Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1435406
MD5: 7e37f8c945d005226870e60aa2baea93
SHA1: d8a457a032ead8cc0d692efd497914e8cc69e8a4
SHA256: d130f492c40697a34e2d1e7b1e9a5e3ba37c7f6b4271271fba6b5c1e9048af8b
Tags: exe
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://shatterbreathepsw.shop:443/api Avira URL Cloud: Label: malware
Source: https://shatterbreathepsw.shop/api Avira URL Cloud: Label: malware
Found malware configuration
Source: 0.3.file.exe.c00047c000.1.unpack Malware Configuration Extractor: LummaC {"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "shatterbreathepsw.shop"], "Build id": "xpsGVF--GEIROPA"}
Multi AV Scanner detection for domain / URL
Source: shatterbreathepsw.shop Virustotal: Detection: 17% Perma Link
Source: tolerateilusidjukl.shop Virustotal: Detection: 14% Perma Link
Source: shortsvelventysjo.shop Virustotal: Detection: 19% Perma Link
Source: https://shatterbreathepsw.shop:443/api Virustotal: Detection: 19% Perma Link
Source: shatterbreathepsw.shop Virustotal: Detection: 17% Perma Link
Source: demonstationfukewko.shop Virustotal: Detection: 20% Perma Link
Source: https://shatterbreathepsw.shop/0 Virustotal: Detection: 15% Perma Link
Source: https://shatterbreathepsw.shop/apiT Virustotal: Detection: 16% Perma Link
Source: productivelookewr.shop Virustotal: Detection: 16% Perma Link
Source: incredibleextedwj.shop Virustotal: Detection: 14% Perma Link
Source: liabilitynighstjsko.shop Virustotal: Detection: 17% Perma Link
Source: alcojoldwograpciw.shop Virustotal: Detection: 20% Perma Link
Source: https://shatterbreathepsw.shop/api Virustotal: Detection: 19% Perma Link
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 34%
Source: file.exe Virustotal: Detection: 37% Perma Link
Sample uses string decryption to hide its real strings
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String decryptor: demonstationfukewko.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String decryptor: liabilitynighstjsko.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String decryptor: alcojoldwograpciw.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String decryptor: incredibleextedwj.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String decryptor: shortsvelventysjo.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String decryptor: shatterbreathepsw.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String decryptor: tolerateilusidjukl.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String decryptor: productivelookewr.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String decryptor: shatterbreathepsw.shop
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String decryptor: xpsGVF--GEIROPA
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D05977 CryptUnprotectData, 5_2_02D05977
Source: unknown HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: file.exe, 00000000.00000002.2354687188.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2354687188.000000C0001D7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2354687188.000000C000212000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2342735024.000001E6FBA50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: file.exe, 00000000.00000002.2354687188.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2354687188.000000C0001D7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2354687188.000000C000212000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2342735024.000001E6FBA50000.00000004.00001000.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+20h] 5_2_02D10352
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esi+08h] 5_2_02D0D343
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 5_2_02D0633E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 73CEF4DDh 5_2_02D291A2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+04h] 5_2_02D07AE2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, eax 5_2_02CF4BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 5_2_02CFAB00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then lea eax, dword ptr [esp+00000084h] 5_2_02D05977
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 5_2_02CF9E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp+08h] 5_2_02CF9E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 5_2_02D13FD5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 18DC7455h 5_2_02D26CF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+08h] 5_2_02D05D07
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 5_2_02D012DF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esi+20h] 5_2_02D012DF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 73CEF4DDh 5_2_02D292A1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [edi+edx], 0000h 5_2_02D0727D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7A1A689Fh 5_2_02D27220
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [eax+ecx], 00000000h 5_2_02D153B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 5_2_02D133B9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esi+00000534h] 5_2_02D163BC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esi+10h] 5_2_02D2934E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esi+00000534h] 5_2_02D16312
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 5_2_02D230D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 5_2_02D0A000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, eax 5_2_02CF31D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 5_2_02D121A3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 5_2_02D1515A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 5C3924FCh 5_2_02D27110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 5_2_02D01114
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ecx], 00000000h 5_2_02D026D2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+00000090h] 5_2_02D186C5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ebx+eax+01h], 00000000h 5_2_02D136F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 5_2_02D2A6E8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+00000090h] 5_2_02D16644
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+00000090h] 5_2_02D16647
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 5_2_02CF2610
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp] 5_2_02D27620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 5_2_02D017DE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 5_2_02D117EE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esi+20h] 5_2_02D047A1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 5_2_02D2A720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, eax 5_2_02CF64E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esi+00000534h] 5_2_02D162C8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 0AB35B01h 5_2_02D03B97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 5_2_02D068DD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 5_2_02D068F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 5_2_02D13880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+00000090h] 5_2_02D15F0E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [eax], cl 5_2_02D06983
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [eax], cl 5_2_02D06983
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then lea ebx, dword ptr [edi+ecx] 5_2_02D11FA1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp+60h] 5_2_02D14F56
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ebx], al 5_2_02D15F13
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 5_2_02D11CC6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp edx 5_2_02D0CCF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then inc ebx 5_2_02D04C00

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2052217 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (shatterbreathepsw .shop) 192.168.2.6:51308 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2052224 ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) 192.168.2.6:49718 -> 104.21.95.19:443
Source: Traffic Snort IDS: 2052224 ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) 192.168.2.6:49719 -> 104.21.95.19:443
Source: Traffic Snort IDS: 2052224 ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) 192.168.2.6:49720 -> 104.21.95.19:443
Source: Traffic Snort IDS: 2052224 ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) 192.168.2.6:49721 -> 104.21.95.19:443
Source: Traffic Snort IDS: 2052224 ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) 192.168.2.6:49722 -> 104.21.95.19:443
Source: Traffic Snort IDS: 2052224 ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) 192.168.2.6:49723 -> 104.21.95.19:443
Source: Traffic Snort IDS: 2052224 ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) 192.168.2.6:49724 -> 104.21.95.19:443
Source: Traffic Snort IDS: 2052224 ET TROJAN Observed Lumma Stealer Related Domain (shatterbreathepsw .shop in TLS SNI) 192.168.2.6:49726 -> 104.21.95.19:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: demonstationfukewko.shop
Source: Malware configuration extractor URLs: liabilitynighstjsko.shop
Source: Malware configuration extractor URLs: alcojoldwograpciw.shop
Source: Malware configuration extractor URLs: incredibleextedwj.shop
Source: Malware configuration extractor URLs: shortsvelventysjo.shop
Source: Malware configuration extractor URLs: shatterbreathepsw.shop
Source: Malware configuration extractor URLs: tolerateilusidjukl.shop
Source: Malware configuration extractor URLs: productivelookewr.shop
Source: Malware configuration extractor URLs: shatterbreathepsw.shop
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: shatterbreathepsw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 56Host: shatterbreathepsw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12861Host: shatterbreathepsw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15107Host: shatterbreathepsw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19965Host: shatterbreathepsw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 3802Host: shatterbreathepsw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1365Host: shatterbreathepsw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 556486Host: shatterbreathepsw.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: shatterbreathepsw.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: shatterbreathepsw.shop
Source: file.exe String found in binary or memory: http://.css
Source: file.exe String found in binary or memory: http://.jpg
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe String found in binary or memory: http://html4/loose.dtd
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 00000005.00000003.2421315426.000000000526D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe String found in binary or memory: https://database.usgovcloudapi.net/unsupported
Source: file.exe String found in binary or memory: https://datalake.azure.net/https://api.loganalytics.iohttps://graph.microsoft.us/https://api.loganal
Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe String found in binary or memory: https://gallery.azure.com/https://graph.windows.net/mariadb.database.azure.comhttps://storage.azure.
