250c
Instruction Fuzzy Hash: 7E21BB715083048BC314DF68D8D266BBBF8EF96314F14892DEA98872C8E7359918CB96

Function 032CBC40 Relevance: .9, Instructions: 855COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c07c6aa2b5a6701d8050d4a515ce89995d9b9219aac0b1f1af7e485e0ac167
Instruction ID: 8d9329396b5ec13d0228c17cbffdee2367368fb143208b30c5613683796ed732
Opcode Fuzzy Hash: 67c07c6aa2b5a6701d8050d4a515ce89995d9b9219aac0b1f1af7e485e0ac167
Instruction Fuzzy Hash: 7252B2719387628BC325DF18D4802BAB3E1FFC4319F194B2DD9DA97280D775A492CB86

Function 032E2090 Relevance: .7, Instructions: 720COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 04396431a2e6cf655f272d173fdc329b0aa0acbdd60004c87790251895eb0173
Instruction ID: fd4c58bdeee9780c12f7a810aed8a27e4466ea4c76d1219e532b52f7601fe0c0
Opcode Fuzzy Hash: 04396431a2e6cf655f272d173fdc329b0aa0acbdd60004c87790251895eb0173
Instruction Fuzzy Hash: E432F375618341DBD724DF14C992B6BF7EAEBC4314F588C2CE9869B390D7B0A881CB52

Function 032C7040 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974bdcc2c36c888b0f0456aea0e3f641bad2d2500ff3abcca158626bcc417cb7
Instruction ID: ec1958a460fbb9be679a8afd3f5067bc3be0455acbf9080ccd94d8f142f88851
Opcode Fuzzy Hash: 974bdcc2c36c888b0f0456aea0e3f641bad2d2500ff3abcca158626bcc417cb7
Instruction Fuzzy Hash: AD52AF315283868FC715CF2CC0906AAFBE1BF88314F198A6DE89A5B351D775D989CF81

Function 032CB130 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d4077578bbc2f084d04b886dff474728b044ea2bebe7b4dd73ecf128060aca
Instruction ID: e7bd581da8c42d22dbe5bb62b4b44d1a18dbb4f5ea49f28819c0b028b0daeab4
Opcode Fuzzy Hash: c9d4077578bbc2f084d04b886dff474728b044ea2bebe7b4dd73ecf128060aca
Instruction Fuzzy Hash: 8D52E5709387C58FE735CB24C4893A7BBE5EB41314F1C4A6DC5EA07A82D2B9A4C9CB41

Function 033054D0 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9babcdead62c7e2b54f43ae5c58e781c8f78e00d432966b2166e488119052f85
Instruction ID: 9e37d73de96604348c6f285cbec1c0bbf485249599dbfbad4221772bf01fa047
Opcode Fuzzy Hash: 9babcdead62c7e2b54f43ae5c58e781c8f78e00d432966b2166e488119052f85
Instruction Fuzzy Hash: F3123436A08215CFC708CF28D8E06AEB7E6FF8A310F5D856DE98697395D7349945CB80

Function 032C7A60 Relevance: .6, Instructions: 627COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33cfa6fe7139a1529db7438a7f12a0174bbf51acaf4bba9732b58886736b716a
Instruction ID: 700cc442b84d4a157226661d22b1432d6505182f86db37f8af20f40b8cf0aedd
Opcode Fuzzy Hash: 33cfa6fe7139a1529db7438a7f12a0174bbf51acaf4bba9732b58886736b716a
Instruction Fuzzy Hash: D7424571A34B918FC328CF29C59056ABBF2BF44710B548A2ED69787B90D776F880CB10

Function 032FDB76 Relevance: .5, Instructions: 532COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114591d525216ad86a3c6f2623906f9451b2c07247367ef39d7e27eb0843dfa5
Instruction ID: 30132f3b30ac4c8b76f2901b2f61ceeb9ac333db09c8675aeb3d32698780b196
Opcode Fuzzy Hash: 114591d525216ad86a3c6f2623906f9451b2c07247367ef39d7e27eb0843dfa5
Instruction Fuzzy Hash: 30022576A14216CFCB18DF28D9A12BFBBB2FF49301F0A847DC54197298EB759981CB50

