Windows Analysis Report
HLZwUhcJ28.exe

Overview

General Information

Sample name:	HLZwUhcJ28.exe renamed because original name is a hash value
Original sample name:	4b93cf26d6e6c52e332e084f0940c5e687a91b08e66ee822aae302d1b1f3c014.exe
Analysis ID:	1545779
MD5:	b736da6a81e01bebfdd469d26785e13c
SHA1:	e82d651e62747674fd6c8bfeb2ebdb569f572c9f
SHA256:	4b93cf26d6e6c52e332e084f0940c5e687a91b08e66ee822aae302d1b1f3c014
Tags:	arch-x64arch-x86exeimage-win10v2004-20241007-enlocale-en-usos-windows10-2004-x64systemhttps-tipneikidevhttps-traigeuser-NeikiSamples
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

File is packed with WinRar

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: HLZwUhcJ28.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe

Avira: detection malicious, Label: TR/Redcap.tpgxx

Found malware configuration

Source: 1.2.Imperial_Delay.exe.a488000.1.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["heroicmint.sbs", "wrigglesight.sbs", "ferrycheatyk.sbs", "snailyeductyi.sbs", "captaitwik.sbs", "monstourtu.sbs", "sidercotay.sbs", "deepymouthi.sbs"], "Build id": "tLYMe5--3"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe

ReversingLabs: Detection: 83%

Multi AV Scanner detection for submitted file

Source: HLZwUhcJ28.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: snailyeductyi.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ferrycheatyk.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: deepymouthi.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: wrigglesight.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: captaitwik.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: sidercotay.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: heroicmint.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: monstourtu.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: deepymouthi.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: tLYMe5--3

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0041F5CB CryptUnprotectData,

2_2_0041F5CB

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: HLZwUhcJ28.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5SqlVBox.pdb00 source: Qt5SqlVBox.dll
Source:	Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxClient-x86\VBoxClient-x86.pdb source: VBoxClient-x86.dll.0.dr
Source:	Binary string: BitLockerToGo.pdb source: Imperial_Delay.exe, 00000001.00000002.1881484672.000000000A700000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5GuiVBox.pdb source: Qt5GuiVBox.dll
Source:	Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxClient-x86\VBoxClient-x86.pdb<<9 source: VBoxClient-x86.dll.0.dr
Source:	Binary string: BitLockerToGo.pdbGCTL source: Imperial_Delay.exe, 00000001.00000002.1881484672.000000000A700000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: HLZwUhcJ28.exe
Source:	Binary string: R:\tinderbox\win-qt-5.15\out\qtbase\plugins\sqldrivers\qsqlite.pdb source: qsqlite.dll.0.dr
Source:	Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5SqlVBox.pdb source: Qt5SqlVBox.dll
Source:	Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxProxyStub-x86\VBoxProxyStub-x86.pdb source: VBoxProxyStub-x86.dll.0.dr

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECEECE0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF70ECEECE0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECD647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF70ECD647C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ED03130 FindFirstFileExA,	0_2_00007FF70ED03130

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	2_2_0042D020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx-515AFC65h]	2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], cl	2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edx], al	2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [esi]	2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+edx-4D4CB3B5h]	2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+edx+3BB86854h]	2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, ecx	2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+585213E0h]	2_2_00444200
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, ecx	2_2_00410310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041F5CB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx]	2_2_0040F6E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+2A1E1BB5h]	2_2_0040F6E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	2_2_0040D740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edi], ax	2_2_004108C6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ecx], ax	2_2_0041F8F4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [edi+ecx-42B872D0h]	2_2_00443A46
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], cl	2_2_00431C50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ebx	2_2_0040FDCC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx]	2_2_00447F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 30303030h	2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h	2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_00429170
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, dword ptr [ebp-44h]	2_2_0042F221
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp esi	2_2_004202C1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi-221F534Ah]	2_2_0042C2D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, eax	2_2_0042C2D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp+30h], 0206040Eh	2_2_00430280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	2_2_00430280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [ebx+edx]	2_2_0042E343
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebp, eax	2_2_0042E343
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ebx	2_2_0040F345
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004293D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-69h]	2_2_004293D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0040F39C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add ecx, eax	2_2_0042C5E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push esi	2_2_0042A593
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-09h]	2_2_0042C5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [0044FEE0h]	2_2_0042C5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 07E776F1h	2_2_0042C5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	2_2_00409602
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp al, 2Eh	2_2_0042D621
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, eax	2_2_0042D621
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp dword ptr [0044FFC8h]	2_2_0042D621
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push eax	2_2_004466F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ebp	2_2_004466F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi]	2_2_00441770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ebp	2_2_0040A8F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ebp	2_2_0040A8F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	2_2_00430991
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 07E776F1h	2_2_0042E9BD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	2_2_00430A1E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-08h]	2_2_00423AD1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+08h]	2_2_00423AD1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ebp	2_2_00446AA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3EDD3066h]	2_2_00421AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp di, 005Ch	2_2_00421AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, dword ptr [esp+0Ch]	2_2_00421AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_00421AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi+08h]	2_2_00442AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, esi	2_2_0042BABB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-08h]	2_2_00423ABE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+08h]	2_2_00423ABE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-271B4865h]	2_2_00424B50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ebp	2_2_00446BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	2_2_00410BB6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, byte ptr [ebx]	2_2_0040DC00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_0043AC20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	2_2_0043FCD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	2_2_00404D40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	2_2_00405DF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00430E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 07E776F1h	2_2_0042EE18
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-2AF4E5B5h]	2_2_00423E90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+08h]	2_2_00441EA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	2_2_0042EF36
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ecx	2_2_00420FE9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ebp	2_2_00446F80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056762 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sidercotay .sbs) : 192.168.2.4:62213 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056764 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (snailyeductyi .sbs) : 192.168.2.4:49626 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056760 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (monstourtu .sbs) : 192.168.2.4:59066 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056766 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrigglesight .sbs) : 192.168.2.4:57319 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056754 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ferrycheatyk .sbs) : 192.168.2.4:60925 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056752 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deepymouthi .sbs) : 192.168.2.4:63735 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056756 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (heroicmint .sbs) : 192.168.2.4:52412 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056750 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captaitwik .sbs) : 192.168.2.4:58904 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49743 -> 104.21.32.196:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 104.21.32.196:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 104.21.32.196:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49734 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49738 -> 104.21.32.196:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 104.21.32.196:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: heroicmint.sbs
Source: Malware configuration extractor	URLs: wrigglesight.sbs
Source: Malware configuration extractor	URLs: ferrycheatyk.sbs
Source: Malware configuration extractor	URLs: snailyeductyi.sbs
Source: Malware configuration extractor	URLs: captaitwik.sbs
Source: Malware configuration extractor	URLs: monstourtu.sbs
Source: Malware configuration extractor	URLs: sidercotay.sbs
Source: Malware configuration extractor	URLs: deepymouthi.sbs

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: villagedguy.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 75Host: villagedguy.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18159Host: villagedguy.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8780Host: villagedguy.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20433Host: villagedguy.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 3802Host: villagedguy.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 3818Host: villagedguy.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1249Host: villagedguy.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1117Host: villagedguy.cyou

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: deepymouthi.sbs
Source: global traffic	DNS traffic detected: DNS query: monstourtu.sbs
Source: global traffic	DNS traffic detected: DNS query: heroicmint.sbs
Source: global traffic	DNS traffic detected: DNS query: sidercotay.sbs
Source: global traffic	DNS traffic detected: DNS query: captaitwik.sbs
Source: global traffic	DNS traffic detected: DNS query: wrigglesight.sbs
Source: global traffic	DNS traffic detected: DNS query: ferrycheatyk.sbs
Source: global traffic	DNS traffic detected: DNS query: snailyeductyi.sbs
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: villagedguy.cyou

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: villagedguy.cyou

Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://ocsp.digicert.com0A
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://ocsp.digicert.com0C
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://ocsp.digicert.com0N
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://ocsp.digicert.com0X
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Qt5GuiVBox.dll	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: Qt5GuiVBox.dll	String found in binary or memory: http://www.color.org)
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://www.digicert.com/CPS0
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: Imperial_Delay.exe	String found in binary or memory: https://api.zitadel.ch/assets/v1/avatar-32432jkh4kj32
Source: BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/communit
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=xYs7
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&l=
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&l=engli
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=I6RUPT-G-voT&amp
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Imperial_Delay.exe	String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: Imperial_Delay.exe	String found in binary or memory: https://github.com/zitadel/zitadel/blob/new-eventstore/cmd/zitadel/startup.yaml.
Source: libidn2-0.dll.0.dr	String found in binary or memory: https://gnu.org/licenses/gpl.html
Source: libidn2-0.dll.0.dr	String found in binary or memory: https://gnu.org/licenses/gpl.htmlWritten
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.1924301094.0000000005090000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000002.00000003.1924301094.000000000508E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: BitLockerToGo.exe, 00000002.00000003.1924301094.000000000508E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/
Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/Y
Source: BitLockerToGo.exe, 00000002.00000003.1981505063.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2022709028.0000000002D1D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2038989446.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1981900349.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2010643755.0000000002D1F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1996190492.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1922685655.0000000002CBA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2023090021.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2032771167.0000000002D1D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2033135323.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/api
Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/api0
Source: BitLockerToGo.exe, 00000002.00000002.2038989446.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apiF9
Source: BitLockerToGo.exe, 00000002.00000003.2009812823.0000000002D19000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2010533759.0000000002D1C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2010643755.0000000002D1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apiO
Source: BitLockerToGo.exe, 00000002.00000003.2023090021.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apiX
Source: BitLockerToGo.exe, 00000002.00000002.2038989446.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2032771167.0000000002D1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apibu
Source: BitLockerToGo.exe, 00000002.00000002.2038989446.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apibu0
Source: BitLockerToGo.exe, 00000002.00000003.1951968090.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apig
Source: BitLockerToGo.exe, 00000002.00000003.1981505063.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apiob
Source: BitLockerToGo.exe, 00000002.00000003.1996190492.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apis
Source: BitLockerToGo.exe, 00000002.00000003.1981505063.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/api~Vl
Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/ges
Source: BitLockerToGo.exe, 00000002.00000003.2033135323.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2029618149.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/h
Source: BitLockerToGo.exe, 00000002.00000003.1998002889.0000000002D2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1996190492.0000000002D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou:443/api
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: https://www.digicert.com/CPS0
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: libidn2-0.dll.0.dr	String found in binary or memory: https://www.gnu.org/gethelp/
Source: libidn2-0.dll.0.dr	String found in binary or memory: https://www.gnu.org/gethelp/exebatcmdcom
Source: libiconv-2.dll.0.dr	String found in binary or memory: https://www.gnu.org/licenses/
Source: libidn2-0.dll.0.dr	String found in binary or memory: https://www.gnu.org/software/libidn/#libidn2
Source: libidn2-0.dll.0.dr	String found in binary or memory: https://www.gnu.org/software/libidn/#libidn2Libidn2General
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: VBoxProxyStub-x86.dll.0.dr	String found in binary or memory: https://www.virtualbox.org/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49745 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00438A30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00438A30

Contains functionality to read the clipboard data

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00438A30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00438A30

Contains functionality to record screenshots

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00438BF0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_00438BF0

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.1881484672.000000000A7D8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Detected potential crypto function

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECF400C	0_2_00007FF70ECF400C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECDA8AC	0_2_00007FF70ECDA8AC
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECE569C	0_2_00007FF70ECE569C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECEECE0	0_2_00007FF70ECEECE0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECDDC4C	0_2_00007FF70ECDDC4C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECF09D8	0_2_00007FF70ECF09D8
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECE6294	0_2_00007FF70ECE6294
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ED09008	0_2_00007FF70ED09008
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ED02F24	0_2_00007FF70ED02F24
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECFC074	0_2_00007FF70ECFC074
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECFBDF8	0_2_00007FF70ECFBDF8
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECFFD18	0_2_00007FF70ECFFD18
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECDBF0C	0_2_00007FF70ECDBF0C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECDB318	0_2_00007FF70ECDB318
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ED05510	0_2_00007FF70ED05510
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ED059E0	0_2_00007FF70ED059E0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECF400C	0_2_00007FF70ECF400C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECDE91C	0_2_00007FF70ECDE91C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECDB948	0_2_00007FF70ECDB948
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECD72AC	0_2_00007FF70ECD72AC
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECECA30	0_2_00007FF70ECECA30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042D020	2_2_0042D020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004321CC	2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004412F0	2_2_004412F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040E280	2_2_0040E280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043D530	2_2_0043D530
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040F6E0	2_2_0040F6E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00411789	2_2_00411789
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004488A0	2_2_004488A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043DAF2	2_2_0043DAF2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00431C50	2_2_00431C50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040FDCC	2_2_0040FDCC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043DE1A	2_2_0043DE1A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00447F40	2_2_00447F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00442040	2_2_00442040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00430068	2_2_00430068
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00408020	2_2_00408020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004461C0	2_2_004461C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040A1EE	2_2_0040A1EE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043E180	2_2_0043E180
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043C1B1	2_2_0043C1B1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00407270	2_2_00407270
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00448230	2_2_00448230
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004202C1	2_2_004202C1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004012D5	2_2_004012D5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00430280	2_2_00430280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041D2AD	2_2_0041D2AD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042E343	2_2_0042E343
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004293D0	2_2_004293D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041F388	2_2_0041F388
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042D420	2_2_0042D420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040B4E0	2_2_0040B4E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004264BD	2_2_004264BD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040C560	2_2_0040C560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00448560	2_2_00448560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00405500	2_2_00405500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043E5C0	2_2_0043E5C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042C5A0	2_2_0042C5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004385A0	2_2_004385A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042F662	2_2_0042F662
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00409602	2_2_00409602
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00407620	2_2_00407620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042D621	2_2_0042D621
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004466F0	2_2_004466F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004247C0	2_2_004247C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040E780	2_2_0040E780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040A8F0	2_2_0040A8F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00416892	2_2_00416892
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00445950	2_2_00445950
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00403960	2_2_00403960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042E9BD	2_2_0042E9BD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040BA50	2_2_0040BA50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00429A2F	2_2_00429A2F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00411789	2_2_00411789
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00436A80	2_2_00436A80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00446AA0	2_2_00446AA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00421AB0	2_2_00421AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00442AB0	2_2_00442AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042BABB	2_2_0042BABB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041DB48	2_2_0041DB48
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00424B50	2_2_00424B50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00420B70	2_2_00420B70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042FB39	2_2_0042FB39
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00446BB0	2_2_00446BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041EC80	2_2_0041EC80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043CC90	2_2_0043CC90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00445D40	2_2_00445D40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00425D7B	2_2_00425D7B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00429E48	2_2_00429E48
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00422E70	2_2_00422E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042AE18	2_2_0042AE18
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042AEE0	2_2_0042AEE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00423E90	2_2_00423E90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042DF77	2_2_0042DF77
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00420FE9	2_2_00420FE9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00446F80	2_2_00446F80

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5GuiVBox.dll 86F6A04FE611CA402D3C4841561F5B396CE61F0212BB6DA58C7274532E2CFD14
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5SqlVBox.dll EAA9EFDE1704FA6ABBEF9878EECFA386E89003F23E07ADCAF641A6C741893BA1
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxClient-x86.dll 84B47308ABC293515FA8B682D7EDE3A53FED426A7073CFEC466BCDE681DA715F

Found potential string decryption / allocating functions

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0040D040 appears 68 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0041E8C0 appears 234 times

PE file contains more sections than normal

Source: libidn2-0.dll.0.dr	Static PE information: Number of sections : 11 > 10
Source: libintl-8.dll.0.dr	Static PE information: Number of sections : 12 > 10
Source: libiconv-2.dll.0.dr	Static PE information: Number of sections : 12 > 10

Yara signature match

Source: 00000001.00000002.1881484672.000000000A7D8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/13@10/2

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: 0_2_00007FF70ECD3BF8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF70ECD3BF8

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0043D8D0 CoCreateInstance,

2_2_0043D8D0

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: 0_2_00007FF70ECEC260 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF70ECEC260

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: HLZwUhcJ28.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: qsqlite.dll.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: qsqlite.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: qsqlite.dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: qsqlite.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: qsqlite.dll.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: qsqlite.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: BitLockerToGo.exe, 00000002.00000003.1924561686.0000000005066000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1925169464.000000000504A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: qsqlite.dll.0.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: HLZwUhcJ28.exe

ReversingLabs: Detection: 50%

Source: Imperial_Delay.exe	String found in binary or memory: &github.com/filecoin-project/go-address
Source: Imperial_Delay.exe	String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine (BADINDEX)%!(NOVERB)Connectionlocal-addrSet-Cookie; Expires=; Max-Age=; HttpOnly stream=%d:authorityset-cookieuser-agentkeep-aliveconnectionHost: %s
Source: Imperial_Delay.exe	String found in binary or memory: stopm spinning nmidlelocked= needspinning=store64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine RegSetValueExWContent-Length; SameSite=LaxERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eofinternal errorunknown error unknown code: Not AcceptableMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAM.WithDeadline(<not Stringer>.in-addr.arpa.unknown mode: invalid syntax1907348632812595367431640625unexpected EOFunsafe.Pointer on zero Valuereflect.Value.unknown method^[a-f0-9]{64}$^[a-f0-9]{96}$CLICOLOR_FORCEerrdefs.Vertexerrdefs.Sourceexec.meta.baseexec.mount.sshexec.secretenvpb.ExportCachereserved_rangefield_presencemurmur3-x64-64ControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDOpenSCManagerWSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWModule32FirstWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueWunreachable: /log/filter.go/log/helper.goboringcrypto: data truncated
Source: Imperial_Delay.exe	String found in binary or memory: depgithub.com/filecoin-project/go-addressv1.1.0h1:ofdtUtEsNxkIxkDw67ecSmvtzaVSdcea4boAmLbnHfE=
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.init.0
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.glob..func1
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Bytes
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.glob..func2
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Protocol
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Payload
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.String
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Empty
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Unmarshal
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Marshal
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalJSON
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.MarshalJSON
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Scan
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.NewActorAddress
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.addressHash
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.NewFromBytes
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.newAddress
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.encode
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Checksum
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.base32decode
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.decode
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.ValidateChecksum
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.hash
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.MarshalBinary
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalBinary
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalCBOR
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalCBOR
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.init.1
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.init
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Bytes
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Empty
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Marshal
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalBinary
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalJSON
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Payload
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Protocol
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).String
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Unmarshal
Source: Imperial_Delay.exe	String found in binary or memory: net/addrselect.go
Source: Imperial_Delay.exe	String found in binary or memory: google.golang.org/grpc@v1.64.0/internal/balancerload/load.go
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address@v1.1.0/address.go
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address@v1.1.0/address.go
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address@v1.1.0/constants.go
Source: Imperial_Delay.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

File read: C:\Users\user\Desktop\HLZwUhcJ28.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HLZwUhcJ28.exe "C:\Users\user\Desktop\HLZwUhcJ28.exe"
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: HLZwUhcJ28.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: HLZwUhcJ28.exe

Static file information: File size 13706949 > 1048576

Source: HLZwUhcJ28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: HLZwUhcJ28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: HLZwUhcJ28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: HLZwUhcJ28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: HLZwUhcJ28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: HLZwUhcJ28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: HLZwUhcJ28.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: HLZwUhcJ28.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5SqlVBox.pdb00 source: Qt5SqlVBox.dll
Source:	Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxClient-x86\VBoxClient-x86.pdb source: VBoxClient-x86.dll.0.dr
Source:	Binary string: BitLockerToGo.pdb source: Imperial_Delay.exe, 00000001.00000002.1881484672.000000000A700000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5GuiVBox.pdb source: Qt5GuiVBox.dll
Source:	Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxClient-x86\VBoxClient-x86.pdb<<9 source: VBoxClient-x86.dll.0.dr
Source:	Binary string: BitLockerToGo.pdbGCTL source: Imperial_Delay.exe, 00000001.00000002.1881484672.000000000A700000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: HLZwUhcJ28.exe
Source:	Binary string: R:\tinderbox\win-qt-5.15\out\qtbase\plugins\sqldrivers\qsqlite.pdb source: qsqlite.dll.0.dr
Source:	Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5SqlVBox.pdb source: Qt5SqlVBox.dll
Source:	Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxProxyStub-x86\VBoxProxyStub-x86.pdb source: VBoxProxyStub-x86.dll.0.dr

Source: HLZwUhcJ28.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: HLZwUhcJ28.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: HLZwUhcJ28.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: HLZwUhcJ28.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: HLZwUhcJ28.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

File is packed with WinRar

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6902359

Jump to behavior

PE file contains sections with non-standard names

Source: HLZwUhcJ28.exe	Static PE information: section name: .didat
Source: HLZwUhcJ28.exe	Static PE information: section name: _RDATA
Source: VBoxProxyStub-x86.dll.0.dr	Static PE information: section name: .orpc
Source: Imperial_Delay.exe.0.dr	Static PE information: section name: .symtab
Source: libiconv-2.dll.0.dr	Static PE information: section name: .xdata
Source: libidn2-0.dll.0.dr	Static PE information: section name: .xdata
Source: libintl-8.dll.0.dr	Static PE information: section name: .xdata
Source: qsqlite.dll.0.dr	Static PE information: section name: .qtmetad

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0044CE5D push esp; retf

2_2_0044CE67

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Drops PE files

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\qsqlite.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5GuiVBox.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxProxyStub-x86.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libintl-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxClient-x86.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5SqlVBox.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libidn2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libiconv-2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Security-Common.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\cygwin1.dll	Jump to dropped file

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\cygwin1.dll

Jump to behavior

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

System information queried: FirmwareTableInformation

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\qsqlite.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5GuiVBox.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxProxyStub-x86.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libintl-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxClient-x86.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5SqlVBox.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libidn2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libiconv-2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Security-Common.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\cygwin1.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 1104

Thread sleep time: -30000s >= -30000s

Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECEECE0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF70ECEECE0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECD647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF70ECD647C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ED03130 FindFirstFileExA,	0_2_00007FF70ED03130

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: 0_2_00007FF70ECF5134 VirtualQuery,GetSystemInfo,

0_2_00007FF70ECF5134

Source: VBoxProxyStub-x86.dll.0.dr	Binary or memory string: 0JvPartitionType_VMWareUnknownW@
Source: VBoxProxyStub-x86.dll.0.dr	Binary or memory string: AdditionsFacilityType_VBoxGuestDriverWWW
Source: VBoxProxyStub-x86.dll.0.dr	Binary or memory string: !0R4AdditionsFacilityType_VBoxServiceWWW
Source: VBoxProxyStub-x86.dll.0.dr	Binary or memory string: PartitionType_VMWareVMFS@
Source: VBoxClient-x86.dll.0.dr, VBoxProxyStub-x86.dll.0.dr	Binary or memory string: AdditionsFacilityType_VBoxTrayClient
Source: VBoxProxyStub-x86.dll.0.dr	Binary or memory string: PartitionType_VMWareReserved@
Source: VBoxProxyStub-x86.dll.0.dr	Binary or memory string: aVmNetTx
Source: Qt5GuiVBox.dll	Binary or memory string: .?AVQEmulationPaintEngine@@H
Source: VBoxProxyStub-x86.dll.0.dr	Binary or memory string: aVmNetRx
Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002CAD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: VBoxProxyStub-x86.dll.0.dr	Binary or memory string: PartitionType_VMWareVMKCoreW@
Source: Imperial_Delay.exe, 00000001.00000002.1878293373.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Qt5GuiVBox.dll	Binary or memory string: .?AVQEmulationPaintEngine@@

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_004442C0 LdrInitializeThunk,

2_2_004442C0

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: 0_2_00007FF70ECFAC68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF70ECFAC68

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: 0_2_00007FF70ED041B0 GetProcessHeap,

0_2_00007FF70ED041B0

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECF6B24 SetUnhandledExceptionFilter,	0_2_00007FF70ECF6B24
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECF5CE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF70ECF5CE0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECFAC68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF70ECFAC68
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECF6940 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF70ECF6940

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: snailyeductyi.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ferrycheatyk.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: deepymouthi.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: wrigglesight.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: captaitwik.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: sidercotay.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: heroicmint.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: monstourtu.sbs

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2867008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 449000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44C000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 45C000	Jump to behavior

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: 0_2_00007FF70ECEECE0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF70ECEECE0

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"			Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: 0_2_00007FF70ED08DF0 cpuid

0_2_00007FF70ED08DF0

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00007FF70ECEDE44

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: 0_2_00007FF70ECF400C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF70ECF400C

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: 0_2_00007FF70ECD6768 GetVersionExW,

0_2_00007FF70ECD6768

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: BitLockerToGo.exe, 00000002.00000003.2023225773.0000000002D1F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2022709028.0000000002D1D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 2676, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: BitLockerToGo.exe, 00000002.00000003.2023225773.0000000002D1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s/Electrum-LTC
Source: BitLockerToGo.exe, 00000002.00000003.2029618149.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: BitLockerToGo.exe, 00000002.00000003.2009812823.0000000002D19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: BitLockerToGo.exe, 00000002.00000003.2029618149.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000002.00000003.2010145588.0000000002CBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: BitLockerToGo.exe, 00000002.00000003.2009812823.0000000002D19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: BitLockerToGo.exe, 00000002.00000003.2029618149.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: BitLockerToGo.exe, 00000002.00000003.1951968090.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BitLockerToGo.exe, 00000002.00000003.1951968090.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Searches for user specific document files

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000002.00000003.1951968090.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1983486359.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1982657253.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1981505063.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1983200877.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1983911161.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1981900349.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1982913303.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1983703963.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1996190492.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1982143036.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 2676, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 2676, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	true
104.21.32.196	villagedguy.cyou	United States		13335	CLOUDFLARENETUS	true

Contacted Domains

Name	IP	Active
steamcommunity.com	104.102.49.254	true
villagedguy.cyou	104.21.32.196	true
wrigglesight.sbs	unknown	unknown
ferrycheatyk.sbs	unknown	unknown
deepymouthi.sbs	unknown	unknown
monstourtu.sbs	unknown	unknown
captaitwik.sbs	unknown	unknown
snailyeductyi.sbs	unknown	unknown
heroicmint.sbs	unknown	unknown
sidercotay.sbs	unknown	unknown

Contacted URLs

Name	Malicious	Reputation
wrigglesight.sbs	true	unknown
heroicmint.sbs	true	unknown
ferrycheatyk.sbs	true	unknown
https://steamcommunity.com/profiles/76561199724331900	true	unknown
deepymouthi.sbs	true	unknown
sidercotay.sbs	true	unknown
https://villagedguy.cyou/api	true	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: HLZwUhcJ28.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe

Avira: detection malicious, Label: TR/Redcap.tpgxx

Found malware configuration

Source: 1.2.Imperial_Delay.exe.a488000.1.raw.unpack

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe

ReversingLabs: Detection: 83%

Multi AV Scanner detection for submitted file

Source: HLZwUhcJ28.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: snailyeductyi.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ferrycheatyk.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: deepymouthi.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: wrigglesight.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: captaitwik.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: sidercotay.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: heroicmint.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: monstourtu.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: deepymouthi.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: tLYMe5--3

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0041F5CB CryptUnprotectData,

2_2_0041F5CB

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: HLZwUhcJ28.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5SqlVBox.pdb00 source: Qt5SqlVBox.dll
Source:	Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxClient-x86\VBoxClient-x86.pdb source: VBoxClient-x86.dll.0.dr
Source:	Binary string: BitLockerToGo.pdb source: Imperial_Delay.exe, 00000001.00000002.1881484672.000000000A700000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5GuiVBox.pdb source: Qt5GuiVBox.dll
Source:	Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxClient-x86\VBoxClient-x86.pdb<<9 source: VBoxClient-x86.dll.0.dr
Source:	Binary string: BitLockerToGo.pdbGCTL source: Imperial_Delay.exe, 00000001.00000002.1881484672.000000000A700000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: HLZwUhcJ28.exe
Source:	Binary string: R:\tinderbox\win-qt-5.15\out\qtbase\plugins\sqldrivers\qsqlite.pdb source: qsqlite.dll.0.dr
Source:	Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5SqlVBox.pdb source: Qt5SqlVBox.dll
Source:	Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxProxyStub-x86\VBoxProxyStub-x86.pdb source: VBoxProxyStub-x86.dll.0.dr

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECEECE0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF70ECEECE0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECD647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF70ECD647C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ED03130 FindFirstFileExA,	0_2_00007FF70ED03130

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	2_2_0042D020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx-515AFC65h]	2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], cl	2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edx], al	2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [esi]	2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+edx-4D4CB3B5h]	2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+edx+3BB86854h]	2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, ecx	2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+585213E0h]	2_2_00444200
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, ecx	2_2_00410310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041F5CB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx]	2_2_0040F6E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+2A1E1BB5h]	2_2_0040F6E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, eax	2_2_0040D740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edi], ax	2_2_004108C6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [ecx], ax	2_2_0041F8F4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [edi+ecx-42B872D0h]	2_2_00443A46
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], cl	2_2_00431C50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ebx	2_2_0040FDCC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx]	2_2_00447F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 30303030h	2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h	2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_00429170
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, dword ptr [ebp-44h]	2_2_0042F221
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp esi	2_2_004202C1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi-221F534Ah]	2_2_0042C2D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, eax	2_2_0042C2D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp+30h], 0206040Eh	2_2_00430280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	2_2_00430280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [ebx+edx]	2_2_0042E343
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebp, eax	2_2_0042E343
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ebx	2_2_0040F345
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004293D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-69h]	2_2_004293D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0040F39C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add ecx, eax	2_2_0042C5E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push esi	2_2_0042A593
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-09h]	2_2_0042C5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [0044FEE0h]	2_2_0042C5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 07E776F1h	2_2_0042C5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	2_2_00409602
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp al, 2Eh	2_2_0042D621
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, eax	2_2_0042D621
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp dword ptr [0044FFC8h]	2_2_0042D621
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push eax	2_2_004466F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ebp	2_2_004466F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi]	2_2_00441770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ebp	2_2_0040A8F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ebp	2_2_0040A8F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	2_2_00430991
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 07E776F1h	2_2_0042E9BD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	2_2_00430A1E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-08h]	2_2_00423AD1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+08h]	2_2_00423AD1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ebp	2_2_00446AA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3EDD3066h]	2_2_00421AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp di, 005Ch	2_2_00421AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, dword ptr [esp+0Ch]	2_2_00421AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_00421AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi+08h]	2_2_00442AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, esi	2_2_0042BABB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-08h]	2_2_00423ABE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+08h]	2_2_00423ABE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-271B4865h]	2_2_00424B50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ebp	2_2_00446BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	2_2_00410BB6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, byte ptr [ebx]	2_2_0040DC00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_0043AC20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	2_2_0043FCD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	2_2_00404D40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	2_2_00405DF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00430E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 07E776F1h	2_2_0042EE18
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-2AF4E5B5h]	2_2_00423E90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+08h]	2_2_00441EA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	2_2_0042EF36
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ecx	2_2_00420FE9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ebp	2_2_00446F80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056762 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sidercotay .sbs) : 192.168.2.4:62213 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056764 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (snailyeductyi .sbs) : 192.168.2.4:49626 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056760 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (monstourtu .sbs) : 192.168.2.4:59066 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056766 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrigglesight .sbs) : 192.168.2.4:57319 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056754 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ferrycheatyk .sbs) : 192.168.2.4:60925 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056752 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deepymouthi .sbs) : 192.168.2.4:63735 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056756 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (heroicmint .sbs) : 192.168.2.4:52412 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056750 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captaitwik .sbs) : 192.168.2.4:58904 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49743 -> 104.21.32.196:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 104.21.32.196:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 104.21.32.196:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49734 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49738 -> 104.21.32.196:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 104.21.32.196:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: heroicmint.sbs
Source: Malware configuration extractor	URLs: wrigglesight.sbs
Source: Malware configuration extractor	URLs: ferrycheatyk.sbs
Source: Malware configuration extractor	URLs: snailyeductyi.sbs
Source: Malware configuration extractor	URLs: captaitwik.sbs
Source: Malware configuration extractor	URLs: monstourtu.sbs
Source: Malware configuration extractor	URLs: sidercotay.sbs
Source: Malware configuration extractor	URLs: deepymouthi.sbs

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: villagedguy.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 75Host: villagedguy.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18159Host: villagedguy.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8780Host: villagedguy.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20433Host: villagedguy.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 3802Host: villagedguy.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 3818Host: villagedguy.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1249Host: villagedguy.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1117Host: villagedguy.cyou

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp

Source: global traffic	DNS traffic detected: DNS query: deepymouthi.sbs
Source: global traffic	DNS traffic detected: DNS query: monstourtu.sbs
Source: global traffic	DNS traffic detected: DNS query: heroicmint.sbs
Source: global traffic	DNS traffic detected: DNS query: sidercotay.sbs
Source: global traffic	DNS traffic detected: DNS query: captaitwik.sbs
Source: global traffic	DNS traffic detected: DNS query: wrigglesight.sbs
Source: global traffic	DNS traffic detected: DNS query: ferrycheatyk.sbs
Source: global traffic	DNS traffic detected: DNS query: snailyeductyi.sbs
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: villagedguy.cyou

Source: unknown

Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://ocsp.digicert.com0A
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://ocsp.digicert.com0C
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://ocsp.digicert.com0N
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://ocsp.digicert.com0X
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Qt5GuiVBox.dll	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: Qt5GuiVBox.dll	String found in binary or memory: http://www.color.org)
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: http://www.digicert.com/CPS0
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: Imperial_Delay.exe	String found in binary or memory: https://api.zitadel.ch/assets/v1/avatar-32432jkh4kj32
Source: BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/communit
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=xYs7
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&l=
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&l=engli
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=I6RUPT-G-voT&amp
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Imperial_Delay.exe	String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: Imperial_Delay.exe	String found in binary or memory: https://github.com/zitadel/zitadel/blob/new-eventstore/cmd/zitadel/startup.yaml.
Source: libidn2-0.dll.0.dr	String found in binary or memory: https://gnu.org/licenses/gpl.html
Source: libidn2-0.dll.0.dr	String found in binary or memory: https://gnu.org/licenses/gpl.htmlWritten
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.1924301094.0000000005090000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000002.00000003.1924301094.000000000508E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: BitLockerToGo.exe, 00000002.00000003.1924301094.000000000508E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/
Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/Y
Source: BitLockerToGo.exe, 00000002.00000003.1981505063.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2022709028.0000000002D1D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2038989446.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1981900349.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2010643755.0000000002D1F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1996190492.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1922685655.0000000002CBA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2023090021.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2032771167.0000000002D1D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2033135323.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/api
Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/api0
Source: BitLockerToGo.exe, 00000002.00000002.2038989446.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apiF9
Source: BitLockerToGo.exe, 00000002.00000003.2009812823.0000000002D19000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2010533759.0000000002D1C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2010643755.0000000002D1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apiO
Source: BitLockerToGo.exe, 00000002.00000003.2023090021.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apiX
Source: BitLockerToGo.exe, 00000002.00000002.2038989446.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2032771167.0000000002D1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apibu
Source: BitLockerToGo.exe, 00000002.00000002.2038989446.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apibu0
Source: BitLockerToGo.exe, 00000002.00000003.1951968090.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apig
Source: BitLockerToGo.exe, 00000002.00000003.1981505063.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apiob
Source: BitLockerToGo.exe, 00000002.00000003.1996190492.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apis
Source: BitLockerToGo.exe, 00000002.00000003.1981505063.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/api~Vl
Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/ges
Source: BitLockerToGo.exe, 00000002.00000003.2033135323.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2029618149.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/h
Source: BitLockerToGo.exe, 00000002.00000003.1998002889.0000000002D2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1996190492.0000000002D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou:443/api
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll	String found in binary or memory: https://www.digicert.com/CPS0
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: libidn2-0.dll.0.dr	String found in binary or memory: https://www.gnu.org/gethelp/
Source: libidn2-0.dll.0.dr	String found in binary or memory: https://www.gnu.org/gethelp/exebatcmdcom
Source: libiconv-2.dll.0.dr	String found in binary or memory: https://www.gnu.org/licenses/
Source: libidn2-0.dll.0.dr	String found in binary or memory: https://www.gnu.org/software/libidn/#libidn2
Source: libidn2-0.dll.0.dr	String found in binary or memory: https://www.gnu.org/software/libidn/#libidn2Libidn2General
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: VBoxProxyStub-x86.dll.0.dr	String found in binary or memory: https://www.virtualbox.org/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49745 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00438A30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00438A30

Contains functionality to read the clipboard data

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00438A30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00438A30

Contains functionality to record screenshots

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_00438BF0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_00438BF0

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.1881484672.000000000A7D8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Detected potential crypto function

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECF400C	0_2_00007FF70ECF400C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECDA8AC	0_2_00007FF70ECDA8AC
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECE569C	0_2_00007FF70ECE569C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECEECE0	0_2_00007FF70ECEECE0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECDDC4C	0_2_00007FF70ECDDC4C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECF09D8	0_2_00007FF70ECF09D8
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECE6294	0_2_00007FF70ECE6294
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ED09008	0_2_00007FF70ED09008
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ED02F24	0_2_00007FF70ED02F24
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECFC074	0_2_00007FF70ECFC074
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECFBDF8	0_2_00007FF70ECFBDF8
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECFFD18	0_2_00007FF70ECFFD18
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECDBF0C	0_2_00007FF70ECDBF0C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECDB318	0_2_00007FF70ECDB318
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ED05510	0_2_00007FF70ED05510
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ED059E0	0_2_00007FF70ED059E0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECF400C	0_2_00007FF70ECF400C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECDE91C	0_2_00007FF70ECDE91C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECDB948	0_2_00007FF70ECDB948
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECD72AC	0_2_00007FF70ECD72AC
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECECA30	0_2_00007FF70ECECA30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042D020	2_2_0042D020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004321CC	2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004412F0	2_2_004412F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040E280	2_2_0040E280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043D530	2_2_0043D530
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040F6E0	2_2_0040F6E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00411789	2_2_00411789
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004488A0	2_2_004488A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043DAF2	2_2_0043DAF2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00431C50	2_2_00431C50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040FDCC	2_2_0040FDCC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043DE1A	2_2_0043DE1A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00447F40	2_2_00447F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00442040	2_2_00442040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00430068	2_2_00430068
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00408020	2_2_00408020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004461C0	2_2_004461C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040A1EE	2_2_0040A1EE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043E180	2_2_0043E180
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043C1B1	2_2_0043C1B1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00407270	2_2_00407270
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00448230	2_2_00448230
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004202C1	2_2_004202C1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004012D5	2_2_004012D5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00430280	2_2_00430280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041D2AD	2_2_0041D2AD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042E343	2_2_0042E343
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004293D0	2_2_004293D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041F388	2_2_0041F388
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042D420	2_2_0042D420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040B4E0	2_2_0040B4E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004264BD	2_2_004264BD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040C560	2_2_0040C560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00448560	2_2_00448560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00405500	2_2_00405500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043E5C0	2_2_0043E5C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042C5A0	2_2_0042C5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004385A0	2_2_004385A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042F662	2_2_0042F662
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00409602	2_2_00409602
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00407620	2_2_00407620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042D621	2_2_0042D621
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004466F0	2_2_004466F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_004247C0	2_2_004247C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040E780	2_2_0040E780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040A8F0	2_2_0040A8F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00416892	2_2_00416892
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00445950	2_2_00445950
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00403960	2_2_00403960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042E9BD	2_2_0042E9BD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0040BA50	2_2_0040BA50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00429A2F	2_2_00429A2F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00411789	2_2_00411789
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00436A80	2_2_00436A80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00446AA0	2_2_00446AA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00421AB0	2_2_00421AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00442AB0	2_2_00442AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042BABB	2_2_0042BABB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041DB48	2_2_0041DB48
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00424B50	2_2_00424B50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00420B70	2_2_00420B70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042FB39	2_2_0042FB39
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00446BB0	2_2_00446BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0041EC80	2_2_0041EC80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0043CC90	2_2_0043CC90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00445D40	2_2_00445D40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00425D7B	2_2_00425D7B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00429E48	2_2_00429E48
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00422E70	2_2_00422E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042AE18	2_2_0042AE18
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042AEE0	2_2_0042AEE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00423E90	2_2_00423E90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_0042DF77	2_2_0042DF77
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00420FE9	2_2_00420FE9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 2_2_00446F80	2_2_00446F80

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5GuiVBox.dll 86F6A04FE611CA402D3C4841561F5B396CE61F0212BB6DA58C7274532E2CFD14
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5SqlVBox.dll EAA9EFDE1704FA6ABBEF9878EECFA386E89003F23E07ADCAF641A6C741893BA1
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxClient-x86.dll 84B47308ABC293515FA8B682D7EDE3A53FED426A7073CFEC466BCDE681DA715F

Found potential string decryption / allocating functions

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0040D040 appears 68 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0041E8C0 appears 234 times

PE file contains more sections than normal

Source: libidn2-0.dll.0.dr	Static PE information: Number of sections : 11 > 10
Source: libintl-8.dll.0.dr	Static PE information: Number of sections : 12 > 10
Source: libiconv-2.dll.0.dr	Static PE information: Number of sections : 12 > 10

Yara signature match

Source: 00000001.00000002.1881484672.000000000A7D8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/13@10/2

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: 0_2_00007FF70ECD3BF8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF70ECD3BF8

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0043D8D0 CoCreateInstance,

2_2_0043D8D0

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: 0_2_00007FF70ECEC260 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF70ECEC260

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: HLZwUhcJ28.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: qsqlite.dll.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: qsqlite.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: qsqlite.dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: qsqlite.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: qsqlite.dll.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: qsqlite.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: BitLockerToGo.exe, 00000002.00000003.1924561686.0000000005066000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1925169464.000000000504A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: qsqlite.dll.0.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: HLZwUhcJ28.exe

ReversingLabs: Detection: 50%

Source: Imperial_Delay.exe	String found in binary or memory: &github.com/filecoin-project/go-address
Source: Imperial_Delay.exe	String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine (BADINDEX)%!(NOVERB)Connectionlocal-addrSet-Cookie; Expires=; Max-Age=; HttpOnly stream=%d:authorityset-cookieuser-agentkeep-aliveconnectionHost: %s
Source: Imperial_Delay.exe	String found in binary or memory: stopm spinning nmidlelocked= needspinning=store64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine RegSetValueExWContent-Length; SameSite=LaxERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eofinternal errorunknown error unknown code: Not AcceptableMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAM.WithDeadline(<not Stringer>.in-addr.arpa.unknown mode: invalid syntax1907348632812595367431640625unexpected EOFunsafe.Pointer on zero Valuereflect.Value.unknown method^[a-f0-9]{64}$^[a-f0-9]{96}$CLICOLOR_FORCEerrdefs.Vertexerrdefs.Sourceexec.meta.baseexec.mount.sshexec.secretenvpb.ExportCachereserved_rangefield_presencemurmur3-x64-64ControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDOpenSCManagerWSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWModule32FirstWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueWunreachable: /log/filter.go/log/helper.goboringcrypto: data truncated
Source: Imperial_Delay.exe	String found in binary or memory: depgithub.com/filecoin-project/go-addressv1.1.0h1:ofdtUtEsNxkIxkDw67ecSmvtzaVSdcea4boAmLbnHfE=
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.init.0
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.glob..func1
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Bytes
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.glob..func2
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Protocol
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Payload
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.String
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Empty
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Unmarshal
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Marshal
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalJSON
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.MarshalJSON
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Scan
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.NewActorAddress
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.addressHash
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.NewFromBytes
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.newAddress
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.encode
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Checksum
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.base32decode
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.decode
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.ValidateChecksum
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.hash
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.MarshalBinary
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalBinary
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalCBOR
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalCBOR
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.init.1
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.init
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Bytes
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Empty
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Marshal
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalBinary
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalJSON
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Payload
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Protocol
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).String
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Unmarshal
Source: Imperial_Delay.exe	String found in binary or memory: net/addrselect.go
Source: Imperial_Delay.exe	String found in binary or memory: google.golang.org/grpc@v1.64.0/internal/balancerload/load.go
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address@v1.1.0/address.go
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address@v1.1.0/address.go
Source: Imperial_Delay.exe	String found in binary or memory: github.com/filecoin-project/go-address@v1.1.0/constants.go
Source: Imperial_Delay.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

File read: C:\Users\user\Desktop\HLZwUhcJ28.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HLZwUhcJ28.exe "C:\Users\user\Desktop\HLZwUhcJ28.exe"
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: HLZwUhcJ28.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: HLZwUhcJ28.exe

Static file information: File size 13706949 > 1048576

Source: HLZwUhcJ28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: HLZwUhcJ28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: HLZwUhcJ28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: HLZwUhcJ28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: HLZwUhcJ28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: HLZwUhcJ28.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: HLZwUhcJ28.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: HLZwUhcJ28.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5SqlVBox.pdb00 source: Qt5SqlVBox.dll
Source:	Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxClient-x86\VBoxClient-x86.pdb source: VBoxClient-x86.dll.0.dr
Source:	Binary string: BitLockerToGo.pdb source: Imperial_Delay.exe, 00000001.00000002.1881484672.000000000A700000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5GuiVBox.pdb source: Qt5GuiVBox.dll
Source:	Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxClient-x86\VBoxClient-x86.pdb<<9 source: VBoxClient-x86.dll.0.dr
Source:	Binary string: BitLockerToGo.pdbGCTL source: Imperial_Delay.exe, 00000001.00000002.1881484672.000000000A700000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: HLZwUhcJ28.exe
Source:	Binary string: R:\tinderbox\win-qt-5.15\out\qtbase\plugins\sqldrivers\qsqlite.pdb source: qsqlite.dll.0.dr
Source:	Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5SqlVBox.pdb source: Qt5SqlVBox.dll
Source:	Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxProxyStub-x86\VBoxProxyStub-x86.pdb source: VBoxProxyStub-x86.dll.0.dr

Source: HLZwUhcJ28.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: HLZwUhcJ28.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: HLZwUhcJ28.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: HLZwUhcJ28.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: HLZwUhcJ28.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

File is packed with WinRar

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6902359

Jump to behavior

PE file contains sections with non-standard names

Source: HLZwUhcJ28.exe	Static PE information: section name: .didat
Source: HLZwUhcJ28.exe	Static PE information: section name: _RDATA
Source: VBoxProxyStub-x86.dll.0.dr	Static PE information: section name: .orpc
Source: Imperial_Delay.exe.0.dr	Static PE information: section name: .symtab
Source: libiconv-2.dll.0.dr	Static PE information: section name: .xdata
Source: libidn2-0.dll.0.dr	Static PE information: section name: .xdata
Source: libintl-8.dll.0.dr	Static PE information: section name: .xdata
Source: qsqlite.dll.0.dr	Static PE information: section name: .qtmetad

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_0044CE5D push esp; retf

2_2_0044CE67

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Drops PE files

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\qsqlite.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5GuiVBox.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxProxyStub-x86.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libintl-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxClient-x86.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5SqlVBox.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libidn2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libiconv-2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Security-Common.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\cygwin1.dll	Jump to dropped file

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\cygwin1.dll

Jump to behavior

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

System information queried: FirmwareTableInformation

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\qsqlite.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5GuiVBox.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxProxyStub-x86.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libintl-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxClient-x86.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5SqlVBox.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libidn2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libiconv-2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Security-Common.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\cygwin1.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 1104

Thread sleep time: -30000s >= -30000s

Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECEECE0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF70ECEECE0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECD647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF70ECD647C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ED03130 FindFirstFileExA,	0_2_00007FF70ED03130

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: 0_2_00007FF70ECF5134 VirtualQuery,GetSystemInfo,

0_2_00007FF70ECF5134

Source: VBoxProxyStub-x86.dll.0.dr	Binary or memory string: 0JvPartitionType_VMWareUnknownW@
Source: VBoxProxyStub-x86.dll.0.dr	Binary or memory string: AdditionsFacilityType_VBoxGuestDriverWWW
Source: VBoxProxyStub-x86.dll.0.dr	Binary or memory string: !0R4AdditionsFacilityType_VBoxServiceWWW
Source: VBoxProxyStub-x86.dll.0.dr	Binary or memory string: PartitionType_VMWareVMFS@
Source: VBoxClient-x86.dll.0.dr, VBoxProxyStub-x86.dll.0.dr	Binary or memory string: AdditionsFacilityType_VBoxTrayClient
Source: VBoxProxyStub-x86.dll.0.dr	Binary or memory string: PartitionType_VMWareReserved@
Source: VBoxProxyStub-x86.dll.0.dr	Binary or memory string: aVmNetTx
Source: Qt5GuiVBox.dll	Binary or memory string: .?AVQEmulationPaintEngine@@H
Source: VBoxProxyStub-x86.dll.0.dr	Binary or memory string: aVmNetRx
Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002CAD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: VBoxProxyStub-x86.dll.0.dr	Binary or memory string: PartitionType_VMWareVMKCoreW@
Source: Imperial_Delay.exe, 00000001.00000002.1878293373.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Qt5GuiVBox.dll	Binary or memory string: .?AVQEmulationPaintEngine@@

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 2_2_004442C0 LdrInitializeThunk,

2_2_004442C0

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: 0_2_00007FF70ECFAC68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF70ECFAC68

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: 0_2_00007FF70ED041B0 GetProcessHeap,

0_2_00007FF70ED041B0

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECF6B24 SetUnhandledExceptionFilter,	0_2_00007FF70ECF6B24
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECF5CE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF70ECF5CE0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECFAC68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF70ECFAC68
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Code function: 0_2_00007FF70ECF6940 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF70ECF6940

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: snailyeductyi.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ferrycheatyk.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: deepymouthi.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: wrigglesight.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: captaitwik.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: sidercotay.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: heroicmint.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: monstourtu.sbs

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2867008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 449000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44C000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 45C000	Jump to behavior

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

0_2_00007FF70ECEECE0

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"			Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: 0_2_00007FF70ED08DF0 cpuid

0_2_00007FF70ED08DF0

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00007FF70ECEDE44

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

0_2_00007FF70ECF400C

Source: C:\Users\user\Desktop\HLZwUhcJ28.exe

Code function: 0_2_00007FF70ECD6768 GetVersionExW,

0_2_00007FF70ECD6768

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 2676, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: BitLockerToGo.exe, 00000002.00000003.2023225773.0000000002D1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s/Electrum-LTC
Source: BitLockerToGo.exe, 00000002.00000003.2029618149.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: BitLockerToGo.exe, 00000002.00000003.2009812823.0000000002D19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: BitLockerToGo.exe, 00000002.00000003.2029618149.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000002.00000003.2010145588.0000000002CBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: BitLockerToGo.exe, 00000002.00000003.2009812823.0000000002D19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: BitLockerToGo.exe, 00000002.00000003.2029618149.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: BitLockerToGo.exe, 00000002.00000003.1951968090.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BitLockerToGo.exe, 00000002.00000003.1951968090.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Searches for user specific document files

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000002.00000003.1951968090.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1983486359.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1982657253.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1981505063.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1983200877.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1983911161.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1981900349.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1982913303.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1983703963.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1996190492.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1982143036.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 2676, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 2676, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Windows Analysis Report
HLZwUhcJ28.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1545779
Product:	CloudBasic
Start time:	01:04:08
Start date:	31.10.2024
Sample:	HLZwUhcJ28.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	b736da6a81e01bebfdd469d26785e13c
SHA1:	e82d651e62747674fd6c8bfeb2ebdb569f572c9f
SHA256:	4b93cf26d6e6c52e332e084f0940c5e687a91b08e66ee822aae302d1b1f3c014
Filetype:	Win64 Executable GUI (202006/5) 92.65%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe	PE32 executable (GUI) Intel 80386, for MS Windows	C1A90FA945AD6CED2104263762C7FCB4	9FB88668EB77F217A8C513AB8DAD78969CF68A5F	61784B8AA2940DC231E8CBD955C5F313556B14EACB6B19699DA46A76FC496074
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5GuiVBox.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	FDB292453760D9BC3CDD0B54013C6A99	30D27DA6EC867ED2B8A53384AC947B812D9D7CBD	86F6A04FE611CA402D3C4841561F5B396CE61F0212BB6DA58C7274532E2CFD14
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5SqlVBox.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	BBC454DFBD919CE1524E75478582C04D	4A331B6DC29C28A0D4FBEF90225448B88FD2A6FD	EAA9EFDE1704FA6ABBEF9878EECFA386E89003F23E07ADCAF641A6C741893BA1
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Security-Common.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	C5C4D6351AF07ABBAECE1A4AA03C21FC	0C08FF968AA41A5CC5AC5C70BC98448D8A7D9B2E	3054976F132DDA71B964B9303757078BFB75E94F19A2D2100180B86A8263384C
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxClient-x86.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	8499BCB782E639B57ABB8B503D410EB8	A4E3363A30C02FE999EEDFED50A8DD200F4C46C9	84B47308ABC293515FA8B682D7EDE3A53FED426A7073CFEC466BCDE681DA715F
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxProxyStub-x86.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	6D3C7D2E108CBB7B5389F51FF68BCB9A	E47006DBD81B0AD005DFE95339BB54AC59B20F47	53ED3512437FBEB4277C24790CE67DB048F81B60C3669765541495EF88056B88
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\cygwin1.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	C50B50303FAE4AFE7248307339A00D13	1B4A3F7666172809BD0D88F793EE855BD4B92938	712C39A069541AFA69CFCBE01B422BD67B4201EEE7E94CC1327D4ED8B4FA2167
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libiconv-2.dll	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows	28C28885656C64FC5ED923CC97C77718	71F4B7E06010F8F4D975AD6E2C919B56801447F3	967189ADFBC889FDE89AAFC867F7A1F02731F8592CF6FD5A4ACE1929213E2E13
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libidn2-0.dll	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows	3F7F652DA15858368B346010B1655EBF	57BB9DF055AB11BA82BB9E5D9AA20CAC3AE4B242	621F5BFC24CDAE8479A69B56DE530AB6CEE633352AE0BCE01885CC6B1ECA0371
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libintl-8.dll	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows	E3F805C0B24A800C30A63E36E6153AD1	639F3F22B2A885335C8973D35B0923BE979B621F	42A63CB4C3C28A683D9F6C3510DE5EC17849EB18C097FA02CD78AEB800BFF202
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\liblibimhex.dll.a	current ar archive	998EAE6672A406B75BF6F00B932D6441	462D238E306474068E4ABFED0F7F952DC6098BB3	5C23768BDA74BDF8B2775166D5AD9BBF603EF864DFF58F7B091B15420A2187C1
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\liblibpl.dll.a	current ar archive	773D20B0FAA71528D04FCF9BA6196A44	5B29CBCB56B873E630C0D5304836913E467F2D33	0AF3025B2F13EA825E2EEA6E69EFC6EB68A78FC09387CA75E54083C0E6580CEB
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\qsqlite.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	51B250D1B96BDE5CCEC152C11667692B	C12D436BB7F9D5F4449633300994D8EBEB20F8B0	F6B6F1161F924F997C186C78D6CAB6EC0DE0D06EA7B56E4876D02FBE8B4DCB32

Windows Analysis Report HLZwUhcJ28.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
HLZwUhcJ28.exe

Malware Threat Intel
Provided by