Source: BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe String found in binary or memory: https://manage.chinacloudapi.com/publishsettings/indexhttps://manage.microsoftazure.de/publishsettin
Source: file.exe String found in binary or memory: https://manage.windowsazure.com/publishsettings/indexnon-CONNECT
Source: file.exe String found in binary or memory: https://manage.windowsazure.us/publishsettings/indexMaximum
Source: file.exe String found in binary or memory: https://management.azure.com/https://managedhsm.azure.net/https://servicebus.azure.net/https://datab
Source: file.exe String found in binary or memory: https://management.azure.comINVALID
Source: file.exe String found in binary or memory: https://management.chinacloudapi.cntoo
Source: file.exe String found in binary or memory: https://management.core.usgovcloudapi.net/https://dev.azuresynapse.usgovcloudapi.netbad
Source: file.exe String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictLZMA
Source: BitLockerToGo.exe, 00000005.00000003.2490547443.0000000002F0A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2419343297.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2418983675.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shatterbreathepsw.shop/
Source: BitLockerToGo.exe, 00000005.00000003.2470403875.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shatterbreathepsw.shop/&6
Source: BitLockerToGo.exe, 00000005.00000003.2462485236.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397981986.0000000002E7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shatterbreathepsw.shop/0
Source: BitLockerToGo.exe, 00000005.00000003.2470403875.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shatterbreathepsw.shop/?6a
Source: BitLockerToGo.exe, 00000005.00000003.2398142344.0000000002F11000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397680492.0000000002F11000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2398470292.0000000002F11000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397264679.0000000002F11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shatterbreathepsw.shop/D7
Source: BitLockerToGo.exe, 00000005.00000003.2462610333.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2531513795.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shatterbreathepsw.shop/api
Source: BitLockerToGo.exe, 00000005.00000003.2462610333.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shatterbreathepsw.shop/apiT
Source: BitLockerToGo.exe, 00000005.00000003.2389056869.0000000002E93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shatterbreathepsw.shop/apiar
Source: BitLockerToGo.exe, 00000005.00000002.2531924515.0000000002E93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shatterbreathepsw.shop/apihort
Source: BitLockerToGo.exe, 00000005.00000003.2397981986.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2398248173.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shatterbreathepsw.shop/apii
Source: BitLockerToGo.exe, 00000005.00000003.2470610228.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2419422712.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2462610333.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shatterbreathepsw.shop/apizen
Source: BitLockerToGo.exe, 00000005.00000003.2420113247.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2418852252.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2419343297.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2418983675.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shatterbreathepsw.shop/w6
Source: BitLockerToGo.exe, 00000005.00000003.2398142344.0000000002F11000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397680492.0000000002F11000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397264679.0000000002F11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shatterbreathepsw.shop/y7
Source: BitLockerToGo.exe, 00000005.00000003.2420113247.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2418852252.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2419343297.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2418983675.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shatterbreathepsw.shop/~6
Source: BitLockerToGo.exe, 00000005.00000003.2531309021.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2420113247.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397981986.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2463146392.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2389056869.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.2532039828.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2483801676.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2418852252.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2470403875.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2483094012.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2490547443.0000000002F0A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2419343297.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2418983675.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shatterbreathepsw.shop:443/api
Source: BitLockerToGo.exe, 00000005.00000003.2531309021.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.2532039828.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2490547443.0000000002F0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shatterbreathepsw.shop:443/api-release/key4.dbPK
Source: BitLockerToGo.exe, 00000005.00000003.2490547443.0000000002F0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shatterbreathepsw.shop:443/apirosoft
Source: BitLockerToGo.exe, 00000005.00000003.2454550554.0000000005385000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000005.00000003.2454550554.0000000005385000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe String found in binary or memory: https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comjson:
Source: file.exe String found in binary or memory: https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps://vault.azure.cn/vault.mi
Source: BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: BitLockerToGo.exe, 00000005.00000003.2389832770.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BitLockerToGo.exe, 00000005.00000003.2462415774.000000000526A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.or
Source: BitLockerToGo.exe, 00000005.00000003.2462415774.000000000526A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: BitLockerToGo.exe, 00000005.00000003.2454550554.0000000005385000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: BitLockerToGo.exe, 00000005.00000003.2454550554.0000000005385000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: BitLockerToGo.exe, 00000005.00000003.2454550554.0000000005385000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000005.00000003.2462513783.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.19:443 -> 192.168.2.6:49726 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D1E8E0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 5_2_02D1E8E0
Contains functionality to read the clipboard data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D1E8E0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 5_2_02D1E8E0
Contains functionality to record screenshots
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D1F713 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 5_2_02D1F713

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.2354687188.000000C000326000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Detected potential crypto function
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D10352 5_2_02D10352
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02CF1750 5_2_02CF1750
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D10AD0 5_2_02D10AD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02CF4BB0 5_2_02CF4BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02CF3390 5_2_02CF3390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D153B0 5_2_02D153B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02CF41C0 5_2_02CF41C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02CF8160 5_2_02CF8160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D1863B 5_2_02D1863B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D27620 5_2_02D27620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02CF3780 5_2_02CF3780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02CF5760 5_2_02CF5760
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02CF64E0 5_2_02CF64E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D1BBF2 5_2_02D1BBF2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D17B8C 5_2_02D17B8C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02CF6B00 5_2_02CF6B00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D15F0E 5_2_02D15F0E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D2C9C0 5_2_02D2C9C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D249C0 5_2_02D249C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D11FA1 5_2_02D11FA1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D0CCF0 5_2_02D0CCF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02CFFDE0 5_2_02CFFDE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D2CD00 5_2_02D2CD00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D18D3B 5_2_02D18D3B
Found potential string decryption / allocating functions
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02CF8B40 appears 64 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02CF9430 appears 186 times
PE file contains more sections than normal
Source: file.exe Static PE information: Number of sections : 12 > 10
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.2357283198.00007FF67A133000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs file.exe
Source: file.exe, 00000000.00000002.2354687188.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs file.exe
Source: file.exe, 00000000.00000002.2354687188.000000C0001D7000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs file.exe
Source: file.exe, 00000000.00000002.2354687188.000000C000212000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs file.exe
Source: file.exe, 00000000.00000003.2342735024.000001E6FBA50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs file.exe
Source: file.exe Binary or memory string: OriginalFileName vs file.exe
Yara signature match
Source: 00000000.00000002.2354687188.000000C000326000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D1D4D1 CoCreateInstance, 5_2_02D1D4D1
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Libraries\lhlip.scif Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\system32\2bac949abffefe65784249a736b77326ada5ae81bd7dd8b644174f400402909eAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe ReversingLabs: Detection: 34%
Source: file.exe Virustotal: Detection: 37%
Source: file.exe String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: file.exe String found in binary or memory: failed to construct HKDF label: %scrypto/rsa: missing public moduluscrypto/des: invalid buffer overlapinvalid nested repetition operatorinvalid or unsupported Perl syntaxcrypto/rc4: invalid buffer overlapGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key sizebad tag in lazy extension decodingmismatching field: got %v, want %vlzma: wrong uncompressed data size" is unexported but missing PkgPathreflect.MakeSlice of non-slice typecrypto/md5: invalid hash state sizeencoding/hex: odd length hex string2006-01-02T15:04:05.999999999Z07:00SubscribeServiceChangeNotificationsCOFF symbols count is absurdly highnot a PE file, smaller than tiny PE` SizeOfRawData is larger than filenetwork dropped connection on resettransport endpoint is not connected1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9persistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadlinex509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accesssuperfluous leading zeros in lengthexecutable file not found in %PATH%ber2der: BER tag length is negativepostgres.database.usgovcloudapi.nethttps://database.usgovcloudapi.net/unsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKhttps://management.chinacloudapi.cntoo many Questions to pack (>65535)transform: short destination buffer'_' must separate successive digitsbigmod: modulus is smaller than natmime: bogus characters after %%: %qhash/crc32: invalid hash state sizeflate: corrupt input before offset P224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitydelimiters may only be "{}" or "<>"file %q has a name conflict over %vchacha20: output smaller than inputstring field contains invalid UTF-8%v already implements proto.Messagelzma: unsupported chunk header byteop is neither a match nor a literalnewRangeDecoder: d.code >= d.nrange%d extra bits on block, should be 0zero matchoff and matchlen (%d) > 0truncated input (or invalid offset)crypto/cipher: input not full blocksmethod ABI and value ABI don't alignTime.UnmarshalBinary: invalid lengthstrings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point support6ba7b810-9dad-11d1-80b4-00c04fd430c86ba7b811-9dad-11d1-80b4-00c04fd430c86ba7b812-9dad-11d1-80b4-00c04fd430c86ba7b814-9dad-11d1-80b4-00c04fd430c8accessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called w
Source: file.exe String found in binary or memory: failed to construct HKDF label: %scrypto/rsa: missing public moduluscrypto/des: invalid buffer overlapinvalid nested repetition operatorinvalid or unsupported Perl syntaxcrypto/rc4: invalid buffer overlapGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key sizebad tag in lazy extension decodingmismatching field: got %v, want %vlzma: wrong uncompressed data size" is unexported but missing PkgPathreflect.MakeSlice of non-slice typecrypto/md5: invalid hash state sizeencoding/hex: odd length hex string2006-01-02T15:04:05.999999999Z07:00SubscribeServiceChangeNotificationsCOFF symbols count is absurdly highnot a PE file, smaller than tiny PE` SizeOfRawData is larger than filenetwork dropped connection on resettransport endpoint is not connected1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9persistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadlinex509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accesssuperfluous leading zeros in lengthexecutable file not found in %PATH%ber2der: BER tag length is negativepostgres.database.usgovcloudapi.nethttps://database.usgovcloudapi.net/unsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKhttps://management.chinacloudapi.cntoo many Questions to pack (>65535)transform: short destination buffer'_' must separate successive digitsbigmod: modulus is smaller than natmime: bogus characters after %%: %qhash/crc32: invalid hash state sizeflate: corrupt input before offset P224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitydelimiters may only be "{}" or "<>"file %q has a name conflict over %vchacha20: output smaller than inputstring field contains invalid UTF-8%v already implements proto.Messagelzma: unsupported chunk header byteop is neither a match nor a literalnewRangeDecoder: d.code >= d.nrange%d extra bits on block, should be 0zero matchoff and matchlen (%d) > 0truncated input (or invalid offset)crypto/cipher: input not full blocksmethod ABI and value ABI don't alignTime.UnmarshalBinary: invalid lengthstrings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point support6ba7b810-9dad-11d1-80b4-00c04fd430c86ba7b811-9dad-11d1-80b4-00c04fd430c86ba7b812-9dad-11d1-80b4-00c04fd430c86ba7b814-9dad-11d1-80b4-00c04fd430c8accessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called w
Source: file.exe String found in binary or memory: net/addrselect.go
Source: file.exe String found in binary or memory: github.com/saferwall/pe@v1.4.8/loadconfig.go
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe Static file information: File size 9048064 > 1048576
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3a5e00
Source: file.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x445800
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: file.exe, 00000000.00000002.2354687188.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2354687188.000000C0001D7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2354687188.000000C000212000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2342735024.000001E6FBA50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: file.exe, 00000000.00000002.2354687188.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2354687188.000000C0001D7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2354687188.000000C000212000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2342735024.000001E6FBA50000.00000004.00001000.00020000.00000000.sdmp
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name: .xdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D31CCA pushfd ; retf 5_2_02D31CD1
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe System information queried: FirmwareTableInformation Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 1768 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 5388 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: BitLockerToGo.exe, 00000005.00000002.2531924515.0000000002E58000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.2531924515.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397981986.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2389056869.0000000002E93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005268000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696487552p
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: file.exe, 00000000.00000002.2355600805.000001E6D4DD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: BitLockerToGo.exe, 00000005.00000002.2531924515.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2397981986.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.2389056869.0000000002E93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWi]
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: BitLockerToGo.exe, 00000005.00000003.2398825174.0000000005263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02D28E70 LdrInitializeThunk, 5_2_02D28E70

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CF0000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CF0000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: demonstationfukewko.shop
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: liabilitynighstjsko.shop
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: alcojoldwograpciw.shop
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: incredibleextedwj.shop
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: shortsvelventysjo.shop
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: shatterbreathepsw.shop
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: tolerateilusidjukl.shop
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: productivelookewr.shop
Writes to foreign memory regions
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CF0000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: A23008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 7060, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: BitLockerToGo.exe, 00000005.00000002.2531924515.0000000002E93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: file.exe, 00000000.00000003.2265990913.000000C00047C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: MiOoaQbCwVRxfJcnwQBVQAJCvyPEJWQdURbufaRDGZmblicvqTnbSxrEmpUnCeUsCdBQozPJWsYKoPDbfqlRvUUyqDTovvNjNjNfgObhOQpauDXfROlelpGCZbwjEquQcWQEvcVrvDGpPskzeUbJfBLStHUsSLppQlerEymraBpTmKBjzFSsmjNOLLhjsaKVKeiqtVtqzXWRXaOaasQWcgvoUrCyoIUqzMjOTRMvKwZSwfxefwMdekKPxUWUeuMbhPxMRLjAxxPAGobEIWgebEsXDFwewkfpzcTbjpsLgfgTeudESshSsBAFOKkcuYgFpAllqTDnoveNRQFswFIZuZvJtKCKSyDUngBdjHtcPiDnKilFiPAaNVKRuvGszqBFGINNRjzEJOTMRzxwpHoEzUSgxykAAiMfzaJsLVlWYEsjRaozqfPTZLgBVIDXYUCmDbgRlDOUDhpFvRiJPSsUeBKCiPulYlxwnPpuPJgwuRfUVizEoonZdIeBKhZAyPbofZhAnTzaKRyvPTlgJakGGARYzgObaKfrhMAuCxzAIYzdfPluENPWxYLxlTEqYLOujXequKlMGpolehAjiWByAYyUqFQkThkUAkTkQXCuFNKHVVnZLPErEvkqAFonkBlgxjLhbgzSQHYSAeoRyTJiMKOLwEDXRLtCAtaDFpDOzYKaqekuYmRGnFVBcuvNEhMEIFNxIbuVrNlXByBVaqgrhtHNyBTwxrjkhhZpXavggqHMDLLBSobXycBbepMzFMyqrsGRZSZHFCaOlBABvArWmCjkouCQwAPxNtrfeBQrxYYncrnIJAlDcYotukZNLZfKgNCkNkuwUMnDwwswtxaLdfblGfLVGsiHBGJVLJzyrgIYyVoTsipwPiVHZbRhRCMpbgQNGXhTwjatjogFahDekenPfDKttjlDUJfZcqAFJArvNYdPJKtufbZybbIDyTBaBAqDoiHLlGHfxrMUtKGctUSPSYfmQEdJgqGAdGASeTomVVNbuwLyjsgSgSRiVRtMCCjNSKBbhYafAwNqwgOGeguxSiABIqOGeCsebbwpTgZAkEMgpfQvGOeBISjzzzNAaBwCmKullzHxylEWZtoiTtnHfvnMsyKxXBAPECHocecBPtztknmRvDHAFHJIJgmXiTfuwokDizHWWcXTdtcQMUusMaABHAlRDexXrwQwHuPqcTsuAYKhAckRkzmMeAugCDVLUHXglMIgaoSOQfuxZabKTATujJyLFHukiuplYRtFTGYeDPyslRUWxHsHYQZPuuCrONJFsRTJPHmTBVjxtONEvCMhmObYWLfxjyDLkdHEZLNOWkTzyJqVspDYRtrvoovOwbwMtqEokMbGrcyVFpnbAzZmLWBVpFNobuDSjHkanvZgApZNsqoyIhxzEgQnNBsqVOwHyDVMBWOVaVxhsmIEpJOsyEpFihDsCJSRfaEXXZyEpEQcEUHZBVpvJkdwaLTYRaAdzSyLHVWNpuCnvPQXKFvcJpDwVivCugUxTvwEkRoyTioFQYMuOlkoOeLTpkrAknYDZqEIhEiJAOrHUplmjbuUCqIpuuzxhDcBkdkLzAJvIfOyTbPwmSRyjEvUGfnXHAevqiCavEvMuaNFIewCFkabIDbfiBPrhIrXadEclzPADeORWvSvCmLSqEbeISubqqhKhkHHGSmIVfzZHBpezkdumpZOwxyKupxvGWgOEdApBxSxLQqXmsoyvIZwIsWXhOjmFEZGqKgnKPfpdbcILjBKRUTeHuOYCGsZYreTHGijrzYhxqzGauWdeYJSfSIFbjvtOfBnJJyNRaURCXfjFldJjCnLOYblQRYZAuiXiXfauqRbyjPxEFauuzmQEEpyvjOqohxKGhIAJexaqBxdEJrcRvuQgWTeUTmOtzTQJUxDbTALIxmNzokQRmxLmJdXqzJFakQKgeUARerumHNAZKjbbXQBXSUxDFoJXGaPgPxqQVUGCjSAUGLSnIYQxonTRplchwUeUWqzLIIQPXPtWdGfMJAvrcIaFzIBNGydHirTCfeglNNkIoKCyWOrqVRBsphgigTUEDeBYVVPzlizRGdNZNgbzLBLtFahcdymgfqefqlxbjPlEVwtmMWCjrSOisilTaMlllYHBSkgxhDf
Source: BitLockerToGo.exe, 00000005.00000002.2531924515.0000000002E93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000005.00000003.2397981986.0000000002E93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: BitLockerToGo.exe, 00000005.00000003.2398752168.0000000002F03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb391
Source: BitLockerToGo.exe, 00000005.00000003.2397981986.0000000002E93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance88+X
Source: BitLockerToGo.exe, 00000005.00000002.2531924515.0000000002E93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: BitLockerToGo.exe, 00000005.00000003.2470610228.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BitLockerToGo.exe, 00000005.00000003.2470610228.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000003.2397981986.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2389056869.0000000002E93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2483917008.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2532039828.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2483286988.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2531513795.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 7060, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 7060, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1435406 Sample: file.exe Startdate: 02/05/2024 Architecture: WINDOWS Score: 100 14 shatterbreathepsw.shop 2->14 18 Snort IDS alert for network traffic 2->18 20 Multi AV Scanner detection for domain / URL 2->20 22 Found malware configuration 2->22 24 6 other signatures 2->24 7 file.exe 2 2->7         started        signatures3 process4 signatures5 26 Found many strings related to Crypto-Wallets (likely being stolen) 7->26 28 Writes to foreign memory regions 7->28 30 Allocates memory in foreign processes 7->30 32 2 other signatures 7->32 10 BitLockerToGo.exe 7->10         started        process6 dnsIp7 16 shatterbreathepsw.shop 104.21.95.19, 443, 49718, 49719 CLOUDFLARENETUS United States 10->16 34 Query firmware table information (likely to detect VMs) 10->34 36 Found many strings related to Crypto-Wallets (likely being stolen) 10->36 38 Tries to harvest and steal browser information (history, passwords, etc) 10->38 40 Tries to steal Crypto Currency Wallets 10->40 signatures8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.95.19
 shatterbreathepsw.shop United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
shatterbreathepsw.shop 104.21.95.19 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
shortsvelventysjo.shop true
  • 20%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
tolerateilusidjukl.shop true
  • 14%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
shatterbreathepsw.shop true
  • 17%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
demonstationfukewko.shop true
  • 21%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
productivelookewr.shop true
  • 16%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
alcojoldwograpciw.shop true
  • 21%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
incredibleextedwj.shop true
  • 14%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
liabilitynighstjsko.shop true
  • 17%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
https://shatterbreathepsw.shop/api true
  • 20%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown