Source: locatedblsoqp.shop | URL Reputation: Label: phishing |
Source: traineiwnqo.shop | URL Reputation: Label: malware |
Source: condedqpwqm.shop | URL Reputation: Label: phishing |
Source: caffegclasiqwp.shop | URL Reputation: Label: malware |
Source: millyscroqwp.shop | URL Reputation: Label: malware |
Source: stagedchheiqwo.shop | URL Reputation: Label: phishing |
Source: https://locatedblsoqp.shop/api | URL Reputation: Label: malware |
Source: stamppreewntnq.shop | URL Reputation: Label: phishing |
Source: https://tenseddrywsqio.shop/api | Avira URL Cloud: Label: malware |
Source: https://traineiwnqo.shop/api_ | Avira URL Cloud: Label: malware |
Source: https://locatedblsoqp.shop/6 | Avira URL Cloud: Label: phishing |
Source: https://traineiwnqo.shop/api | Avira URL Cloud: Label: malware |
Source: https://locatedblsoqp.shop/ | Avira URL Cloud: Label: phishing |
Source: https://traineiwnqo.shop/apibul | Avira URL Cloud: Label: malware |
Source: https://traineiwnqo.shop/fXx | Avira URL Cloud: Label: malware |
Source: https://traineiwnqo.shop/apiK | Avira URL Cloud: Label: malware |
Source: https://traineiwnqo.shop/. | Avira URL Cloud: Label: malware |
Source: https://traineiwnqo.shop:443/apii | Avira URL Cloud: Label: malware |
Source: https://traineiwnqo.shop/ | Avira URL Cloud: Label: malware |
Source: 1.2.BitLockerToGo.exe.400000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["stamppreewntnq.shop", "stagedchheiqwo.shop", "locatedblsoqp.shop", "tenseddrywsqio.shop", "millyscroqwp.shop", "traineiwnqo.shop", "condedqpwqm.shop", "caffegclasiqwp.shop", "evoliutwoqm.shop"], "Build id": "LPnhqo--nlczjrpfwadf"} |
Source: tenseddrywsqio.shop | Virustotal: Detection: 14% | Perma Link |
Source: https://tenseddrywsqio.shop/api | Virustotal: Detection: 16% | Perma Link |
Source: https://traineiwnqo.shop/api | Virustotal: Detection: 21% | Perma Link |
Source: https://locatedblsoqp.shop/ | Virustotal: Detection: 16% | Perma Link |
Source: https://traineiwnqo.shop:443/apii | Virustotal: Detection: 11% | Perma Link |
Source: https://traineiwnqo.shop/ | Virustotal: Detection: 19% | Perma Link |
Source: https://traineiwnqo.shop/. | Virustotal: Detection: 19% | Perma Link |
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp | String decryptor: caffegclasiqwp.shop |
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp | String decryptor: stamppreewntnq.shop |
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp | String decryptor: stagedchheiqwo.shop |
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp | String decryptor: millyscroqwp.shop |
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp | String decryptor: evoliutwoqm.shop |
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp | String decryptor: condedqpwqm.shop |
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp | String decryptor: traineiwnqo.shop |
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp | String decryptor: locatedblsoqp.shop |
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp | String decryptor: tenseddrywsqio.shop |
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0 |
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5 |
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton: |
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory: |
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: - |
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp | String decryptor: LPnhqo--nlczjrpfwadf |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 1_2_004321F0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 1_2_004323E3 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [eax], cx | 1_2_00419040 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, word ptr [ecx+esi*2] | 1_2_0042D070 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov esi, dword ptr [esp] | 1_2_00434030 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [esi+00000280h] | 1_2_0040D0D0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 1_2_004208E0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [eax], dl | 1_2_0040D978 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [esp] | 1_2_00434110 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov esi, dword ptr [esp] | 1_2_00434110 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [edx+eax-01h] | 1_2_004089F0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov dword ptr [ebx], 00000022h | 1_2_00420980 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx eax, word ptr [ebx] | 1_2_00435990 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 1_2_00413A4A |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then add edi, 02h | 1_2_00413A4A |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [esp] | 1_2_0041FACE |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 1_2_0041FACE |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 1_2_00435280 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esi+edi] | 1_2_00403290 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edx, dword ptr [esp] | 1_2_004312A0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp+1Ch] | 1_2_0040B310 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [esi], cx | 1_2_0041BB22 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, word ptr [ecx] | 1_2_0041BB22 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edi, dword ptr [esp+40h] | 1_2_0041BB22 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov esi, 00008000h | 1_2_004043C0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 84AA3BD1h | 1_2_004353C0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 1_2_0043238A |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edx, dword ptr [ebp-1Ch] | 1_2_00433BA8 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov esi, dword ptr [esp] | 1_2_00433C40 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov esi, dword ptr [esp] | 1_2_00434450 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 1_2_004324BC |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 1_2_00429540 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edx, dword ptr [ebp-1Ch] | 1_2_004335D2 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h | 1_2_00418DE0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 1_2_0040FDEB |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ebp, eax | 1_2_0041EDFE |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov esi, dword ptr [esp] | 1_2_00433D90 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov dword ptr [esi+08h], eax | 1_2_004235B0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [edi], al | 1_2_004235B0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [edi], dl | 1_2_004235B0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx eax, word ptr [esi+ecx] | 1_2_0042F6F0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ebx, byte ptr [eax+edx] | 1_2_00431E80 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov esi, dword ptr [esp] | 1_2_00433F40 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov dword ptr [esp], 00000000h | 1_2_00412F50 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp cl, 0000002Eh | 1_2_0041D752 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [ecx], al | 1_2_00414770 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp byte ptr [ebx], 00000000h | 1_2_00412FA0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [esp+000000B0h] | 1_2_0040F7AA |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then lea ebx, dword ptr [esp+08h] | 1_2_0041F7B2 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp eax | 1_2_004197B7 |
Source: Network traffic | Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.4:65410 -> 1.1.1.1:53 |
Source: Network traffic | Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.4:64510 -> 1.1.1.1:53 |
Source: Network traffic | Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.4:49733 -> 188.114.96.3:443 |
Source: Network traffic | Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.4:49732 -> 188.114.96.3:443 |
Source: Network traffic | Suricata IDS: 2055489 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (locatedblsoqp .shop) : 192.168.2.4:49731 -> 188.114.96.3:443 |
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49733 -> 188.114.96.3:443 |
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 188.114.96.3:443 |
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 188.114.96.3:443 |
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.96.3:443 |
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 188.114.96.3:443 |
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 188.114.96.3:443 |
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.69.149:443 |
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.69.149:443 |
Source: Malware configuration extractor | URLs: stamppreewntnq.shop |
Source: Malware configuration extractor | URLs: stagedchheiqwo.shop |
Source: Malware configuration extractor | URLs: locatedblsoqp.shop |
Source: Malware configuration extractor | URLs: tenseddrywsqio.shop |
Source: Malware configuration extractor | URLs: millyscroqwp.shop |
Source: Malware configuration extractor | URLs: traineiwnqo.shop |
Source: Malware configuration extractor | URLs: condedqpwqm.shop |
Source: Malware configuration extractor | URLs: caffegclasiqwp.shop |
Source: Malware configuration extractor | URLs: evoliutwoqm.shop |
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: tenseddrywsqio.shop |
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: locatedblsoqp.shop |
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: traineiwnqo.shop |
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Cookie: __cf_mw_byp=3xk4E.2nDymKStRO43vRDjy22JgE06_vJkNrLPyvrcg-1725131410-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 54
    Host: traineiwnqo.shop |
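Added example, not part of the sandbox report and not the sample's own code: a Python detection pass that takes the C2 list from the LummaC configuration extractor line above and applies it to DNS, TLS-SNI and HTTP log records, the same three signal types the Suricata alerts in this report fire on (DNS lookup, TLS SNI, CnC host check-in). The log format and every log line in the block are constructed for the example (including a subdomain of one C2 host and an internal host, neither of which appears in the report). The first-stage check-in is keyed only on what the captured requests show, POST /api with a form-urlencoded 8-byte body, because the report does not show the body; that shape on its own is a weak signal and is reported separately from hits on a known C2 host.

```python
"""Match constructed log records against the LummaC C2 domains recovered
by the sandbox's configuration extractor, plus the POST /api check-in shape
seen in the captured traffic.  Example code, not from the report."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Copied verbatim from the "Malware Configuration Extractor: LummaC" line.
LUMMA_CONFIG = json.loads(
    '{"C2 url": ["stamppreewntnq.shop", "stagedchheiqwo.shop", "locatedblsoqp.shop", '
    '"tenseddrywsqio.shop", "millyscroqwp.shop", "traineiwnqo.shop", "condedqpwqm.shop", '
    '"caffegclasiqwp.shop", "evoliutwoqm.shop"], "Build id": "LPnhqo--nlczjrpfwadf"}'
)

# Observed in the captured HTTP traffic (body not shown in the report).
CHECKIN_PATH = "/api"
CHECKIN_CONTENT_TYPE = "application/x-www-form-urlencoded"
CHECKIN_BODY_LEN = 8


@dataclass(frozen=True)
class Hit:
    kind: str      # "dns", "sni", "http" (known C2 host) or "http-shape" (weak)
    domain: str
    detail: str


def c2_domains(config: dict) -> frozenset:
    """Normalise the C2 list: lowercase, drop scheme/port/path, strip trailing dot."""
    out = set()
    for entry in config.get("C2 url", []):
        host = re.sub(r"^[a-z]+://", "", entry.lower().strip())
        host = host.split("/", 1)[0].split(":", 1)[0]
        out.add(host.rstrip("."))
    return frozenset(out)


def _host_matches(host: str, c2: frozenset) -> Optional[str]:
    """Return the matching C2 domain for an exact hit or any subdomain of it."""
    h = host.lower().rstrip(".")
    for d in c2:
        if h == d or h.endswith("." + d):
            return d
    return None


def parse_line(line: str) -> tuple[str, dict]:
    """Constructed log format for this example: '<type> key=value key=value ...'."""
    kind, _, rest = line.strip().partition(" ")
    return kind, dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)


def scan(lines: Iterable[str], config: dict = LUMMA_CONFIG) -> list[Hit]:
    c2 = c2_domains(config)
    hits: list[Hit] = []
    for line in lines:
        if not line.strip():
            continue
        kind, f = parse_line(line)
        if kind == "dns":
            d = _host_matches(f.get("query", ""), c2)
            if d:
                hits.append(Hit("dns", d, f"DNS lookup from {f.get('src', '?')}"))
        elif kind == "tls":
            d = _host_matches(f.get("sni", ""), c2)
            if d:
                hits.append(Hit("sni", d, f"TLS SNI to {f.get('dst', '?')}"))
        elif kind == "http":
            host = f.get("host", "")
            shape = (f.get("method") == "POST" and f.get("path") == CHECKIN_PATH
                     and f.get("ctype") == CHECKIN_CONTENT_TYPE
                     and f.get("clen") == str(CHECKIN_BODY_LEN))
            d = _host_matches(host, c2)
            if d:
                hits.append(Hit("http", d, "C2 host" + (" + check-in shape" if shape else "")))
            elif shape:
                # Shape alone is weak: plenty of benign clients POST small form
                # bodies to /api.  Surface it for triage, not for blocking.
                hits.append(Hit("http-shape", host, "check-in shape, host not in config"))
    return hits


# Constructed sample records (cdn.* subdomain and intranet.example are invented).
SAMPLE_LOG = """\
dns query=locatedblsoqp.shop src=192.168.2.4
dns query=traineiwnqo.shop src=192.168.2.4
dns query=www.cloudflare.com src=192.168.2.4
tls sni=traineiwnqo.shop dst=188.114.96.3:443
tls sni=cdn.traineiwnqo.shop dst=188.114.96.3:443
http method=POST host=tenseddrywsqio.shop path=/api ctype=application/x-www-form-urlencoded clen=8
http method=POST host=traineiwnqo.shop path=/api ctype=application/x-www-form-urlencoded clen=54
http method=GET host=www.cloudflare.com path=/5xx-error-landing ctype=- clen=0
http method=POST host=intranet.example path=/api ctype=application/x-www-form-urlencoded clen=8
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"{h.kind:10} {h.domain:22} {h.detail}")
```

Subdomain matching matters because the report's own alerts fire on the bare domain in DNS and SNI, and a stealer that rotates hostnames under the same registered domain should not slip past a list built from the config. The second-stage request in the report (Content-Length 54, with the Cloudflare `__cf_mw_byp` cookie) is caught here by host only, which is the intended behaviour: the host list is the durable indicator, the body length is not.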
Source: l5u4ezxr.u51.exe | String found in binary or memory: https://api.loganalytics.iohttps://api.loganalytics.usencountered |
Source: l5u4ezxr.u51.exe | String found in binary or memory: https://datalake.azure.net/https://graph.microsoft.us/servicebus.chinacloudapi.cndocuments.microsoft |
Source: l5u4ezxr.u51.exe | String found in binary or memory: https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.netdev.azuresynapse.usgovcloudapi.n |
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locatedblsoqp.shop/ |
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locatedblsoqp.shop/6 |
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locatedblsoqp.shop/api |
Source: l5u4ezxr.u51.exe | String found in binary or memory: https://login.microsoftonline.com/METRIC_AZURERM_API_REQUEST_BUCKETSlabel |
Source: l5u4ezxr.u51.exe | String found in binary or memory: https://management.azure.comfailed |
Source: l5u4ezxr.u51.exe | String found in binary or memory: https://ossrdbms-aad.database.chinacloudapi.cned25519: |
Source: BitLockerToGo.exe, 00000001.00000003.1768083504.00000000027FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tenseddrywsqio.shop/M |
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://traineiwnqo.shop/ |
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://traineiwnqo.shop/. |
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://traineiwnqo.shop/api |
Source: BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://traineiwnqo.shop/apiK |
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://traineiwnqo.shop/api_ |
Source: BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://traineiwnqo.shop/apibul |
Source: BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://traineiwnqo.shop/fXx |
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://traineiwnqo.shop:443/apii |
Source: l5u4ezxr.u51.exe | String found in binary or memory: https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comNtQuerySystemInformationAllo |
Source: l5u4ezxr.u51.exe | String found in binary or memory: https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps://vault.azure.cn/vault.mi |
Source: BitLockerToGo.exe, 00000001.00000003.1785814274.0000000002871000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1786075321.0000000002850000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/5xx-error-landing |
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.0000000002870000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/ |
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730 |
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443 |
Source: 00000000.00000002.1761754559.0000000002786000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth |
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth |
Source: Process Memory Space: l5u4ezxr.u51.exe PID: 6528, type: MEMORYSTR | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_004321F0 | 1_2_004321F0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_0040C223 | 1_2_0040C223 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_004323E3 | 1_2_004323E3 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_0042D702 | 1_2_0042D702 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00404000 | 1_2_00404000 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_0041F011 | 1_2_0041F011 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00434030 | 1_2_00434030 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_0042C890 | 1_2_0042C890 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_0040D978 | 1_2_0040D978 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_0040B900 | 1_2_0040B900 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00434110 | 1_2_00434110 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_004061F0 | 1_2_004061F0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_004089F0 | 1_2_004089F0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00420980 | 1_2_00420980 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00435990 | 1_2_00435990 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00413A4A | 1_2_00413A4A |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_0040E20B | 1_2_0040E20B |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_0041CA10 | 1_2_0041CA10 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00419A1F | 1_2_00419A1F |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00407A30 | 1_2_00407A30 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00401AD5 | 1_2_00401AD5 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_0041D290 | 1_2_0041D290 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_0041BB22 | 1_2_0041BB22 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_0041A330 | 1_2_0041A330 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_004043C0 | 1_2_004043C0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_004353C0 | 1_2_004353C0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_0043238A | 1_2_0043238A |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00433BA8 | 1_2_00433BA8 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00433C40 | 1_2_00433C40 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00434450 | 1_2_00434450 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00402410 | 1_2_00402410 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00414420 | 1_2_00414420 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00411CDA | 1_2_00411CDA |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_004324BC | 1_2_004324BC |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_0041AD70 | 1_2_0041AD70 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_004335D2 | 1_2_004335D2 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00404DE0 | 1_2_00404DE0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_0041EDFE | 1_2_0041EDFE |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00433D90 | 1_2_00433D90 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_004235B0 | 1_2_004235B0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00420E60 | 1_2_00420E60 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_0040FE01 | 1_2_0040FE01 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00401618 | 1_2_00401618 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00406ED0 | 1_2_00406ED0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00407EE0 | 1_2_00407EE0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00431E80 | 1_2_00431E80 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_004096A0 | 1_2_004096A0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_004356B0 | 1_2_004356B0 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00433F40 | 1_2_00433F40 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_0041D752 | 1_2_0041D752 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_0040CF60 | 1_2_0040CF60 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00414770 | 1_2_00414770 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00431710 | 1_2_00431710 |
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 1_2_00405780 | 1_2_00405780 |
Source: l5u4ezxr.u51.exe, 00000000.00000002.1759379021.00000000015E4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameLauncher!.exe pP vs l5u4ezxr.u51.exe |
Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.000000000274C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs l5u4ezxr.u51.exe |
Source: l5u4ezxr.u51.exe | Binary or memory string: OriginalFilenameLauncher!.exe pP vs l5u4ezxr.u51.exe |
Source: 00000000.00000002.1761754559.0000000002786000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research |
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research |
Source: Process Memory Space: l5u4ezxr.u51.exe PID: 6528, type: MEMORYSTR | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research |