Function 032DE882 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 42d32ed16d1c7f2c736ec349a4d02387331b14239a429caf83f907993ff26fdb
Instruction ID: e9e54631f7f44de9df49b8a23c90c9f50037faecf097a72a8a1ac8733aef3280
Opcode Fuzzy Hash: 42d32ed16d1c7f2c736ec349a4d02387331b14239a429caf83f907993ff26fdb
Instruction Fuzzy Hash: 25E124716183428BD728DF24D8D176BB7EAFF84304F1E8D6DD4828B286D7B49885C792

Function 032E3B40 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17b60838ccda2e8de27da8e9a5ca4be30469d4f3ea4ea2df38fd84850046693
Instruction ID: f387315f5bcf03170057bdeb6f66e69f91d6d8ec48fc6713ca56be713dc2b520
Opcode Fuzzy Hash: f17b60838ccda2e8de27da8e9a5ca4be30469d4f3ea4ea2df38fd84850046693
Instruction Fuzzy Hash: 96C100B45183018BD724DF25C89276BB7F2FF92355F48899CE5814F3A4E7798881CB92

Function 032CA020 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a9915af957c528a61812ee8299480e6dfef751ec0918b04dfab1b27f8bd7f3
Instruction ID: 25c800427cc5bf642a07ec16371d699bfba91b6ec29188e76c1a8581fab8f728
Opcode Fuzzy Hash: 30a9915af957c528a61812ee8299480e6dfef751ec0918b04dfab1b27f8bd7f3
Instruction Fuzzy Hash: 60E191752183818FC325CF29C884A6BFBE6EFD8200F48892DE4DA87751D775E985CB52

Function 032C9006 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c62b767ba9246d3425ec0ee51bec910034a67095cadd3dbaa5db649dbdc2f47
Instruction ID: c9583f4d8b12d740546547ffef8c7240d73a2d360ac2a00848d4bfc219b3f91f
Opcode Fuzzy Hash: 0c62b767ba9246d3425ec0ee51bec910034a67095cadd3dbaa5db649dbdc2f47
Instruction Fuzzy Hash: DBF18A75220602CFDB28CF24D4A07AAB7B5FF48309F148A6DD44687B85D7B5E695CF80

Function 032CABC0 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef9a3f350b3cc5b1fc5ac12fe90280bfdf9812ef852d42490b9d3225e9ee3d4
Instruction ID: c0e757e2cba644b785083ab825d991e5c4598ec41075fb7cccc5a676ef7b9325
Opcode Fuzzy Hash: 4ef9a3f350b3cc5b1fc5ac12fe90280bfdf9812ef852d42490b9d3225e9ee3d4
Instruction Fuzzy Hash: 37F19476B687418FC728CF24C8527ABB7E2EB85314F18897DC19AC7341EA38A546CB41

Function 03305800 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70358ac9bc137aa8c49af185ceb7325f0a47770e988e63965faadcbf0f3609b5
Instruction ID: 799fe6d13b61faee8bf441ec465910c33bf542d29d7c4e5bea5276287ce4b704
Opcode Fuzzy Hash: 70358ac9bc137aa8c49af185ceb7325f0a47770e988e63965faadcbf0f3609b5
Instruction Fuzzy Hash: 1BC13336A0D321CFD304DF28D8E02AAB7E5EF8A310F49896DE9C597391D6359809CB81

Function 032EB30E Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a792ff7e8f7a835f533ba9b03dff75c4e79bced131965e2c89a46549d18e7a4
Instruction ID: 4f918c858eb32f93ec42ba57f2d41209c19fe20606bff103e999288d7c873323
Opcode Fuzzy Hash: 6a792ff7e8f7a835f533ba9b03dff75c4e79bced131965e2c89a46549d18e7a4
Instruction Fuzzy Hash: 92C14832A1C781CFD710DF3898A172A77E2BF8A324F594BACE1A55B2D5D3319944CB41

Function 0330354C Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb4aa64f5676af409f8bbcc5b7d8187c78542d870179e928dd99a69ababbde9
Instruction ID: 73d37041d60bcc76b24714cfc4d8e5381c8851bd9356cad0cdc900e7840077cd
Opcode Fuzzy Hash: 2cb4aa64f5676af409f8bbcc5b7d8187c78542d870179e928dd99a69ababbde9
Instruction Fuzzy Hash: 75B1D13AA18240CFC708DF38E8D06AAB7E6EB89324F198A7CD595C3385D739D955CB41

Function 032C9A81 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8e3d511249098ce1a2d3c826b2d72f35dc1e79c1b6665a3d4ce52f3e6ba230
Instruction ID: 75341f56993a268a63f95c8388202159d15821cea20dc6a81f96f88af00801d5
Opcode Fuzzy Hash: ad8e3d511249098ce1a2d3c826b2d72f35dc1e79c1b6665a3d4ce52f3e6ba230
Instruction Fuzzy Hash: 4FE16835110641EFCB60DF28D990A5AFBF6FF48314F098A5DE98A87A51D331E9A1CF90

Function 032FC3E0 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5dc0ef1997e454bd653b5ed4eaa20efe33f714164dd0511d2672dd097057c19
Instruction ID: ba1b54c7ad406ea73d772ca6b35ad1e57eafc459d6604fd1fcaf4970fe91a046
Opcode Fuzzy Hash: c5dc0ef1997e454bd653b5ed4eaa20efe33f714164dd0511d2672dd097057c19
Instruction Fuzzy Hash: FDC14972D186E58FCB11CA7CCC80369BF725B57224F1D82E9C5A1EB3C6C27A8846C761

Function 032F1495 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f67e6e57f72abd7da4b911606760aef7c9f9276bf35e7e93d18c9277600e8e
Instruction ID: e17111ad7c07e74e2618ed5d3f5fb2e476f64ba2fba806eab0f59ab2494b79e4
Opcode Fuzzy Hash: 42f67e6e57f72abd7da4b911606760aef7c9f9276bf35e7e93d18c9277600e8e
Instruction Fuzzy Hash: C2B12671A24B42CFD728CA29C4A1272F7A2EF9626475C8B6DC6A70B7C2D334F465C750

Function 032EC390 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aaba4deacb64b9b4c61394f6b4784762c23293508c98331a802f21e4197fc95
Instruction ID: cfb2d82b9f3c483addf1e6605ea3749abab13c771c8f10d7aca3c667a2231c78
Opcode Fuzzy Hash: 5aaba4deacb64b9b4c61394f6b4784762c23293508c98331a802f21e4197fc95
Instruction Fuzzy Hash: 269121B16183208BD314EF54D85276BB3F1FFC2318F488A2CE8964B394E3758944CB96

Function 032EEE3D Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e0a811f1aa4797b60c1da881db97ea7fc8e1fbde851cac6f9c4c25d32553186f
Instruction ID: c2f7c8772b00e9ce92a0b0b55842ff851f4b5aecb163ec6c00ba44fe6cace7a7
Opcode Fuzzy Hash: e0a811f1aa4797b60c1da881db97ea7fc8e1fbde851cac6f9c4c25d32553186f
Instruction Fuzzy Hash: 2F816871614B418BE325CB25C9A2BA3BBD3EB82301F5D886DD4D58B38AC379A442C760

Function 032C971D Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42a75b92ce0f36b16514372c8b2c7a6a7973029cc0973d1d413ea11599df723
Instruction ID: 87687235c7a31edbe75f0298c4f10d2b58018948b16a1a6e507c0d0a0594bac2
Opcode Fuzzy Hash: c42a75b92ce0f36b16514372c8b2c7a6a7973029cc0973d1d413ea11599df723
Instruction Fuzzy Hash: 37D14675110A41EFC720DF18D990A5AFBF6FF48304F098A5DE99A87B51D331E8A1CB90

Function 032D56C1 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981f2e07aa405cd23693ba9ca544fb9ab7f4166d48a416e22ac7c940a8248965
Instruction ID: 89d13d33587855d3c6c0bf8fe2ac6a7342e3bf804979b2c005ec840f26626d21
Opcode Fuzzy Hash: 981f2e07aa405cd23693ba9ca544fb9ab7f4166d48a416e22ac7c940a8248965
Instruction Fuzzy Hash: 25C1F271A28F808BD325DB38C8597A6BBE5AB46314F184E6DD4EFCB382D7786544C702

Function 03305120 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f831515a6361ed5cc677b492932d19880fee3312eea16b969fbed3ea08371e
Instruction ID: b0db52c7f4e56a8e7bbf12a5c62304c58f3240d0d162ff112bafdcc41f844b1a
Opcode Fuzzy Hash: 21f831515a6361ed5cc677b492932d19880fee3312eea16b969fbed3ea08371e
Instruction Fuzzy Hash: F3816C76B69210CFD714DF68E8E0696B3A9FB8E315F0E80BCCA8587759C275D804C780

Function 032FD4B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc84d6e5a2c6b082c4dfcc3632b70248a4b51ce72527d1472799a064d506a42
Instruction ID: 9c0f099f08a4a655747515b1c0372c2f7efeafb01d6c2a6f97941578ff50f7b3
Opcode Fuzzy Hash: 7dc84d6e5a2c6b082c4dfcc3632b70248a4b51ce72527d1472799a064d506a42
Instruction Fuzzy Hash: CC816376A14205CFEB04DF28D8D177EB3A9EB49710F144828D646AB2C4DBB59581CB90

Function 032D7736 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02107b5452c8d7312f400d0344a7ce553471fa2db5f72f14dd2a33d5dc1bb4a
Instruction ID: 97fcb784a395063ad91b081f6e92a6fae8de55c36078caa938d17bb8d30f9471
Opcode Fuzzy Hash: a02107b5452c8d7312f400d0344a7ce553471fa2db5f72f14dd2a33d5dc1bb4a
Instruction Fuzzy Hash: 40B1F676528B808BD725DF3CC8553A7BBE1BB46214F188E6DC4EBC7386E678A444C712

Function 032EEAF0 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e8c23f8e6c6c7e07ba371c741a1a37d4590585b8e160d419e50222c08911dd
Instruction ID: eabeae850f5b64f96829f730d5095ea149006121591b5c121968c69914b6d499
Opcode Fuzzy Hash: 05e8c23f8e6c6c7e07ba371c741a1a37d4590585b8e160d419e50222c08911dd
Instruction Fuzzy Hash: CB81CDB4108B818AE332CF39C4917E3BFE5AB57300F58889DC1EA0B285D7796045CBA6

Function 032D6493 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece18d50e9561c9a45f68f9b01766fb0106c678a2422a5c33b1e9ea01255e7f9
Instruction ID: 07a8d1d542fac7f2875cfb7704364be06a1f060d9bff1fcc02b4adbb6e0c1306
Opcode Fuzzy Hash: ece18d50e9561c9a45f68f9b01766fb0106c678a2422a5c33b1e9ea01255e7f9
Instruction Fuzzy Hash: E9910572A29B804FC325DB38C8993E7BBD2AB95314F4C8A7DC5EAC73C5D678A0458711

Function 033041C0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a87fcbb0e9fbb4da443e141e7b379a74a20d428ba54f2036ad37f9c4ad14b6
Instruction ID: 704f8dc1e3312ab8634e43bec04eba12867ccbfefdae16e08259c50809ad9016
Opcode Fuzzy Hash: 09a87fcbb0e9fbb4da443e141e7b379a74a20d428ba54f2036ad37f9c4ad14b6
Instruction Fuzzy Hash: 81710676B043106BD714EA69DCE477BB6D9EFC0614F08496CEB89C7381E670EE148A92

Function 032F41D4 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2471502a362a509f65ab3c27ae654f5789f7769227e2af482ff326b530408fe8
Instruction ID: d389880c333c0ff73a2d3a274dbcff1d8053c93c6f6b149104d5c81143213200
Opcode Fuzzy Hash: 2471502a362a509f65ab3c27ae654f5789f7769227e2af482ff326b530408fe8
Instruction Fuzzy Hash: 79910572A08B804FD3159A38C4943A7BFD2ABD6318F1D897CC6EB4B346D679A485C712

Function 032D3227 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b51e2ea53fcdabe73a694fd832eb265283edf5c4dc98f46a47293639747d3a
Instruction ID: 4ed6ede09e69c8b9b3087b7394a44e8748569eda3e14073f087d19ec6589cf80
Opcode Fuzzy Hash: d6b51e2ea53fcdabe73a694fd832eb265283edf5c4dc98f46a47293639747d3a
Instruction Fuzzy Hash: 6A910976928B808BD325DB38C95536ABFE1AB96214F088E6DC4EBC73C2D678D4448712

Function 032F6520 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f5327295889a84d33c0c1f9fc221fddb3cab6561c46a8aaa4672bed2446f6a
Instruction ID: a00932b6b10671c51484d5117fd4de46f999d610d7d24b83eb22a82ab3d4d73c
Opcode Fuzzy Hash: c8f5327295889a84d33c0c1f9fc221fddb3cab6561c46a8aaa4672bed2446f6a
Instruction Fuzzy Hash: E4516B27F395914FC718D93C0CA13B9EA468B97234B1D83BAEEB1DB3E9C65988458350

Function 03303A33 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd828e201feecbcb83cdc6e5676fea6637ce11bdc9c0913399c7a37b3d20d1a9
Instruction ID: a13f08afb8167cdc93d6862427bbab56049c1f00c602c81a965814018f0fb69e
Opcode Fuzzy Hash: fd828e201feecbcb83cdc6e5676fea6637ce11bdc9c0913399c7a37b3d20d1a9
Instruction Fuzzy Hash: 6571D73960D7B28BC322CA29C4E051DFBE16E96224B5D83FDD8F05F783C6219946C762

Function 032EB03C Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ca9d96dee6aaceb719ec3ddcb24c0bf283b7ae9e573cd35ea47dbfc728ce47
Instruction ID: 0a191f4dde2f458b3e38d0cd295e914a9ba6c7ae9fb41a0e506680602799f546
Opcode Fuzzy Hash: f6ca9d96dee6aaceb719ec3ddcb24c0bf283b7ae9e573cd35ea47dbfc728ce47
Instruction Fuzzy Hash: BF51B4767186024BC71CCE2E99A123FB6D3ABC8211F5D813DE85A8B3D5EF70E8118685

Function 032FFC90 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367720becf6136ea49044600c74ccd9ceefb02fc46192654997fa64205b14a86
Instruction ID: 136457d6f504d29cfea3d07ea0a60f43e930e86b13f446b11b23440ca7164142
Opcode Fuzzy Hash: 367720becf6136ea49044600c74ccd9ceefb02fc46192654997fa64205b14a86
Instruction Fuzzy Hash: 30513536A64351AFD720CE28C98079BF7AAEFC1714F1C8978DA94AB392D374D84187D1

Function 032FC152 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c2f261ee7b4e32f6aeb2dae93eb1ca6f4b0d5a3384d652813e0848d8bf30e3
Instruction ID: feeefab6a3fbce266bc0b2500489891b73bc1d40245e4b5ed64dd5f1460cc62e
Opcode Fuzzy Hash: b4c2f261ee7b4e32f6aeb2dae93eb1ca6f4b0d5a3384d652813e0848d8bf30e3
Instruction Fuzzy Hash: 9E618DB1A087548FE714DF29D49075BFBE1BB88308F044A2EE5D987390E379D6488F82

Function 032FC180 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2941a7b367f150150946be65622cc65c06d426a85559ebce3d8aed5128feb86
Instruction ID: 578d64f024059c0b25f5bd0451d3349ec313346bfde858cdcf77683c23e3dd7d
Opcode Fuzzy Hash: f2941a7b367f150150946be65622cc65c06d426a85559ebce3d8aed5128feb86
Instruction Fuzzy Hash: DE515BB16087548FE314DF69D49475BFBE1BBC8318F044A2DE5E987350E379D6488B82

Function 032DC692 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc094701372075add6250cc78aee25b89f7819ffdd1b85570817bacdae94d6d
Instruction ID: 72a61b4c62a06eec4aa3e55cad571f2e53796903ef68d25f3b6637bddd521fb4
Opcode Fuzzy Hash: 9fc094701372075add6250cc78aee25b89f7819ffdd1b85570817bacdae94d6d
Instruction Fuzzy Hash: DF41D3B492022287DB24DF18C892A7773B9FF55364F19525CE886AB3D0F774A540C3A5

Function 032C5850 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cade050b5f8c79027e25ae45199818fecc846d2a32f5a355ee1cb2287f936c8
Instruction ID: 834390fb5f958fd2a670c9d1a9b551e9dbc6c8d67d670d319449b62d0014e97d
Opcode Fuzzy Hash: 3cade050b5f8c79027e25ae45199818fecc846d2a32f5a355ee1cb2287f936c8
Instruction Fuzzy Hash: 495191B5A243419FC714DF19C880926B7A5BF8A324F2947ACE8998B351D731E882CB91

Function 032C99A9 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb6b3558cf70f7f53d8ddb5d7955ef50b44fb7eb05eb8a3ffeb4bb25e06f573
Instruction ID: f5ef00c02671a24dbc2e9131fdd981d8ac727887cb2050bbde56bb2a2c552e1b
Opcode Fuzzy Hash: dfb6b3558cf70f7f53d8ddb5d7955ef50b44fb7eb05eb8a3ffeb4bb25e06f573
Instruction Fuzzy Hash: C3511A212193C5CFCB0ACE6C849054ABFA1AF6A200B4CCADDD8859F34BC660D665CBE1

Function 032ED9C5 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c2f0758bf1c09a00c1e46268fb386e5714ff592454e344abe94b384e7f1d6415
Instruction ID: c3acbfebd6022b0e0518e7f24c7899c7418f12dcd157597227680d7b3aba06c2
Opcode Fuzzy Hash: c2f0758bf1c09a00c1e46268fb386e5714ff592454e344abe94b384e7f1d6415
Instruction Fuzzy Hash: 9731D43532C3418FD308DE28C4A573BB3A5FF8A304F588D6DD59517785C3B55A818B9A

Function 032F9970 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: d411438c58a9b318109e4cdbc8c2ea3c6126b2d92b78f4462e23a940bc7fee03
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: DA11C233A151D54EC316CD3C8840665FFA70A93134F1E83E9E5F89B2D6D72289CAC765

Function 032EDE60 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e73d309f17c4f5610788fd024001330fc394db5079930bb6b2034b153c3c746
Instruction ID: 43203b105489158a0b184546cbebb59279843b164003d1d9032ae8f78755c0a0
Opcode Fuzzy Hash: 6e73d309f17c4f5610788fd024001330fc394db5079930bb6b2034b153c3c746
Instruction Fuzzy Hash: 7E01B1F97307424BDB21EF60A4C5737F2A96FA0604F5C062CC8084B201DBB1E886C6D1

Function 032ECC5F Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddccb512a25ee2811c673e5b2f8244adb2ab26aa1751f140caf5f32331d1f409
Instruction ID: ba1c3d1ca5baae6c8a74a01a355186833f6fce09427e61a4021c97ab97f56df6
Opcode Fuzzy Hash: ddccb512a25ee2811c673e5b2f8244adb2ab26aa1751f140caf5f32331d1f409
Instruction Fuzzy Hash: 39118C3462C3609FD304DB58D891A2BB7E9FB49700F58DC6DE4898B252D375C8808B86

Function 032F5930 Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 83COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 032F593A
VariantInit.OLEAUT32 ref: 032F594D

Strings

7, xrefs: 032F59B5
(, xrefs: 032F5965
?, xrefs: 032F59C9
3, xrefs: 032F59A1
=, xrefs: 032F5979
!, xrefs: 032F59BF
2, xrefs: 032F5983
-, xrefs: 032F596F
\, xrefs: 032F59AB
8, xrefs: 032F598D
-, xrefs: 032F5997

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$($-$-$2$3$7$8$=$?$\
API String ID: 2610073882-1255047175
Opcode ID: 4a160dd9a18d3fc0f8ddabc908b423f60fd4314b4d2ae48d1f26dc192e960cad
Instruction ID: 7aba52a3f641e4f6946f5edab5614f8cf686b6e727a0ff26f693d2e827a17e79
Opcode Fuzzy Hash: 4a160dd9a18d3fc0f8ddabc908b423f60fd4314b4d2ae48d1f26dc192e960cad
Instruction Fuzzy Hash: DF41267150C7C18ED326DA68844834AFFE16BA7324F184A6DE1E14B3D6D6B68149C753

Function 032F56C5 Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 75COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 032F56CF
VariantInit.OLEAUT32 ref: 032F56E2

Strings

7, xrefs: 032F574A
8, xrefs: 032F5722
?, xrefs: 032F575E
-, xrefs: 032F5704
\, xrefs: 032F5740
!, xrefs: 032F5754
=, xrefs: 032F570E
3, xrefs: 032F5736
-, xrefs: 032F572C
2, xrefs: 032F5718
(, xrefs: 032F56FA

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$($-$-$2$3$7$8$=$?$\
API String ID: 2610073882-1255047175
Opcode ID: 779e519fffdf646ad12b85c272e2ef4bf885642f72c9468839bf76f62dc3feb6
Instruction ID: 067bc23e2d1298976a8a40c43daa7e0dd4e560ada584e17219ce883b4c1644ac
Opcode Fuzzy Hash: 779e519fffdf646ad12b85c272e2ef4bf885642f72c9468839bf76f62dc3feb6
Instruction Fuzzy Hash: 4431287150C7C18ED322DA6C844834EFFE16BA7324F584AADE1E04B3D6D6B68049CB53

Function 032F5FD0 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 148memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 032F60A7

Strings

s, xrefs: 032F6215
w, xrefs: 032F6285
w, xrefs: 032F61D5
x, xrefs: 032F6265
|, xrefs: 032F61C5
x, xrefs: 032F61B5
s, xrefs: 032F6225
v, xrefs: 032F6205
{, xrefs: 032F61F5
j, xrefs: 032F6235

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID: j$s$s$v$w$w$x$x${$|
API String ID: 2525500382-2172040885
Opcode ID: 830cc366a6bd5aa22bb68c60b49c31cd1ed6d766e8009e59d2c3da5d36ef3647
Instruction ID: 4099de1d35cf8ab671e12713773501f29d00b84cffe4c31f394465c6271b86b2
Opcode Fuzzy Hash: 830cc366a6bd5aa22bb68c60b49c31cd1ed6d766e8009e59d2c3da5d36ef3647
Instruction Fuzzy Hash: 9D91E62151CBC289D336C63C88197DFBEC15BA7224F088BADD1FA5A6E2D3790146D367

Function 032FD028 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 279memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 032FD0C3
SysAllocString.OLEAUT32(77AB79D7), ref: 032FD1B1
VariantInit.OLEAUT32(?), ref: 032FD22F

Strings

(), xrefs: 032FD12D

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: AllocString$InitVariant
String ID: ()
API String ID: 3074814690-1580606521
Opcode ID: 3f82b9dae2beab58006031558fb68e852178d44bb6dc5b710e690864a6126d32
Instruction ID: c884a041cb3b301a11e8381d9cbbb283610694c7fdb079ce09cc8cda25f77d45
Opcode Fuzzy Hash: 3f82b9dae2beab58006031558fb68e852178d44bb6dc5b710e690864a6126d32
Instruction Fuzzy Hash: C991C972A183019FD314CF64D890A9ABBE9FFC5700F158D1CE5D4AB294CB74D94ACB92

Function 032F5D9F Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 99COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 032F5DD7

Strings

#, xrefs: 032F5E5D
9, xrefs: 032F5E21
5, xrefs: 032F5E35
2, xrefs: 032F5E0D
#, xrefs: 032F5E49

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitVariant
String ID: #$#$2$5$9
API String ID: 1927566239-987578143
Opcode ID: a58134db00dbee117702963aa7f1a069c1ddebb14a4f2531e2c39a3a6fa94eac
Instruction ID: 80b3d7615d6c52e9655e048f6eca4b1d9b97d34c9d3e8344339e2d6b0e72ece7
Opcode Fuzzy Hash: a58134db00dbee117702963aa7f1a069c1ddebb14a4f2531e2c39a3a6fa94eac
Instruction Fuzzy Hash: 1041387141C7C18ED321CB28889838FBFD16B9A328F584A9DE4E81B3D2C7B58545CB97

Function 032F533F Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 88COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 032F536E

Strings

5, xrefs: 032F53CC
2, xrefs: 032F53A4
#, xrefs: 032F53E0
#, xrefs: 032F53F4
9, xrefs: 032F53B8

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID: InitVariant
String ID: #$#$2$5$9
API String ID: 1927566239-987578143
Opcode ID: 137385aaeaeb3beb3237bb2637bec521cb30b13248d822b7ca7302dfaa49189f
Instruction ID: 0997a73a5fb6648b48e3efd3dc6903405efbc6682318c6d0abf4a6c92b596436
Opcode Fuzzy Hash: 137385aaeaeb3beb3237bb2637bec521cb30b13248d822b7ca7302dfaa49189f
Instruction Fuzzy Hash: B5412A7011C7C08ED362CB28889834EBFD15B9A228F585A9DF0E45B3E2C7798545C757

Function 032FCE40 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 130COMMON

Download Yara Rule

Strings

c;m5, xrefs: 032FCF75
v'w!, xrefs: 032FCFC1, 032FCFC5
03, xrefs: 032FCF85

Memory Dump Source

Source File: 00000003.00000002.1487329464.00000000032C1000.00000020.00000400.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.1487300510.00000000032C0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487375752.0000000003308000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487393978.000000000330B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1487411202.000000000331B000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 03$c;m5$v'w!
API String ID: 0-4032687651
Opcode ID: 54686f5eabb96c3473a4a62e492922f23e85bd2934b8ce4f141bccda69a4c3ef
Instruction ID: 2b9dfd003f9f8256874f4d01bd2567039c5023cad0e2a012feb3ea1560d40493
Opcode Fuzzy Hash: 54686f5eabb96c3473a4a62e492922f23e85bd2934b8ce4f141bccda69a4c3ef
Instruction Fuzzy Hash: 394188741183419FE310CF14D489B5BBBE8FB86718F008A1CF5D89A291CBB59989CF92

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report buNtKcYHCa.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
buNtKcYHCa.exe

Function 032CEE20 Relevance: 13.3, Strings: 10, Instructions: 762
COMMON

Function 032CF490 Relevance: 11.8, Strings: 9, Instructions: 528
COMMON

Function 03302710 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 032CCED0 Relevance: 6.0, APIs: 4, Instructions: 42
threadCOMMON

Function 03302630 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Function 032FF710 Relevance: 1.5, APIs: 1, Instructions: 47
memoryCOMMON

Function 032FF6A0 Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 03302C8A Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Function 033029E6 Relevance: 1.5, APIs: 1, Instructions: 21
COMMON