Windows Analysis Report
https://finalstepgetshere.com/uploads/beta111.zip

Overview

General Information

Sample URL: https://finalstepgetshere.com/uploads/beta111.zip
Analysis ID: 1523594
Infos:

Detection

LummaC, Go Injector, LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected Go Injector
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Downloads suspicious files via Chrome
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: 14.3.pen-drive-rec.exe.2aefa790000.3.unpack Malware Configuration Extractor: LummaC {"C2 url": ["metallygaricwo.shop", "chickerkuso.shop", "carrtychaintnyw.shop", "milldymarskwom.shop", "puredoffustow.shop", "achievenmtynwjq.shop", "quotamkdsdqo.shop", "opponnentduei.shop"], "Build id": "tLYMe5--rui111"}
Source: 00000012.00000002.2439532524.0000000002F5F000.00000040.00000400.00020000.00000000.sdmp String decryptor: opponnentduei.shop
Source: 00000012.00000002.2439532524.0000000002F5F000.00000040.00000400.00020000.00000000.sdmp String decryptor: puredoffustow.shop
Source: 00000012.00000002.2439532524.0000000002F5F000.00000040.00000400.00020000.00000000.sdmp String decryptor: achievenmtynwjq.shop
Source: 00000012.00000002.2439532524.0000000002F5F000.00000040.00000400.00020000.00000000.sdmp String decryptor: chickerkuso.shop
Source: 00000012.00000002.2439532524.0000000002F5F000.00000040.00000400.00020000.00000000.sdmp String decryptor: milldymarskwom.shop
Source: 00000012.00000002.2439532524.0000000002F5F000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000012.00000002.2439532524.0000000002F5F000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000012.00000002.2439532524.0000000002F5F000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000012.00000002.2439532524.0000000002F5F000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000012.00000002.2439532524.0000000002F5F000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.18:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.18:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.18:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.160.22:443 -> 192.168.2.18:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.23.209.150:443 -> 192.168.2.18:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.18:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.18:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.18:49713 version: TLS 1.2
Source: Binary string: BitLockerToGo.pdb source: pen-drive-rec.exe, 0000000E.00000003.2391178772.000002AEFA6D0000.00000004.00001000.00020000.00000000.sdmp, pen-drive-rec.exe, 0000000E.00000003.2390818672.000002AEFA710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: pen-drive-rec.exe, 0000000E.00000003.2391178772.000002AEFA6D0000.00000004.00001000.00020000.00000000.sdmp, pen-drive-rec.exe, 0000000E.00000003.2390818672.000002AEFA710000.00000004.00001000.00020000.00000000.sdmp

Networking

Source: Network traffic Suricata IDS: 2056016 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (milldymarskwom .shop) : 192.168.2.18:63347 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056020 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (puredoffustow .shop) : 192.168.2.18:57762 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056006 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (carrtychaintnyw .shop) : 192.168.2.18:52063 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056004 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (achievenmtynwjq .shop) : 192.168.2.18:55345 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056024 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quotamkdsdqo .shop) : 192.168.2.18:57419 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056018 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (opponnentduei .shop) : 192.168.2.18:55666 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056014 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (metallygaricwo .shop) : 192.168.2.18:63452 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056008 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chickerkuso .shop) : 192.168.2.18:63332 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.18:49713 -> 172.67.209.193:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.18:49713 -> 172.67.209.193:443
Source: Malware configuration extractor URLs: metallygaricwo.shop
Source: Malware configuration extractor URLs: chickerkuso.shop
Source: Malware configuration extractor URLs: carrtychaintnyw.shop
Source: Malware configuration extractor URLs: milldymarskwom.shop
Source: Malware configuration extractor URLs: puredoffustow.shop
Source: Malware configuration extractor URLs: achievenmtynwjq.shop
Source: Malware configuration extractor URLs: quotamkdsdqo.shop
Source: Malware configuration extractor URLs: opponnentduei.shop
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.160.22
Source: global traffic HTTP traffic detected: GET /uploads/beta111.zip HTTP/1.1Host: finalstepgetshere.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=C7UWYbLfaxMdzn1&MD=OMxUXF4o HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /client/config?cc=CH&setlang=en-CH HTTP/1.1X-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateAccept-Encoding: gzip, deflateX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-UserAgeClass: UnknownX-BM-Market: CHX-BM-DateFormat: dd/MM/yyyyX-Device-OSSKU: 48X-BM-DTZ: -240X-DeviceID: 01000A410900B03DX-BM-WindowsFlights: FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124117A5,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E,FX:12CDE644,FX:12D1574C,FX:12D281C4,FX:12E8312D,FX:12E85C75X-Search-TimeZone: Bias=300; DaylightBias=-60; TimeZoneKeyName=Eastern Standard TimeX-BM-Theme: 000000;0078d7X-Search-RPSToken: t%3DEwDoAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAUyGQrdwdXyotILYfbEmgo1Y7vTjJpPA1pFt%2BMApleNS3phwBkbgrsZs3hg1BxJEKjguxtFRAPL6Q%2BPstWKrohcJhwbTbFTV37fL/8038xhSX2GeA%2Bh7wdUQbQn%2B0QCCFFi0WWViPotFub19qazn756UKFlrmpZTQxsRBSUTYmAjS6tdfVvVrkEBxF5A8r7cm5/RLqkK4SqZ7Dq%2BD2950Wj48dmuuu0ixR9CTN2yBH00FCHMIzbV2ouLA1yIWeBiIyHlioCLgaMBkMS/2qmiiQ9zq32EQ/PCq7FfwYMDj4mLs4I2Tp1aIvP/Lu4XjOAgVhNgiRIvXyn6onc6cQoxcTMQZgAAEHnC74PDEq7hgDCDfF2DB1ewAVFVmq38TrbgMt4l30z6J8xu5zXiCGk7EMdgintmLNABg74sfYh54WvFLEDgyAR2F2weYAJK0yEv35UgLMME0S0o6orVDPH/ZgaEtZ2V8E%2B59thGDpN1eauLfUNc2uk299voG3UazLvRuIHj%2BvrxaYBbfkEqtP8xo/N2LR8hgw9VX2NNzZoarwq4rroHJCwLyJujSRuxWbtj56oT0jtdSracJ8woUlzsZLH2u2b4gqNOsnXl9zdOtzKi%2B6KfZKLcrAhpl5e9VmGqcMcPddwISyoDhsULo9AkXwY2ktxhAXrifH7GKjU1Y7C79O943Mvj6IlhFJGyXLaekox%2B7c2o7%2BZ5HfZ6H7O/Rt485eM1F8Dm8KB3DGD9A051jzCA2TQIrVMrU6yOoZGgTlAY9k0P3o2C6BP2yF8V226FwEijGdGTnMGgq2Ud4UV02L2lbJsYVnhsrWrDXaSI9bcIvElqOw9/vJ3rdJmecAszVwlg7Rsg7oSZ9JZVJmRxH9P8iUKjefrVNz9WVMOCpf52bVifFfjQ6Ve71/zKXREU4wSHgN/tdbUC3QhBt5zhImvDdn/JLtcB%26p%3DX-Agent-DeviceId: 01000A410900B03DX-BM-CBT: 
1727806418User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045X-Device-isOptin: falseAccept-language: en-GB, en, en-USX-Device-Touch: falseX-Device-ClientSession: 43AF71310F4447109D5B95C0B0035C41X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIHost: www.bing.comConnection: Keep-AliveCookie: SRCHUID=V=2&GUID=B4BB39E5F80E411D94C438C0FA7ACF94&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=de&LUT=1707317051026&IPMH=6b344233&IPMID=1707317270835&HV=1707317277; ANON=A=680C1B1A649CBD64DD40EBFCFFFFFFFF; MUID=BC76BB0020D345C1A049A4820CB4C03C; MUIDB=BC76BB0020D345C1A049A4820CB4C03C
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=C7UWYbLfaxMdzn1&MD=OMxUXF4o HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: finalstepgetshere.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: milldymarskwom.shop
Source: global traffic DNS traffic detected: DNS query: chickerkuso.shop
Source: global traffic DNS traffic detected: DNS query: achievenmtynwjq.shop
Source: global traffic DNS traffic detected: DNS query: puredoffustow.shop
Source: global traffic DNS traffic detected: DNS query: opponnentduei.shop
Source: global traffic DNS traffic detected: DNS query: metallygaricwo.shop
Source: global traffic DNS traffic detected: DNS query: quotamkdsdqo.shop
Source: global traffic DNS traffic detected: DNS query: carrtychaintnyw.shop
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: gravvitywio.store
Source: unknown HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4828Host: login.live.com
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://feross.org
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://getify.mit-license.org
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438671698.0000000003528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438671698.0000000003528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438671698.0000000003528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://syntheti.cc
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.bootstraptoggle.com
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 00000012.00000003.2438671698.000000000352E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://achievenmtynwjq.shop/
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438671698.0000000003528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://chart-studio.plotly.com
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438671698.0000000003528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438671698.0000000003528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438671698.0000000003528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438671698.0000000003528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438671698.0000000003528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438671698.0000000003528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=0qXC
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=TlXuhKjTdHfu&l=e
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://feross.org
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://fontawesome.com
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://fontawesome.com/license/free
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://getbootstrap.com/)
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://github.com/arl/statsviz
Source: pen-drive-rec.exe, 0000000E.00000000.1937201719.00007FF6696E4000.00000008.00000001.01000000.00000004.sdmp String found in binary or memory: https://github.com/gabomdq/SDL_GameControllerDB
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://github.com/go-sql-driver/mysql/wiki/old_passwordsCumulative
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://github.com/go-sql-driver/mysql/wiki/strict-modepkcs7:
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://github.com/twbs/bootstrap/blob/main/LICENSE)
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://github.com/uber-go/dig/issues/new
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://github.com/voidqk/polybooljs
Source: BitLockerToGo.exe, 00000012.00000003.2438186570.00000000035A3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000002.2440896031.00000000035A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/
Source: BitLockerToGo.exe, 00000012.00000003.2438671698.0000000003547000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000002.2440354805.0000000003548000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/T
Source: BitLockerToGo.exe, 00000012.00000003.2438186570.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000002.2440896031.00000000035AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438186570.000000000359A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000002.2440896031.000000000359D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/api
Source: BitLockerToGo.exe, 00000012.00000002.2440354805.0000000003557000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438671698.0000000003553000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/apiM
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://pkg.go.dev/runtime/metrics#hdr-Supported_metrics
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438186570.00000000035B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438671698.0000000003528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 00000012.00000003.2438671698.0000000003560000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000002.2440683697.0000000003560000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438671698.0000000003528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000002.2439987401.0000000003523000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: BitLockerToGo.exe, 00000012.00000003.2438671698.0000000003560000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000002.2440683697.0000000003560000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900s
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438116950.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438671698.0000000003528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: BitLockerToGo.exe, 00000012.00000003.2427245550.00000000035C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.00000000035B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.18:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.18:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.18:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.160.22:443 -> 192.168.2.18:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.23.209.150:443 -> 192.168.2.18:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.18:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.18:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.18:49713 version: TLS 1.2
Source: pen-drive-rec.exe, 0000000E.00000000.1938068932.00007FF669816000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: directInput8Create memstr_308b38fc-d

System Summary

Source: 0000000E.00000002.2424767496.000000C000B52000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File dump: C:\Users\user\Downloads\beta111.zip (copy)
Source: 0000000E.00000002.2424767496.000000C000B52000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine Classification label: mal100.troj.evad.win@23/10@14/6
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\d68a1e1b-bdea-44a7-a9ec-2e7ec14846bf.tmp
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=2004,i,5079889322829463843,17366028058288366952,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://finalstepgetshere.com/uploads/beta111.zip"
Source: unknown Process created: C:\Users\user\Downloads\beta111\pen-drive-rec.exe "C:\Users\user\Downloads\beta111\pen-drive-rec.exe"
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Section loaded: powrprof.dll
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Section loaded: umpdc.dll
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Section loaded: uxtheme.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll
Source: Google Drive.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: BitLockerToGo.pdb source: pen-drive-rec.exe, 0000000E.00000003.2391178772.000002AEFA6D0000.00000004.00001000.00020000.00000000.sdmp, pen-drive-rec.exe, 0000000E.00000003.2390818672.000002AEFA710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: pen-drive-rec.exe, 0000000E.00000003.2391178772.000002AEFA6D0000.00000004.00001000.00020000.00000000.sdmp, pen-drive-rec.exe, 0000000E.00000003.2390818672.000002AEFA710000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Code function: 14_2_000000D743FFED00 push es; iretd 14_2_000000D743FFEE6B
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Code function: 14_2_000000D743FFD898 push ecx; retf 14_2_000000D743FFD899
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Code function: 17_2_0000004A7A9FCBB8 push ecx; retf 17_2_0000004A7A9FCBB9
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Code function: 17_2_0000004A7A9FD6A8 push ecx; retf 17_2_0000004A7A9FD6A9
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Code function: 17_2_0000004A7A9FD308 push ecx; retf 17_2_0000004A7A9FD309
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Code function: 17_2_0000004A7A9FDA58 push ecx; retf 17_2_0000004A7A9FDA59
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 1976 Thread sleep time: -60000s >= -30000s
Source: BitLockerToGo.exe, 00000012.00000003.2427575430.000000000357F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000012.00000003.2438186570.0000000003588000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000012.00000002.2439987401.0000000003508000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: pen-drive-rec.exe, 0000000E.00000002.2428415834.000002AEF34CC000.00000004.00000020.00020000.00000000.sdmp, pen-drive-rec.exe, 00000011.00000002.2492830932.000001EAB0D1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2F10000 protect: page execute and read and write
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2F10000 value starts with: 4D5A
Source: pen-drive-rec.exe, 0000000E.00000003.2411561411.000002AEFA790000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: carrtychaintnyw.shop
Source: pen-drive-rec.exe, 0000000E.00000003.2411561411.000002AEFA790000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: quotamkdsdqo.shop
Source: pen-drive-rec.exe, 0000000E.00000003.2411561411.000002AEFA790000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: milldymarskwom.shop
Source: pen-drive-rec.exe, 0000000E.00000003.2411561411.000002AEFA790000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: metallygaricwo.shop
Source: pen-drive-rec.exe, 0000000E.00000003.2411561411.000002AEFA790000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: opponnentduei.shop
Source: pen-drive-rec.exe, 0000000E.00000003.2411561411.000002AEFA790000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: puredoffustow.shop
Source: pen-drive-rec.exe, 0000000E.00000003.2411561411.000002AEFA790000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: achievenmtynwjq.shop
Source: pen-drive-rec.exe, 0000000E.00000003.2411561411.000002AEFA790000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: chickerkuso.shop
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2F10000
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 31AB008
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Queries volume information: C:\Users\user\Downloads\beta111\pen-drive-rec.exe VolumeInformation
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\Downloads\beta111\pen-drive-rec.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0000000E.00000000.1938068932.00007FF66A463000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pen-drive-rec.exe PID: 3204, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000000E.00000000.1938068932.00007FF66A463000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pen-drive-rec.exe PID: 3204, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR