Windows Analysis Report
MXpl6HFisn.exe

Overview

General Information

Sample name: MXpl6HFisn.exe
Renamed because the original name is a hash value.
Original sample name: 0aadbca2d0a26b8f90fd4f31cb7f2ffc.exe
Analysis ID: 1417443
MD5: 0aadbca2d0a26b8f90fd4f31cb7f2ffc
SHA1: 57246459c3890dfcd49fb792cc55a45e3bd6c48e
SHA256: 4bee7d558a5346bffa5cc2393b579bd8abbdd6beef0ede8e71aeae10dd5ff207
Tags: exe, RiseProStealer

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Allocates memory in foreign processes
Contains functionality to inject threads in other processes
Creates autostart registry keys with suspicious names
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

AV Detection

Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe ReversingLabs: Detection: 42%
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Virustotal: Detection: 47%
Source: MXpl6HFisn.exe Virustotal: Detection: 36%
Source: MXpl6HFisn.exe ReversingLabs: Detection: 42%
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A20380 RegQueryValueExA,RegCloseKey,CryptUnprotectData,CryptUnprotectData,LocalFree, 2_2_02A20380
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: MXpl6HFisn.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: MXpl6HFisn.exe, 00000000.00000002.1764630027.000000C0001F5000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002C22000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1757024957.0000023CE79F0000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862067365.000001E67DB70000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862099559.000001E67DB30000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002B4E000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936048127.0000027776D70000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936018932.0000027776DB0000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002B5E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.00000000031CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: MXpl6HFisn.exe, 00000000.00000002.1764630027.000000C0001F5000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002C22000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1757024957.0000023CE79F0000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862067365.000001E67DB70000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862099559.000001E67DB30000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002B4E000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936048127.0000027776D70000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936018932.0000027776DB0000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002B5E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.00000000031CF000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A3E200 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock, 2_2_02A3E200
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02ADC3BA FindClose,FindFirstFileExW,GetLastError, 2_2_02ADC3BA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A0E0B0 CreateDirectoryA,CreateDirectoryA,FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock, 2_2_02A0E0B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A0A6B0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock, 2_2_02A0A6B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A20CC3 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 2_2_02A20CC3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02ADC440 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 2_2_02ADC440
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A3FD60 FindFirstFileA, 2_2_02A3FD60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0508A17B GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 2_2_0508A17B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_050590F0 FindFirstFileA,CreateDirectoryA,GetLastError,CopyFileA,CopyFileA,FindNextFileA,FindClose,GetLastError, 2_2_050590F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_05059990 FindFirstFileA,SetFileAttributesA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError, 2_2_05059990

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49730 -> 95.216.41.236:50500
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 95.216.41.236:50500 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 95.216.41.236:50500 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49730 -> 95.216.41.236:50500
Source: Traffic Snort IDS: 2049660 ET TROJAN RisePro CnC Activity (Outbound) 95.216.41.236:50500 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 95.216.41.236:50500 -> 192.168.2.4:49739
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 95.216.41.236:50500 -> 192.168.2.4:49740
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 95.216.41.236:50500 -> 192.168.2.4:49743
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 95.216.41.236:50500
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 104.26.5.15 104.26.5.15
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/102.165.48.43 HTTP/1.1
  Connection: Keep-Alive
  Referer: https://ipinfo.io/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=102.165.48.43 HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 95.216.41.236
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A1F5F0 recv,__Mtx_unlock, 2_2_02A1F5F0
Source: unknown DNS traffic detected: queries for: ipinfo.io
Source: MXpl6HFisn.exe, 00000000.00000002.1767327389.000000C001E3E000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1763770095.0000023CE7C70000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1701201194.0000023CE7B30000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002400000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1865976558.000001E67DDB0000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1869403565.000000C001CE6000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1807163070.000001E67DC70000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1960476547.000000C001CF8000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1881301271.0000027776EB0000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920173465.00000000026B0000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999600227.0000000002EA0000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000002.00000003.1803412679.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.000000000326C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.000000000326C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/-
Source: BitLockerToGo.exe, 00000008.00000003.1999122763.000000000326C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003235000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003235000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.43
Source: BitLockerToGo.exe, 00000002.00000003.1803412679.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/s
Source: BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002BF6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003216000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003217000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=102.165.48.43
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MXpl6HFisn.exe, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe.0.dr String found in binary or memory: https://golang.org/doc/faq#nil_errortls:
Source: BitLockerToGo.exe, 00000005.00000002.1920528481.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.000000000326C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.000000000326C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003235000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003235000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BC3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BC3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003235000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003235000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/O
Source: BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/R
Source: MXpl6HFisn.exe, 00000000.00000002.1767327389.000000C001E3E000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1763770095.0000023CE7C70000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1701201194.0000023CE7B30000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002400000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1865976558.000001E67DDB0000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1869403565.000000C001CE6000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1807163070.000001E67DC70000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4067758538.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1960476547.000000C001CF8000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1881301271.0000027776EB0000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920173465.00000000026B0000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999600227.0000000002EA0000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: BitLockerToGo.exe, 00000005.00000002.1920528481.0000000002B48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/s
Source: BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/t
Source: BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BA5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003235000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003235000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003216000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003217000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43
Source: BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43o
Source: BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BC3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/102.165.48.43
Source: BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003216000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003217000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/102.165.48.43:
Source: BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002BF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/102.165.48.43P$
Source: BitLockerToGo.exe, 00000002.00000003.1828806562.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000002.00000003.1828806562.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: BitLockerToGo.exe, 00000002.00000003.1826342628.0000000004F64000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828530915.0000000004F7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: BitLockerToGo.exe, 00000002.00000003.1826342628.0000000004F64000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828530915.0000000004F7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.V
Source: BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F00000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920528481.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTR
Source: BitLockerToGo.exe, 00000008.00000003.1999122763.000000000326C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.000000000329B000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.2.dr String found in binary or memory: https://t.me/risepro_bot
Source: BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botbackup
Source: BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.000000000326C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_botc
Source: BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisep
Source: BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bott
Source: BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.p
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: BitLockerToGo.exe, 00000002.00000003.1825988400.0000000004F67000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827211496.0000000004F86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828884319.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, jKXEuRSxIEMXWeb Data.2.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BitLockerToGo.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: BitLockerToGo.exe, 00000002.00000003.1828806562.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: BitLockerToGo.exe, 00000002.00000003.1828806562.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: BitLockerToGo.exe, 00000002.00000003.1829264822.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1826241376.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828447229.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827672274.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1829573161.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1830796791.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1830547597.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1829150612.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1829776196.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828806562.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BitLockerToGo.exe, 00000002.00000003.1828806562.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: BitLockerToGo.exe, 00000002.00000003.1829264822.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1826241376.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828447229.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1827672274.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1829573161.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1830796791.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1830547597.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1829150612.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1829776196.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1828806562.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/refox
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A0AE90 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown, 2_2_02A0AE90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_05061510 __aulldiv,__aulldiv,__aulldiv,send,__aulldiv,__aulldiv,__aulldiv,send,ExitProcess,__aulldiv,__aulldiv,__aulldiv,send,__aulldiv,__aulldiv,__aulldiv,send,CreateThread,CloseHandle,lstrcatA,lstrcatA,CreateProcessA,lstrcatA,CreateProcessA,Sleep,SetThreadDesktop,OpenDesktopA,EnumDesktopWindows,CloseDesktop,CreateDesktopA,SetThreadDesktop,PostMessageA,PostMessageA,PostMessageA,WindowFromPoint,FindWindowA,GetWindowRect,PtInRect,PostMessageA,RealGetWindowClassA,lstrcmpA,SendMessageA,MenuItemFromPoint,GetMenuItemID,PostMessageA,PostMessageA,WindowFromPoint,SendMessageA,GetWindowLongA,SetWindowLongA,SendMessageA,PostMessageA,PostMessageA,GetWindowPlacement,PostMessageA,PostMessageA,WindowFromPoint,WindowFromPoint,WindowFromPoint,SendMessageA,GetWindowRect,MoveWindow,ScreenToClient,ChildWindowFromPoint,RealGetWindowClassA,RealGetWindowClassA,PostMessageA,PostMessageA,lstrcatA,lstrcatA,CreateProcessA,CreateProcessA,CreateProcessA,PostMessageA,GetCurrentThreadId,GetThreadDesktop,CreateThread,CloseHandle,send,shutdown,closesocket, 2_2_05061510

System Summary

Source: 00000000.00000002.1769068121.000000C0026F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000001.00000002.1871116463.000000C002598000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000004.00000002.1962242072.000000C0025AA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000004.00000002.1959576006.000000C0006B2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process Stats: CPU usage > 49%
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0505A360 CreateProcessAsUserA,CloseHandle,CloseHandle,WaitForSingleObject,GetExitCodeProcess, 2_2_0505A360
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A3E200 2_2_02A3E200
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A8E240 2_2_02A8E240
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A2C3B0 2_2_02A2C3B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A0E0B0 2_2_02A0E0B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A561A0 2_2_02A561A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A287E0 2_2_02A287E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A3C720 2_2_02A3C720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02ACC4A0 2_2_02ACC4A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A60400 2_2_02A60400
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02AEA58E 2_2_02AEA58E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A24A10 2_2_02A24A10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A6286B 2_2_02A6286B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A2E9A0 2_2_02A2E9A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A3C9B0 2_2_02A3C9B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A38930 2_2_02A38930
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A8CEC0 2_2_02A8CEC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A42E70 2_2_02A42E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A2AD70 2_2_02A2AD70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A23270 2_2_02A23270
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A3B3B0 2_2_02A3B3B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A8D340 2_2_02A8D340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A43090 2_2_02A43090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A5B160 2_2_02A5B160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A41150 2_2_02A41150
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A357D0 2_2_02A357D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A37710 2_2_02A37710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A49480 2_2_02A49480
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A5D4C0 2_2_02A5D4C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A8D5A0 2_2_02A8D5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A55B20 2_2_02A55B20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02ADB830 2_2_02ADB830
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A3D840 2_2_02A3D840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A31E10 2_2_02A31E10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A57E70 2_2_02A57E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A25D70 2_2_02A25D70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A882B0 2_2_02A882B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02ACE220 2_2_02ACE220
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02AF8244 2_2_02AF8244
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A44387 2_2_02A44387
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A8E030 2_2_02A8E030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A28069 2_2_02A28069
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A2E048 2_2_02A2E048
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A1A1F0 2_2_02A1A1F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A46160 2_2_02A46160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A2E169 2_2_02A2E169
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A5E697 2_2_02A5E697
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02ABC690 2_2_02ABC690
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A58609 2_2_02A58609
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A8A780 2_2_02A8A780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A58769 2_2_02A58769
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A024F0 2_2_02A024F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A5C4C9 2_2_02A5C4C9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02AA4411 2_2_02AA4411
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A165E9 2_2_02A165E9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A4C550 2_2_02A4C550
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A84550 2_2_02A84550
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02AB6550 2_2_02AB6550
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A88A6B 2_2_02A88A6B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A18BB8 2_2_02A18BB8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A32B99 2_2_02A32B99
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A38BC7 2_2_02A38BC7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A8CB70 2_2_02A8CB70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02AEA8D0 2_2_02AEA8D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A4A830 2_2_02A4A830
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A90860 2_2_02A90860
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A14840 2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A829B0 2_2_02A829B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02AE4E88 2_2_02AE4E88
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02AE6EC0 2_2_02AE6EC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A94E00 2_2_02A94E00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A58E18 2_2_02A58E18
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A84F80 2_2_02A84F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A9AF20 2_2_02A9AF20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A952F0 2_2_02A952F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A41208 2_2_02A41208
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A8F261 2_2_02A8F261
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02AD5390 2_2_02AD5390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02AD1370 2_2_02AD1370
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A2B029 2_2_02A2B029
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A87040 2_2_02A87040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A91040 2_2_02A91040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A4F1B0 2_2_02A4F1B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A191B9 2_2_02A191B9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A331C6 2_2_02A331C6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A31110 2_2_02A31110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A596F9 2_2_02A596F9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A5D628 2_2_02A5D628
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A85630 2_2_02A85630
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A91720 2_2_02A91720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02AE1700 2_2_02AE1700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A4B498 2_2_02A4B498
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A3B5F9 2_2_02A3B5F9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A23A68 2_2_02A23A68
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A9BBD0 2_2_02A9BBD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02AD3B20 2_2_02AD3B20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A87B10 2_2_02A87B10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A4B869 2_2_02A4B869
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A59999 2_2_02A59999
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A5F928 2_2_02A5F928
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A15970 2_2_02A15970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A37977 2_2_02A37977
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A83FE0 2_2_02A83FE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A9FCA0 2_2_02A9FCA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A83C70 2_2_02A83C70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A8DD90 2_2_02A8DD90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02AF9DD9 2_2_02AF9DD9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A17D20 2_2_02A17D20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_05061510 2_2_05061510
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_05058040 2_2_05058040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0507A340 2_2_0507A340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_05079C00 2_2_05079C00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0506EE70 2_2_0506EE70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_05057820 2_2_05057820
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0505D460 2_2_0505D460
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_05076470 2_2_05076470
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0505E490 2_2_0505E490
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_050A34F9 2_2_050A34F9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_050717E0 2_2_050717E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_050747F0 2_2_050747F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0505A640 2_2_0505A640
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_05095070 2_2_05095070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_05054360 2_2_05054360
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_05099380 2_2_05099380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_050953CF 2_2_050953CF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0508ED00 2_2_0508ED00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_05094D2E 2_2_05094D2E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_050A2D60 2_2_050A2D60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_05072F50 2_2_05072F50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0505FE40 2_2_0505FE40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0505D8E0 2_2_0505D8E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_050A8BEB 2_2_050A8BEB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0508D5E0 appears 54 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02ADE8F0 appears 53 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02A90E80 appears 84 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02A6CE60 appears 41 times
Source: MXpl6HFisn.exe Static PE information: Number of sections : 12 > 10
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe.0.dr Static PE information: Number of sections : 12 > 10
Source: MXpl6HFisn.exe, 00000000.00000002.1767327389.000000C001E3E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000002.1764630027.000000C0001F5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002C22000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000003.1701201194.0000023CE7B30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000003.1757024957.0000023CE79F0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000003.1763770095.0000023CE7DA6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000002.1781559884.00007FF6A6BF5000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameupdate1503.exe8 vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002D65000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameupdate1503.exe8 vs MXpl6HFisn.exe
Source: MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002400000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000000.1709669640.00007FF7B8D95000.00000008.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenameupdate1503.exe8 vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1869403565.000000C0016F7000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameupdate1503.exe8 vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1865976558.000001E67DEE6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862067365.000001E67DB70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862099559.000001E67DB30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1869403565.000000C001CE6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1807163070.000001E67DC70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000000.1793682334.00007FF7B8D95000.00000008.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenameupdate1503.exe8 vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1960476547.000000C001CF8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002B4E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936048127.0000027776D70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1964029089.000000C004035000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameupdate1503.exe8 vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1881301271.0000027776EB0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKVM Vision Viewer.exeD vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936018932.0000027776DB0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs MXpl6HFisn.exe
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Section loaded: umpdc.dll
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Section loaded: powrprof.dll
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Section loaded: umpdc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wininet.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: devobj.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: windows.storage.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wldp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: vaultcli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wintypes.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntmarta.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: windowscodecs.dll
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Section loaded: powrprof.dll
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Section loaded: umpdc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wininet.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: devobj.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wininet.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: devobj.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll
Source: 00000000.00000002.1769068121.000000C0026F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000001.00000002.1871116463.000000C002598000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000004.00000002.1962242072.000000C0025AA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000004.00000002.1959576006.000000C0006B2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/24@2/3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A93220 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA, 2_2_02A93220
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A92B40 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA, 2_2_02A92B40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A0C390 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 2_2_02A0C390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A46160 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA, 2_2_02A46160
Source: C:\Users\user\Desktop\MXpl6HFisn.exe File created: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Mutant created: \Sessions\1\BaseNamedObjects\slickSlideAnd120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File created: C:\Users\user\AppData\Local\Temp\adobe3S903DOZntEK
Source: C:\Users\user\Desktop\MXpl6HFisn.exe File opened: C:\Windows\system32\d0302a26f0ed28ccdce81572cf8cd1028c63f048c9335d664d9761c42b5dbf6dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe File opened: C:\Windows\system32\c86af2d723e0710b7134d6e4af68ef7880000ae7d68cad633f8174379f7214bdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe File opened: C:\Windows\system32\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
Source: MXpl6HFisn.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MXpl6HFisn.exe, 00000000.00000002.1767327389.000000C001E3E000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1763770095.0000023CE7C70000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1701201194.0000023CE7B30000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002400000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1865976558.000001E67DDB0000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1869403565.000000C001CE6000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1807163070.000001E67DC70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: MXpl6HFisn.exe, 00000000.00000002.1767327389.000000C001E3E000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1763770095.0000023CE7C70000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1701201194.0000023CE7B30000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002400000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1865976558.000001E67DDB0000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1869403565.000000C001CE6000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1807163070.000001E67DC70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: TEtREnT7JaI7Login Data.2.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: MXpl6HFisn.exe Virustotal: Detection: 36%
Source: MXpl6HFisn.exe ReversingLabs: Detection: 42%
Source: MXpl6HFisn.exe String found in binary or memory: google.golang.org/grpc@v1.62.0/internal/balancerload/load.go
Source: MXpl6HFisn.exe String found in binary or memory: 500SNM8/WJmTlrtHo5fYJoHAvTJniG9TIJ1Fw6jJhVqKsGbb3KDvsivuRJuU0G5/Kn29bDvMRPWe2E9JA3Rrl9unCFzyjY445kDPy5McSufgeoG/0eeoEM0zzlb/AdDvZrLsrCaqu563nil/gAG/5N2taU+7piS3McYaVGKV8XjA28tOGwEXzehTy5NYTAbjqExFVROPKb257a3WdjE/gVSZM+Z4VXviN4bqgsvJpNkcaZxYoUc0tr4/PG/DUHBsP3P/
Source: MXpl6HFisn.exe String found in binary or memory: net/addrselect.go
Source: MXpl6HFisn.exe String found in binary or memory: github.com/saferwall/pe@v1.4.8/loadconfig.go
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe String found in binary or memory: google.golang.org/grpc@v1.62.0/internal/balancerload/load.go
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe String found in binary or memory: 500SNM8/WJmTlrtHo5fYJoHAvTJniG9TIJ1Fw6jJhVqKsGbb3KDvsivuRJuU0G5/Kn29bDvMRPWe2E9JA3Rrl9unCFzyjY445kDPy5McSufgeoG/0eeoEM0zzlb/AdDvZrLsrCaqu563nil/gAG/5N2taU+7piS3McYaVGKV8XjA28tOGwEXzehTy5NYTAbjqExFVROPKb257a3WdjE/gVSZM+Z4VXviN4bqgsvJpNkcaZxYoUc0tr4/PG/DUHBsP3P/
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe String found in binary or memory: net/addrselect.go
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe String found in binary or memory: github.com/saferwall/pe@v1.4.8/loadconfig.go
Source: BitLockerToGo.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MXpl6HFisn.exe String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc= pcruntime: ggoroutine RIPEMD-160ChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtra.localhostwsarecvmsgwsasendmsgIP addressunixpacket netGo = SHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1POSTALCODEexecerrdotSYSTEMROOT for type pick_firstChannel %s:authoritygrpc.Recv.grpc.Sent."INTERNAL"OutOfRangeConnectionlocal-addrRST_STREAMEND_STREAMSet-Cookie stream=%dset-cookieuser-agentkeep-aliveconnectionequivalentHost: %s
Source: MXpl6HFisn.exe String found in binary or memory: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine unreachable: internal error.in-addr.arpa. mode: /log/filter.go/log/helper.godata truncated
Source: C:\Users\user\Desktop\MXpl6HFisn.exe File read: C:\Users\user\Desktop\MXpl6HFisn.exe
Source: unknown Process created: C:\Users\user\Desktop\MXpl6HFisn.exe "C:\Users\user\Desktop\MXpl6HFisn.exe"
Source: unknown Process created: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe "C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe"
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: unknown Process created: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe "C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe"
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: MXpl6HFisn.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: MXpl6HFisn.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: MXpl6HFisn.exe Static file information: File size 21056512 > 1048576
Source: MXpl6HFisn.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x6cbc00
Source: MXpl6HFisn.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xc7ba00
Source: MXpl6HFisn.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: MXpl6HFisn.exe, 00000000.00000002.1764630027.000000C0001F5000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002C22000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1757024957.0000023CE79F0000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862067365.000001E67DB70000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862099559.000001E67DB30000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002B4E000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936048127.0000027776D70000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936018932.0000027776DB0000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002B5E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.00000000031CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: MXpl6HFisn.exe, 00000000.00000002.1764630027.000000C0001F5000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C002C22000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000003.1757024957.0000023CE79F0000.00000004.00001000.00020000.00000000.sdmp, MXpl6HFisn.exe, 00000000.00000002.1769068121.000000C00296C000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1871116463.000000C002814000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862067365.000001E67DB70000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000003.1862099559.000001E67DB30000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002B4E000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936048127.0000027776D70000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1962242072.000000C002826000.00000004.00001000.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000003.1936018932.0000027776DB0000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002B5E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.00000000031CF000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A3C720 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 2_2_02A3C720
Source: MXpl6HFisn.exe Static PE information: section name: .xdata
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe.0.dr Static PE information: section name: .xdata
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02ADE4BA push ecx; ret 2_2_02ADE4CD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0508D06F push ecx; ret 2_2_0508D082
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_050B3225 push esi; ret 2_2_050B322E
Source: C:\Users\user\Desktop\MXpl6HFisn.exe File created: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe

Boot Survival

Source: C:\Users\user\Desktop\MXpl6HFisn.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A829B0 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_02A829B0
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
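The Run-key writes above are what the overview's Sigma hit "New RUN Key Pointing to Suspicious Folder" keys on: the autostart value points at a copy of the sample under C:\Users\Public\Libraries, a world-writable folder no legitimate installer uses for autostart, and the value name carries the sample's MD5 in parentheses (the "suspicious names" signature). The Python below is an added example, not part of the Joe Sandbox report or of the RisePro sample; it applies that logic to constructed registry-set events modelled on the lines above. The folder list, the hash-like-name heuristic, the event field names and the benign entries are assumptions of the example.

```python
import re

# Autostart locations: any key ending in ...\CurrentVersion\Run, RunOnce or RunOnceEx.
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once(ex)?)?$", re.I)

# Folders that should never host an autostart image. Assumed list for this
# example (in the spirit of the Sigma rule the report names); tune per estate.
SUSPICIOUS_FOLDERS = (
    "c:\\users\\public\\",
    "%public%\\",
    "\\appdata\\local\\temp\\",
    "c:\\windows\\temp\\",
    "c:\\temp\\",
    "c:\\$recycle.bin\\",
    "c:\\perflogs\\",
)

# Value names carrying a 32-hex token, as the sample's "(0aadbca2...)MXpl6HFisn.exe" does.
HASH_NAME_RE = re.compile(r"[0-9a-f]{32}", re.I)


def analyse_autorun(event):
    """Reasons one registry-set event looks like malicious persistence (empty if none)."""
    if not RUN_KEY_RE.search(event["key"]):
        return []                      # not an autostart key at all
    reasons = []
    data = event["data"].lower()       # value data is the command line run at logon
    if any(folder in data for folder in SUSPICIOUS_FOLDERS):
        reasons.append("image_in_suspicious_folder")
    if HASH_NAME_RE.search(event["name"]):
        reasons.append("hash_like_value_name")
    return reasons


def find_suspicious_autoruns(events):
    """Filter a stream of registry-set events down to the ones worth an alert."""
    hits = []
    for ev in events:
        reasons = analyse_autorun(ev)
        if reasons:
            hits.append(dict(ev, reasons=reasons))
    return hits


# Constructed events modelled on the report's Run-key lines; the value data of the
# first event is taken from the dropped-file path, the other entries are invented.
SAMPLE_EVENTS = [
    {"process": "C:\\Users\\user\\Desktop\\MXpl6HFisn.exe",
     "key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "name": "(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe",
     "data": "C:\\Users\\Public\\Libraries\\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe"},
    {"process": "C:\\Program Files\\Vendor\\setup.exe",
     "key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "name": "VendorUpdater",
     "data": "\"C:\\Program Files\\Vendor\\updater.exe\" /background"},
    {"process": "C:\\Windows\\System32\\cmd.exe",
     "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
     "name": "Svc",
     "data": "\"%Public%\\svc.exe\""},
    {"process": "C:\\Users\\user\\Desktop\\MXpl6HFisn.exe",
     "key": "HKEY_CURRENT_USER\\Software\\Vendor\\Settings",
     "name": "LastRun",
     "data": "C:\\Users\\Public\\Libraries\\x.exe"},   # not a Run key: ignored
]

if __name__ == "__main__":
    for hit in find_suspicious_autoruns(SAMPLE_EVENTS):
        print(hit["process"], "->", hit["key"], hit["name"], hit["reasons"])
```

The check is deliberately run on the whole value data rather than on an extracted image path, so a LOLBin wrapper such as `rundll32.exe C:\Users\Public\x.dll,Entry` is still caught. On a live host the same logic can be fed from the Run keys themselves; the report shows the key under HKCU, so a per-user sweep is needed, not only HKLM.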

Malware Analysis System Evasion

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 2_2_02A62460
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Window / User API: threadDelayed 1595
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Window / User API: threadDelayed 1139
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Window / User API: threadDelayed 6510
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6460 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3804 Thread sleep time: -543000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6460 Thread sleep time: -1595000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3804 Thread sleep time: -3417000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6460 Thread sleep time: -6510000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6880 Thread sleep count: 75 > 30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A66760 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 02A66770h country: Upper Sorbian (hsb) 2_2_02A66760
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A930A0 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 02A930F1h 2_2_02A930A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A3E200 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock, 2_2_02A3E200
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02ADC3BA FindClose,FindFirstFileExW,GetLastError, 2_2_02ADC3BA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A0E0B0 CreateDirectoryA,CreateDirectoryA,FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock, 2_2_02A0E0B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A0A6B0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock, 2_2_02A0A6B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A20CC3 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 2_2_02A20CC3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02ADC440 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 2_2_02ADC440
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A3FD60 FindFirstFileA, 2_2_02A3FD60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0508A17B GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 2_2_0508A17B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_050590F0 FindFirstFileA,CreateDirectoryA,GetLastError,CopyFileA,CopyFileA,FindNextFileA,FindClose,GetLastError, 2_2_050590F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_05059990 FindFirstFileA,SetFileAttributesA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError, 2_2_05059990
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A0C390 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 2_2_02A0C390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Thread delayed: delay time: 30000
Source: BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002B96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: BitLockerToGo.exe, 00000002.00000003.3882145503.0000000004F7D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]]
Source: BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003217000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: BitLockerToGo.exe, 00000002.00000003.1791900220.0000000002BF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}e
Source: BitLockerToGo.exe, 00000002.00000003.1831701071.0000000004F6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}&%
Source: BitLockerToGo.exe, 00000008.00000002.1999851047.00000000031B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}5b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\
Source: BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C14000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}y
Source: BitLockerToGo.exe, 00000002.00000003.1803412679.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4068012610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003242000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003242000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000002.1999895233.0000000003208000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000008.00000003.1999122763.0000000003208000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}et
Source: BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002B5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb
Source: BitLockerToGo.exe, 00000008.00000003.1969479982.0000000003219000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MXpl6HFisn.exe, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Binary or memory string: LAZ8i9NlUZ0lSPkzdHAg7kjRjkCnkH5aScnzZ0FLRc1HCl8Q+efVI91gv9Deb3GTYAJfB+FhRxsT7Jv//u2UkAKVUPsvpvijNnwUsTR98GVFC1yLAH9dfaCHlTb3Z3ZkP27Czki7TkW5TKALHxSHcPnVQvYyW/LygsnXcy92ZHGfShugzWK0nNUime6ySx5bkL6GpCGdzyz0hMhyFXSQ5pp4MJFYvJ+rBld0DtOfszB0z2XEyXUmRSOb8J/vYPKh/xrs
Source: BitLockerToGo.exe, 00000002.00000003.3882165826.0000000002C84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}exe [2424]
Source: BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002B96000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002B5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW!
Source: MXpl6HFisn.exe, 00000000.00000002.1778270791.0000023CC2374000.00000004.00000020.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000001.00000002.1873704360.000001E65847C000.00000004.00000020.00020000.00000000.sdmp, (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe, 00000004.00000002.1965180617.000002773172F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002B5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7D9421B6M
Source: BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7D9421B6
Source: BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: BitLockerToGo.exe, 00000005.00000003.1890881232.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}b
Source: BitLockerToGo.exe, 00000002.00000003.3882223341.0000000002C31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ntEK\History\Firefox_fqs92o4p.default-release.txtl
Source: BitLockerToGo.exe, 00000005.00000003.1890881232.0000000002BA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91e
Source: (0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Binary or memory string: fDvj1yreL7RfHuqV3C2PUy8owhmOA+mCYLiETYIkDcTHBTrmX+wpLezG9YdaDHr5cGnuEo5uEiXCaky47RoK/bChyJEW8jCuhk0aFdyQMUoc5jMY9pXAd5S+9cgnKo0TT1IMuNG02lx46KKqpDU5dsQWx9sExIa7NSHGDDbBP93PLYhRsNMkCBklZVvmCi+FdsT8bWRGD9u3K8O6qmB6HAcWy5V6iF6kPQBBtPN7IxxvZanQWddbsZJJFtVb0Kepu3SW
Source: BitLockerToGo.exe, 00000005.00000002.1920564820.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1919146241.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWz8_x
Source: BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ntEKn(
Source: BitLockerToGo.exe, 00000002.00000002.4067895125.0000000002B90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information queried: ProcessInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A143F0 IsDebuggerPresent,IsProcessorFeaturePresent,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegCloseKey,GetComputerNameA, 2_2_02A143F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 CreateThread,FindCloseChangeNotification,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetCurrentDirectoryA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,shutdown,closesocket,WSACleanup,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep,Sleep,GetModuleHandleA,GetProcAddress,GetCurrentProcess,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CreateThread,CreateThread,CreateThread,FreeLibrary,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,CloseHandle,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep, 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A3C720 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 2_2_02A3C720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A1C000 mov eax, dword ptr fs:[00000030h] 2_2_02A1C000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62460 mov eax, dword ptr fs:[00000030h] 2_2_02A62460
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62460 mov eax, dword ptr fs:[00000030h] 2_2_02A62460
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A6286B mov eax, dword ptr fs:[00000030h] 2_2_02A6286B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A6286B mov eax, dword ptr fs:[00000030h] 2_2_02A6286B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A6286B mov eax, dword ptr fs:[00000030h] 2_2_02A6286B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A6286B mov eax, dword ptr fs:[00000030h] 2_2_02A6286B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov ecx, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A62F97 mov eax, dword ptr fs:[00000030h] 2_2_02A62F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A3D840 mov eax, dword ptr fs:[00000030h] 2_2_02A3D840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A1C000 mov eax, dword ptr fs:[00000030h] 2_2_02A1C000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A141E0 mov eax, dword ptr fs:[00000030h] 2_2_02A141E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A641C3 mov eax, dword ptr fs:[00000030h] 2_2_02A641C3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A64405 mov eax, dword ptr fs:[00000030h] 2_2_02A64405
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h] 2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h] 2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h] 2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h] 2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h] 2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h] 2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h] 2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h] 2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h] 2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h] 2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h] 2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A14840 mov eax, dword ptr fs:[00000030h] 2_2_02A14840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A1C000 mov eax, dword ptr fs:[00000030h] 2_2_02A1C000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A14D29 mov eax, dword ptr fs:[00000030h] 2_2_02A14D29
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A153F8 mov eax, dword ptr fs:[00000030h] 2_2_02A153F8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A1C000 mov eax, dword ptr fs:[00000030h] 2_2_02A1C000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A63058 mov eax, dword ptr fs:[00000030h] 2_2_02A63058
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A15718 mov eax, dword ptr fs:[00000030h] 2_2_02A15718
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A1C000 mov eax, dword ptr fs:[00000030h] 2_2_02A1C000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A638E8 mov eax, dword ptr fs:[00000030h] 2_2_02A638E8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A15970 mov ecx, dword ptr fs:[00000030h] 2_2_02A15970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A1FF70 mov eax, dword ptr fs:[00000030h] 2_2_02A1FF70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A089A0 GetModuleHandleA,GetProcAddress,GetProcessHeap,HeapAlloc,HeapFree,HeapAlloc,HeapFree, 2_2_02A089A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02ADE6E4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_02ADE6E4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02ADEA8D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_02ADEA8D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02AE2FC4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_02AE2FC4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0508D469 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0508D469
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_050964F5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_050964F5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0508D756 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0508D756
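The thread-delay lines in this section (TID 6460 and TID 3804) are the raw sleep intervals the injected code issued; two of them, 1595000 and 6510000, are exactly 1000 times the threadDelayed counts 1595 and 6510, which is consistent with a loop of one-second sleeps. Summed per thread they decide whether a fixed-length sandbox run ever reaches the stealer logic and whether a rerun needs sleep skipping. The Python below is an added triage helper, not part of the Joe Sandbox report; it parses those lines as copied from this page. It assumes the numbers are milliseconds (the report labels them "s", but the 30000 figure matches the "delay time: 30000" line) and assumes a 240-second analysis budget; both are assumptions of the example, as is the threadDelayed interpretation.

```python
import re
from collections import defaultdict

# One line per delay call the sandbox observed: "TID: <tid> Thread sleep time: -<n>s ...".
SLEEP_RE = re.compile(r"TID:\s*(\d+)\s+Thread sleep time:\s*-(\d+)s")

# Lines copied from the report's evasion section (the count line is kept to show
# that it is ignored: it carries a call count, not a duration).
REPORT_LINES = [
    "TID: 6460 Thread sleep time: -30000s >= -30000s",
    "TID: 3804 Thread sleep time: -543000s >= -30000s",
    "TID: 6460 Thread sleep time: -1595000s >= -30000s",
    "TID: 3804 Thread sleep time: -3417000s >= -30000s",
    "TID: 6460 Thread sleep time: -6510000s >= -30000s",
    "TID: 6880 Thread sleep count: 75 > 30",
]


def sleep_totals_ms(lines):
    """Accumulated delay per thread id. Unit assumed to be milliseconds (see lead-in)."""
    totals = defaultdict(int)
    for line in lines:
        m = SLEEP_RE.search(line)
        if m:
            totals[int(m.group(1))] += int(m.group(2))
    return dict(totals)


def threads_outlasting(totals, budget_ms):
    """Thread ids whose accumulated sleep alone exceeds the analysis budget."""
    return sorted(tid for tid, ms in totals.items() if ms > budget_ms)


def triage(lines, budget_ms=240_000):
    """Decision record: per-thread minutes slept and whether a sleep-skipping rerun is needed."""
    totals = sleep_totals_ms(lines)
    over = threads_outlasting(totals, budget_ms)
    return {
        "per_thread_minutes": {tid: round(ms / 60_000, 1) for tid, ms in totals.items()},
        "outlast_budget": over,
        "recommend_sleep_skipping": bool(over),
    }


if __name__ == "__main__":
    print(triage(REPORT_LINES))
```

Under the stated assumptions TID 6460 alone asks for roughly 135 minutes of sleep, so nothing this thread does after its delays is visible in a run of a few minutes; the sandbox's own "Thread sleep time ... >= -30000s" threshold is what let the analysis continue past them here. The same parser works on the "Thread delayed: delay time: 30000" form if its regex is extended.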

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\MXpl6HFisn.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A00000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 26B0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2EA0000 protect: page execute and read and write
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A19EB0 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 2_2_02A19EB0
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A00000 value starts with: 4D5A
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 26B0000 value starts with: 4D5A
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2EA0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A00000
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 29BD008
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 26B0000
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 29DA008
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2EA0000
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C4C008
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02ADE2E6 cpuid 2_2_02ADE2E6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 2_2_02A0C390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoEx,FormatMessageA, 2_2_02ADC1B6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 2_2_02AFE6DB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_02AFEAF8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: EnumSystemLocalesW, 2_2_02AFEA6D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoW, 2_2_02AFE8E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: EnumSystemLocalesW, 2_2_02AFE987
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: EnumSystemLocalesW, 2_2_02AFE9D2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_02AFEE74
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoW, 2_2_02AFEF7A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoW, 2_2_02AFED4B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_02AFF050
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: EnumSystemLocalesW, 2_2_02AF596A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoW, 2_2_02AF5EED
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_050A841C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoW, 2_2_050A8117
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoW, 2_2_050A8346
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_050A8240
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: EnumSystemLocalesW, 2_2_050A7D53
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: EnumSystemLocalesW, 2_2_050A7D51
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: EnumSystemLocalesW, 2_2_050A7D9E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoW, 2_2_0509BD97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoEx,FormatMessageA, 2_2_05089F98
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: EnumSystemLocalesW, 2_2_050A7E39
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_050A7EC4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: EnumSystemLocalesW, 2_2_0509B82B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Queries volume information: C:\Users\user\Desktop\MXpl6HFisn.exe VolumeInformation
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\Desktop\MXpl6HFisn.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Queries volume information: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe VolumeInformation
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\Public\Libraries\(0aadbca2d0a26b8f90fd4f31cb7f2ffc)MXpl6HFisn.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A0C390 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 2_2_02A0C390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_02A92B40 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA, 2_2_02A92B40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000002.00000003.1836476956.0000000005203000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4068353569.0000000004F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\gC7STejDE3WmjzylxWa3QT6.zip, type: DROPPED
Source: BitLockerToGo.exe, 00000002.00000003.1831664218.0000000004F60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: BitLockerToGo.exe, 00000002.00000003.1831664218.0000000004F60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: MXpl6HFisn.exe String found in binary or memory: xLto3LGtv5CKXSSE5+nVIVaYPjAXXGgqV6cjexCM4VtMBfGvXcNh7/76oyR9jWbgZkloaUNL4OwebNCXz0RIHaVzY6vRG03qCgbw7IYhmoT4V5OP/xcFjPgrZNZB8YMIQdGec81HD/fLYV4cOYssg9TbUjN7/mEKRq1lKBntR05T5l4BXNuC3o/CAO6dFIgqDSiSrME85itPr1HsR8pMwsntWSCnOw9awPz9NljR+I3n3EcUKlAAB16Ge1MzHCgJVktU
Source: BitLockerToGo.exe, 00000002.00000003.1834309967.0000000004F6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: BitLockerToGo.exe, 00000002.00000002.4068353569.0000000004F00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match File source: 00000002.00000003.1836476956.0000000005203000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4068353569.0000000004F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\gC7STejDE3WmjzylxWa3QT6.zip, type: DROPPED