Windows Analysis Report
Setup-Premium.exe

Overview

General Information

Sample name: Setup-Premium.exe
Analysis ID: 1532359
MD5: 65ab8081d6a7f813a39bd06052fa5887
SHA1: 3a2724a4b2e33d1aeb93eadf4e0e2916b5c0450d
SHA256: 3dd3a9ee5cbe4e846be6f6921e8b1fe56317e5a292768625e8710061581d90ec
Tags: exe, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain checking for user administrative privileges
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: 0.2.Setup-Premium.exe.2800000.2.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["vennurviot.sbs", "condifendteu.sbs", "mathcucom.sbs", "enlargkiw.sbs", "proclaimykn.buzz", "resinedyw.sbs", "ehticsprocw.sbs", "drawwyobstacw.sbs", "allocatinow.sbs"], "Build id": "tLYMe5--2"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: drawwyobstacw.sbs
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: condifendteu.sbs
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: ehticsprocw.sbs
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: vennurviot.sbs
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: resinedyw.sbs
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: enlargkiw.sbs
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: allocatinow.sbs
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: mathcucom.sbs
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: proclaimykn.buzz
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: drawwyobstacw.sbs
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: condifendteu.sbs
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: ehticsprocw.sbs
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: vennurviot.sbs
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: resinedyw.sbs
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: enlargkiw.sbs
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: allocatinow.sbs
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: mathcucom.sbs
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: proclaimykn.buzz
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp String decryptor: tLYMe5--2
Source: Setup-Premium.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: Setup-Premium.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: Setup-Premium.exe, 00000000.00000002.2172857628.00000000027A6000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: Setup-Premium.exe, 00000000.00000002.2172857628.00000000027A6000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then xor byte ptr [esp+eax+0Ch], al 2_2_0043A2CA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 2_2_0042D060
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, ecx 2_2_0042D060
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp+08h], edx 2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+18h] 2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+18h] 2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebp, byte ptr [esp+ecx-5CFF4EA3h] 2_2_00429000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [esi], cx 2_2_00426000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_00426000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [eax], cl 2_2_0040D0D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 2_2_004370D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-4BD95CB5h] 2_2_0042C0F5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 21912799h 2_2_0040E086
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000F2h] 2_2_0041F0A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [ecx], dx 2_2_004401EA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then xor byte ptr [esp+eax], al 2_2_0043E2C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp al, 2Eh 2_2_0042A2F3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, eax 2_2_00411333
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [edi+eax], 0000h 2_2_004203A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [esi+edx] 2_2_004013A7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then xor byte ptr [esp+eax+000000C0h], al 2_2_00421490
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 2_2_004424B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+ebx+6C7927FBh] 2_2_004424B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+25B56195h] 2_2_0042C5F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 2_2_0043C580
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 2_2_00405640
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [esi+edx] 2_2_00401655
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [esp+10h] 2_2_00401655
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, eax 2_2_0040F74C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 2_2_004427C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+ebx+6C7927FBh] 2_2_004427C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-18h] 2_2_0041D8C8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_0041D8C8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 2_2_0042C8F2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp+08h], edx 2_2_004018F3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 2_2_00442880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+ebx+6C7927FBh] 2_2_00442880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edi, byte ptr [esi+eax+00000356h] 2_2_0042E940
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, eax 2_2_0042E940
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [eax], cl 2_2_0042E940
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+ebx+6C7927FBh] 2_2_00442960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edi+edx-15h] 2_2_0042B984
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 2_2_00443A60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp+08h], edx 2_2_00401A7D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-28D9FA8Bh] 2_2_00410A15
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 2_2_0041CA20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 2_2_0040EB50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then xor byte ptr [esp+edx+0Ch], dl 2_2_0043DB50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [esp+edi] 2_2_0043AB70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+ebp+04h] 2_2_0040EBD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebp+ecx+00h], 0000h 2_2_00420C90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebx+edx], 0000h 2_2_00420C90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+25B56195h] 2_2_0042CC9C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 2_2_0042CC9C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [esi] 2_2_0042BCB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 2_2_0042DD20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 2_2_00425DA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, edx 2_2_00427E23
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebp, eax 2_2_00409EC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [ebx], cx 2_2_0041CEB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, byte ptr [ecx+ebp] 2_2_00440F74

Networking

Source: Network traffic Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.5:52356 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.5:57119 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.5:50968 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056563 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) : 192.168.2.5:49714 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2056567 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) : 192.168.2.5:49707 -> 172.67.152.13:443
Source: Network traffic Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.5:63561 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056559 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) : 192.168.2.5:49729 -> 104.21.79.35:443
Source: Network traffic Suricata IDS: 2056557 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) : 192.168.2.5:49738 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.5:54113 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056565 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) : 192.168.2.5:49710 -> 172.67.205.156:443
Source: Network traffic Suricata IDS: 2056561 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) : 192.168.2.5:49724 -> 172.67.173.224:443
Source: Network traffic Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.5:63184 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056571 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.5:60232 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.5:59139 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49707 -> 172.67.152.13:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49707 -> 172.67.152.13:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49729 -> 104.21.79.35:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49729 -> 104.21.79.35:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49714 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49714 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49710 -> 172.67.205.156:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49738 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49738 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49710 -> 172.67.205.156:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49744 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49724 -> 172.67.173.224:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49724 -> 172.67.173.224:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49751 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49751 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49757 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49757 -> 104.21.53.8:443
Source: Malware configuration extractor URLs: vennurviot.sbs
Source: Malware configuration extractor URLs: condifendteu.sbs
Source: Malware configuration extractor URLs: mathcucom.sbs
Source: Malware configuration extractor URLs: enlargkiw.sbs
Source: Malware configuration extractor URLs: proclaimykn.buzz
Source: Malware configuration extractor URLs: resinedyw.sbs
Source: Malware configuration extractor URLs: ehticsprocw.sbs
Source: Malware configuration extractor URLs: drawwyobstacw.sbs
Source: Malware configuration extractor URLs: allocatinow.sbs
Source: Joe Sandbox View IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: proclaimykn.buzz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mathcucom.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enlargkiw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: resinedyw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vennurviot.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ehticsprocw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condifendteu.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawwyobstacw.sbs
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=7dVCApaVSuJAHxS2hly8AvsgLmmtzBWUGr_DufxF.Bw-1728776664-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 75Host: sergei-esenin.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: proclaimykn.buzz
Source: global traffic DNS traffic detected: DNS query: mathcucom.sbs
Source: global traffic DNS traffic detected: DNS query: allocatinow.sbs
Source: global traffic DNS traffic detected: DNS query: enlargkiw.sbs
Source: global traffic DNS traffic detected: DNS query: resinedyw.sbs
Source: global traffic DNS traffic detected: DNS query: vennurviot.sbs
Source: global traffic DNS traffic detected: DNS query: ehticsprocw.sbs
Source: global traffic DNS traffic detected: DNS query: condifendteu.sbs
Source: global traffic DNS traffic detected: DNS query: drawwyobstacw.sbs
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: proclaimykn.buzz
Source: Setup-Premium.exe String found in binary or memory: http://.css
Source: Setup-Premium.exe String found in binary or memory: http://.jpg
Source: Setup-Premium.exe String found in binary or memory: http://html4/loose.dtd
Source: Setup-Premium.exe String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: Setup-Premium.exe String found in binary or memory: http://json-schema.org/draft-04/schema#/definitions/positiveInteger
Source: Setup-Premium.exe String found in binary or memory: http://json-schema.org/draft-04/schema#/definitions/positiveIntegerDefault0
Source: Setup-Premium.exe String found in binary or memory: http://json-schema.org/draft-04/schema#/definitions/stringArray
Source: Setup-Premium.exe String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/default
Source: Setup-Premium.exe String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/description
Source: Setup-Premium.exe String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/enum
Source: Setup-Premium.exe String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/exclusiveMaximum
Source: Setup-Premium.exe String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/exclusiveMinimum
Source: Setup-Premium.exe String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/maximum
Source: Setup-Premium.exe String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/minimum
Source: Setup-Premium.exe String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/multipleOf
Source: Setup-Premium.exe String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/pattern
Source: Setup-Premium.exe String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/title
Source: Setup-Premium.exe String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/type
Source: Setup-Premium.exe String found in binary or memory: http://json-schema.org/draft-04/schema#/properties/uniqueItems
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Setup-Premium.exe String found in binary or memory: http://swagger.io/v2/schema.json#
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://condifendteu.sbs/api
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drawwyobstacw.sbs/
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drawwyobstacw.sbs/api
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drawwyobstacw.sbs/ht
Source: BitLockerToGo.exe, 00000002.00000003.2250209476.0000000002F2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ehticsprocw.sbs/
Source: BitLockerToGo.exe, 00000002.00000003.2250209476.0000000002F2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ehticsprocw.sbs/M
Source: BitLockerToGo.exe, 00000002.00000003.2250209476.0000000002F12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ehticsprocw.sbs/api
Source: Setup-Premium.exe String found in binary or memory: https://github.com/zitadel/zitadel/blob/new-eventstore/cmd/zitadel/startup.yaml.
Source: Setup-Premium.exe String found in binary or memory: https://gorm.io/docs/hooks.htmlWarning:
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: Setup-Premium.exe String found in binary or memory: https://index.docker.io/v1/input
Source: BitLockerToGo.exe, 00000002.00000003.2183297651.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2193093217.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/
Source: BitLockerToGo.exe, 00000002.00000003.2183297651.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2193093217.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/api
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F12000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002ED8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/%
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/-
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F12000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiM
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/E
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/m
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.2250209476.0000000002F2B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vennurviot.sbs/api
Source: BitLockerToGo.exe, 00000002.00000003.2250209476.0000000002F2B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vennurviot.sbs/apii
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F12000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F96000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-manag
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F12000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-managy
Source: BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-managyPHPgg
Source: BitLockerToGo.exe, 00000002.00000003.2288880798.0000000002FBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2282297159.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49757 version: TLS 1.2
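The port-only lines and the HTTPS lines above describe the same sessions from two angles, and the quickest way to turn them into a destination list is to join them on the client's ephemeral port. The Python below is an added example for reading this report, not Joe Sandbox code and not part of the sample; it assumes that the 443 side of each port line is the remote server and the other side is the sandbox client (the port lines carry no addresses), and its input is the evidence lines above, copied verbatim as a constructed sample.

```python
"""Correlate Joe Sandbox network evidence lines into per-session records.

Added example for reading this report; not part of Joe Sandbox or of the sample.
"""
import re
from collections import Counter

SERVER_PORT = 443  # assumption: the 443 side is the remote server, the other side the sandbox client

# Constructed input: the HTTP/HTTPS evidence lines from the report, copied verbatim.
SAMPLE_LINES = """\
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49757 version: TLS 1.2
"""

PORT_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)$")
TLS_RE = re.compile(
    r"HTTPS traffic detected: (\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)"
    r" version: (TLS [\d.]+)$"
)


def build_session_table(text):
    """Merge both line types into {client_port: record}, keyed by the ephemeral port."""
    sessions = {}

    def record(port):
        return sessions.setdefault(port, {
            "remote_ip": None, "remote_port": None, "tls": None,
            "outbound_seen": False, "inbound_seen": False,
        })

    for line in text.splitlines():
        m = PORT_RE.search(line)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            if src == SERVER_PORT:           # server -> client: reply direction
                record(dst)["inbound_seen"] = True
            else:                            # client -> server: request direction
                record(src)["outbound_seen"] = True
            continue
        m = TLS_RE.search(line)
        if m:
            remote_ip, remote_port, _client_ip, client_port, version = m.groups()
            r = record(int(client_port))
            r.update(remote_ip=remote_ip, remote_port=int(remote_port), tls=version)
    return sessions


def summarize(sessions):
    """Count TLS sessions per remote IP and flag records that are incomplete."""
    per_ip = Counter(r["remote_ip"] for r in sessions.values() if r["remote_ip"])
    one_sided = sorted(p for p, r in sessions.items()
                       if r["outbound_seen"] != r["inbound_seen"])
    no_tls = sorted(p for p, r in sessions.items() if r["tls"] is None)
    return {"sessions": sum(per_ip.values()), "per_ip": per_ip,
            "one_sided_ports": one_sided, "ports_without_tls": no_tls}


if __name__ == "__main__":
    summary = summarize(build_session_table(SAMPLE_LINES))
    print(f"{summary['sessions']} TLS sessions to {len(summary['per_ip'])} distinct remote IPs")
    for ip, n in summary["per_ip"].most_common():
        print(f"  {ip:16} {n} session(s)")
    print("ports logged in one direction only:", summary["one_sided_ports"])
```

On the lines above this yields 11 TLS 1.2 sessions to 8 distinct remote addresses, with 188.114.96.3 contacted three times and 104.21.53.8 twice. Three client ports (49710, 49744, 49757) appear in only one direction in the port-only lines, so the HTTPS lines, not the port lines, are the list to count from when building network indicators.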
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00435320 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_00435320
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004354A0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,StretchBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,DeleteObject, 2_2_004354A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0043A36A 2_2_0043A36A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00410F13 2_2_00410F13
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00401000 2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00442010 2_2_00442010
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004350E0 2_2_004350E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041F0A0 2_2_0041F0A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004270A0 2_2_004270A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00433160 2_2_00433160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00444120 2_2_00444120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004081B0 2_2_004081B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004292C0 2_2_004292C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041D2F0 2_2_0041D2F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042A2F3 2_2_0042A2F3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040135D 2_2_0040135D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040D330 2_2_0040D330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004203A0 2_2_004203A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004013A7 2_2_004013A7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040A410 2_2_0040A410
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042D416 2_2_0042D416
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00411436 2_2_00411436
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004224C0 2_2_004224C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004394D0 2_2_004394D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00421490 2_2_00421490
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004424B0 2_2_004424B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00411436 2_2_00411436
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0043E650 2_2_0043E650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00401655 2_2_00401655
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004266DB 2_2_004266DB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004036E0 2_2_004036E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040F74C 2_2_0040F74C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00439730 2_2_00439730
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004417C0 2_2_004417C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004427C0 2_2_004427C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004077D0 2_2_004077D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004107EB 2_2_004107EB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004117F1 2_2_004117F1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042B799 2_2_0042B799
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041D8C8 2_2_0041D8C8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00442880 2_2_00442880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042E940 2_2_0042E940
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00442960 2_2_00442960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00406A30 2_2_00406A30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040BA80 2_2_0040BA80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040AAB0 2_2_0040AAB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00441B40 2_2_00441B40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040EBD0 2_2_0040EBD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00443B80 2_2_00443B80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00416CC1 2_2_00416CC1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00408C9E 2_2_00408C9E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042BCB0 2_2_0042BCB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00442CB0 2_2_00442CB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00410D40 2_2_00410D40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00421D60 2_2_00421D60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00406DD0 2_2_00406DD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00438DEA 2_2_00438DEA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00404DF0 2_2_00404DF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042AD8C 2_2_0042AD8C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00426E68 2_2_00426E68
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00443E20 2_2_00443E20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00426E2C 2_2_00426E2C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040DE3F 2_2_0040DE3F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00409EC0 2_2_00409EC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00439EA0 2_2_00439EA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041CEB0 2_2_0041CEB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040AF70 2_2_0040AF70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00440F74 2_2_00440F74
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00432F30 2_2_00432F30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0040C570 appears 72 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0040DD20 appears 190 times
Source: Setup-Premium.exe, 00000000.00000002.2172857628.00000000027A6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs Setup-Premium.exe
Source: Setup-Premium.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/0@11/8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0043A1B0 CoCreateInstance, 2_2_0043A1B0
Source: Setup-Premium.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Setup-Premium.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Setup-Premium.exe String found in binary or memory: github.com/go-openapi/loads
Source: Setup-Premium.exe String found in binary or memory: 2github.com/docker/docker-credential-helpers/client
Source: Setup-Premium.exe String found in binary or memory: 2github.com/klauspost/compress/zstd/internal/xxhash2github.com/docker/docker-credential-helpers/client
Source: Setup-Premium.exe String found in binary or memory: 7github.com/docker/docker-credential-helpers/credentials
Source: Setup-Premium.exe String found in binary or memory: StacktraceKey)json:"stacktraceKey" yaml:"stacktraceKey"7github.com/spf13/viper/internal/encoding/javaproperties7*map.bucket[protowire.Number]protoreflect.ExtensionType7*struct { F uintptr; X0 *int; X1 proto.MarshalOptions }7*func(context.Context, float64, ...metric.RecordOption)7github.com/docker/docker-credential-helpers/credentials7*func(kem.PublicKey, []uint8) ([]uint8, []uint8, error)7github.com/cloudflare/circl/pke/kyber/kyber512/internal7github.com/cloudflare/circl/pke/kyber/kyber768/internal8*func(string, ...nats.WatchOpt) (nats.KeyWatcher, error)8*func(*nats.ObjectStoreConfig) (nats.ObjectStore, error)8*func(string, []uint8, time.Duration) (*nats.Msg, error)8*struct { F uintptr; X0 *nats.js; X1 string; X2 string }
Source: Setup-Premium.exe String found in binary or memory: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=RegSetValueExWboringcrypto: .WithoutCancel.WithDeadline(zero parameterinvalid syntax1907348632812595367431640625createLogEntrysearchLogQuerysignedTreeHeadintegratedTimedata truncatedinternal errorContent-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAM; SameSite=LaxERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eof{$} not at endempty wildcardinvalid methodparsing %q: %wunknown error unknown code: Not Acceptable\.+*?()|[]{}^$x509ignoreCN=1validate.rulesreserved_rangefield_presenceunsafe.Pointer on zero Valuereflect.Value.unknown methodbad record MACunexpected EOF.in-addr.arpa.unknown mode: Accept-CharsetDkim-SignatureControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDOpenSCManagerWSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWModule32FirstWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueWunreachable: /log/filter.go/log/helper.go
Source: Setup-Premium.exe String found in binary or memory: invalid Trailer key already registeredProxy-Authorizationunknown status codeunexpected InstFailBLOB_UPLOAD_INVALIDjava_multiple_filescc_generic_servicespy_generic_servicesdeprecation_warningreflect.Value.Bytesreflect.Value.Fieldreflect.Value.Indexreflect.Value.Slicereflect.Value.Clearreflect.AppendSlice are not comparablerevoked certificateexpired certificateunknown certificateunknown cipher typeinvalid MAC addresscriterion too shortinvalid URL escape missing ']' in hostQueryServiceConfigWSetTokenInformationCreatePseudoConsoleDisconnectNamedPipeGetDiskFreeSpaceExWGetLargePageMinimumGetOverlappedResultGetSystemDirectoryWMultiByteToWideCharResizePseudoConsoleRtlAddFunctionTableGetForegroundWindowLoadKeyboardLayoutWGetFileVersionInfoWCanadian_AboriginalKhitan_Small_Scriptfile already existsfile does not existfile already closedexec: canceling Cmdinvalid blocklen %dinvalid data len %dmultipartmaxheaders20060102150405Z0700.docker/config.jsonmodulus must be oddContent-DispositionRawValueEncodeValueRawValueDecodeValuemail: no angle-addrconsumeAddrSpec: %qconsumePhrase: [%s]invalid UUID formatinvalid character 'while parsing a tagPrerelease is emptyno public key foundmime: no media typeevictCount overflow "(),/:;<=>?@[]\{}untrusted comment:
Source: Setup-Premium.exe String found in binary or memory: lock: lock countbad system huge page sizearena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: invalid p statecheckdead: no p for timercheckdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStartunexpected key value typeExpandEnvironmentStringsWx509: invalid RDNSequencex509: invalid RSA modulusx509: malformed extensionx509: malformed signaturecontext deadline exceededjson: Unexpected key typereflect.Value.OverflowIntjson: unsupported value: not at beginning of valueecdsa: invalid public keyerror during PEM decoding2910383045673370361328125proposedContent.verifierscontent.payloadHash.valuefailure generating objectmissing signature contentmissing publicKey contentunknown Go type for sliceexplicit tag has no childinvalid object identifierhttp: invalid cookie namehttp2: Request.URI is niltext/plain; charset=utf-8http: invalid Cookie.Namehttp2: Framer %p: read %vframe_data_pad_byte_shortframe_settings_has_streamframe_headers_zero_streamframe_headers_pad_too_bigframe_priority_bad_lengthhttp2: invalid header: %vstrict-transport-securityhttp2: unsupported schemeread_frame_unexpected_eof{...} wildcard not at endhttp: invalid Host headerport number out of range invalid username/passwordmissing envelope propertybytes,1071,opt,name=rulesleading_detached_commentsreflect: Bits of nil Typereflect.StructOf: field "reflect.Value.SetMapIndextls: protocol is shutdownno answer from DNS serverno suitable address foundunexpected '[' in addressunexpected ']' in addressContent-Transfer-Encodingnet/url: invalid userinfoGetSecurityDescriptorDaclGetSecurityDescriptorSaclGetSidIdentifierAuthorityInitiateSystemShutdownExWIsValidSecurityDescriptorSetSecurityDescriptorDaclSetSecurityDescriptorSaclFindNextVolumeMountPointWFindVolumeMountPointCloseQueryInformationJobObjectNtQueryInformationProcessSetupDiCallClassInstallerSetupDiGetDevicePropertyWSetupDiGetSelectedDriverWSetupDiSetSelectedDriverW with too many arguments inconsistent poll.fdMutexGODEBUG: can not enable "unsupported type %T, a %smail: unclosed angle-addrmail: leading dot in atomcharset not supported: %q^(?:[0-9]{9}X|[0-9]{10})$%s must be of type %s: %q%s should be less than %v%d error(s) decoding:
Source: Setup-Premium.exe String found in binary or memory: tableLog (%d) > maxTableLog (%d)unexpected null character (0x00)sha3: write to sponge after readSigEd25519 no Ed25519 collisionsblake2s: write to XOF after readMILESTONE_FIELD_NAME_REACHED_DATEjetstream not enabled for accountnats: context requires a deadlinerelease of handle with refcount 0crypto/aes: output not full blockbytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whencetoo many levels of symbolic linksInitializeProcThreadAttributeListImage base beyond allowed addressThunk AddressOfData beyond limitsCentral Kurdish Iraq (ku-Arab-IQ)Norwegian (Bokmal) Norway (nb-NO)could not find signer certificateinvalid VS_VERSION_INFO block. %ssync: RUnlock of unlocked RWMutexslice bounds out of range [%x:%y]runtime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangex509: invalid RSA public exponentx509: SAN rfc822Name is malformedx509: invalid extended key usagescrypto: requested hash function #SigEd25519 no Ed25519 collisions
Source: Setup-Premium.exe String found in binary or memory: string field contains invalid UTF-8%v already implements proto.Messagemlkem768: invalid ciphertext lengthtoo many Questions to pack (>65535)flate: corrupt input before offset expect [ or , or ] or n, but found invalid control character found: %dtransform: short destination bufferbytes,291403980,opt,name=field_infomessage %v cannot be extended by %v%s: none of the oneof fields is setcannot decode %v into a primitive.Dcannot decode %v into a string typecannot decode %v into a json.Numberbson.Element{[%s]"%s": <malformed>}missing EncodeTime in EncoderConfigchacha20: output smaller than inputcrypto/blake2b: cannot marshal MACsunsupported cipher in private key: Reserved for backward compatibilityfailed to set value %#v to field %sunpaired removeDep: no %T dep on %Tfile %q has a name conflict over %vfound wrong type: got %v, want enumfield match condition not found in BUG: accessing uninitialized bucket%d extra bits on block, should be 0zero matchoff and matchlen (%d) > 0Error while reading from Writer: %s%s: unknown kind to decode into: %s%s: not an object type for map (%T)nanoseconds need at least one digitnumber cannot start with underscoretoml: cannot encode a nil interfaceshould not be called with empty keynumber %f does not fit in a float32bad successive approximation valueshttp2: scheme must be http or https%d response missing Location headerhttp2: Framer %p: read %v. Type: %vPUSH_PROMISE frame with stream ID 0unknown compression method name: %sdelimiters may only be "{}" or "<>"truncated input (or invalid offset)incompatible period types %v and %vincompatible sample types %v and %vmultiple functions with same id: %dmultiple locations with same id: %dpprof: use of uninitialized Profileruntime/pprof: converting profile: mismatched profile records and tagsbasic strings cannot have new linesTLS_KRB5_EXPORT_WITH_DES_CBC_40_SHATLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHATLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5TLS_DHE_DSS_WITH_AES_128_CBC_SHA256TLS_DHE_RSA_WITH_AES_128_CBC_SHA256TLS_DHE_DSS_WITH_AES_256_CBC_SHA256TLS_DHE_RSA_WITH_AES_256_CBC_SHA256TLS_DH_anon_WITH_AES_128_CBC_SHA256TLS_DH_anon_WITH_AES_256_CBC_SHA256TLS_DHE_RSA_WITH_AES_128_GCM_SHA256TLS_DHE_RSA_WITH_AES_256_GCM_SHA384TLS_DHE_DSS_WITH_AES_128_GCM_SHA256TLS_DHE_DSS_WITH_AES_256_GCM_SHA384TLS_DH_anon_WITH_AES_128_GCM_SHA256TLS_DH_anon_WITH_AES_256_GCM_SHA384TLS_DHE_PSK_WITH_AES_128_GCM_SHA256TLS_DHE_PSK_WITH_AES_256_GCM_SHA384TLS_RSA_PSK_WITH_AES_128_GCM_SHA256TLS_RSA_PSK_WITH_AES_256_GCM_SHA384TLS_DHE_PSK_WITH_AES_128_CBC_SHA256TLS_DHE_PSK_WITH_AES_256_CBC_SHA384TLS_RSA_PSK_WITH_AES_128_CBC_SHA256TLS_RSA_PSK_WITH_AES_256_CBC_SHA384TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHATLS_ECDH_ECDSA_WITH_AES_256_CBC_SHATLS_ECDH_anon_WITH_3DES_EDE_CBC_SHATLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHATLS_DH_DSS_WITH_ARIA_128_CBC_SHA256TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256TLS_DH_RSA_WITH_ARIA_256_
Source: Setup-Premium.exe String found in binary or memory: x509: certificate is not valid for any names, but wanted to match x509: requested SignatureAlgorithm does not match private key typeunable to process scalar node. Got %q. Expecting float content: %w[GET /api/v1/log/entries/{entryUUID}][%d] getLogEntryByUuidOK %+vaccepted signatures do not match threshold, Found: %d, Expected %dreflect: indirection through nil pointer to embedded struct field tls: certificate private key (%T) does not implement crypto.Signerclient doesn't support ECDHE, can only use legacy RSA key exchangetls: server sent an unexpected quic_transport_parameters extensionpkcs7: signing time %q is outside of certificate validity %q to %qcryptobyte: high-tag number identifier octects not supported: 0x%xinternal error: attempted to parse unknown event (please report): If non-empty, use this log file (no effect when -logtostderr=true)If true, adds the file directory to the header of the log messagesDescriptor.Options called without importing the descriptor packagedocument end byte found before end of document. remaining bytes=%vinternal error: expected cumul[s.symbolLen] (%d) == tableSize (%d)uconn.Extensions contains %v separate SupportedVersions extensionstls: writeToUConn is not implemented for the PreSharedKeyExtensiontls: InitializeByUtls failed: the session is not a tls 1.2 sessiontoml: key %s already exists as a %s, but should be an array tablecannot create a subscription for a consumer with a deliver group %q[POST /api/v1/log/entries/retrieve][%d] searchLogQuery default %+vtbsCertList.revokedCertificates.crlEntryExtensions.*.InvalidityDatetls: server sent certificate containing RSA key larger than %d bitsif non-empty, httptest.NewServer serves on this address and blocks.field %v with invalid Mutable call on field with non-composite typeSliceDecodeValue can only decode a binary into a byte array, got %vSliceDecodeValue can only decode a string into a byte array, got %vtls: IsInitialized is not implemented for the PreSharedKeyExtension((a)naly|(b)a|(d)iagno|(p)arenthe|(p)rogno|(s)ynop|(t)he)(sis|ses)$FileAlignment lesser than 0x200 and different from section alignmentdamaged Import Table information. ILT and/or IAT appear to be broken2695994666715063979466701508701963067355791626002630814351006629888126959946667150639794667015087019625940457807714424391721682722368061unable to process scalar node. Got %q. Expecting integer content: %w[GET /api/v1/log/entries/{entryUUID}][%d] getLogEntryByUuidNotFound padding bytes must all be zeros unless AllowIllegalWrites is enabledhttp2: Transport conn %p received error from processing frame %v: %vhttp2: Transport received unsolicited DATA frame; closing connectionhttp: message cannot contain multiple Content-Length headers; got %qx509: failed to unmarshal certificate list authority info access: %vreflect: reflect.Value.UnsafePointer on an invalid notinheap pointertls: internal error: sending non-handshake message to QUIC transportbig: invalid 2nd argument to Int.Jacobi: need odd integer bu
Source: Setup-Premium.exe String found in binary or memory: depgithub.com/docker/docker-credential-helpersv0.8.0h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
Source: Setup-Premium.exe String found in binary or memory: depgithub.com/go-openapi/loadsv0.22.0h1:ECPGd4jX1U6NApCGG1We+uEozOAvXvJSF4nnwHZ8Aco=
Source: Setup-Premium.exe String found in binary or memory: github.com/go-openapi/loads.init.0
Source: Setup-Premium.exe String found in binary or memory: github.com/go-openapi/loads.(*loader).WithHead
Source: Setup-Premium.exe String found in binary or memory: github.com/go-openapi/loads.(*loader).Load
Source: Setup-Premium.exe String found in binary or memory: github.com/go-openapi/loads.JSONDoc
Source: Setup-Premium.exe String found in binary or memory: github.com/go-openapi/loads.init.1
Source: Setup-Premium.exe String found in binary or memory: github.com/go-openapi/loads.init.0.func1
Source: Setup-Premium.exe String found in binary or memory: github.com/go-openapi/loads.(*loader).Load-fm
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.errCredentialsNotFound.Error
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.errCredentialsNotFound.NotFound
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.errCredentialsMissingServerURL.Error
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.errCredentialsMissingServerURL.InvalidParameter
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.errCredentialsMissingUsername.Error
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.errCredentialsMissingUsername.InvalidParameter
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.(*errCredentialsNotFound).Error
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.(*errCredentialsNotFound).NotFound
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.(*errCredentialsMissingServerURL).Error
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.(*errCredentialsMissingServerURL).InvalidParameter
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.(*errCredentialsMissingUsername).Error
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.(*errCredentialsMissingUsername).InvalidParameter
Source: Setup-Premium.exe String found in binary or memory: type:.eq.github.com/docker/docker-credential-helpers/credentials.Credentials
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/client.Store
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/client.isValidCredsMessage
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.IsCredentialsMissingServerURLMessage
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.IsCredentialsMissingUsernameMessage
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/client.Get
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.IsErrCredentialsNotFoundMessage
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/client.Erase
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/client.List
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/client.createProgramCmdRedirectErr
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/client.(*Shell).Output
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/client.(*Shell).Input
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/credentials.IsErrCredentialsNotFound
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/client.NewShellProgramFunc
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers/client.NewShellProgramFuncWithEnv
Source: Setup-Premium.exe String found in binary or memory: net/addrselect.go
Source: Setup-Premium.exe String found in binary or memory: github.com/sigstore/sigstore@v1.8.9/pkg/signature/options/loadoptions.go
Source: Setup-Premium.exe String found in binary or memory: google.golang.org/genproto/googleapis/api@v0.0.0-20240827150818-7e3bb234dfed/launch_stage.pb.go
Source: Setup-Premium.exe String found in binary or memory: github.com/go-openapi/swag@v0.23.0/loading.go
Source: Setup-Premium.exe String found in binary or memory: github.com/go-openapi/loads@v0.22.0/loaders.go
Source: Setup-Premium.exe String found in binary or memory: github.com/go-openapi/loads@v0.22.0/spec.go
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers@v0.8.0/credentials/error.go
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers@v0.8.0/client/client.go
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/docker-credential-helpers@v0.8.0/client/command.go
Source: Setup-Premium.exe String found in binary or memory: github.com/docker/distribution@v2.8.3+incompatible/registry/client/auth/challenge/addr.go
Source: Setup-Premium.exe String found in binary or memory: github.com/magiconair/properties@v1.8.7/load.go
Source: Setup-Premium.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: Setup-Premium.exe String found in binary or memory: google/api/launch_stage.proto
Source: Setup-Premium.exe String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: C:\Users\user\Desktop\Setup-Premium.exe File read: C:\Users\user\Desktop\Setup-Premium.exe
Source: unknown Process created: C:\Users\user\Desktop\Setup-Premium.exe "C:\Users\user\Desktop\Setup-Premium.exe"
Source: C:\Users\user\Desktop\Setup-Premium.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\Setup-Premium.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\Setup-Premium.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Setup-Premium.exe Section loaded: umpdc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: amsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: version.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: Setup-Premium.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Setup-Premium.exe Static file information: File size 22590464 > 1048576
Source: Setup-Premium.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0xa0cc00
Source: Setup-Premium.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xa44800
Source: Setup-Premium.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: Setup-Premium.exe, 00000000.00000002.2172857628.00000000027A6000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: Setup-Premium.exe, 00000000.00000002.2172857628.00000000027A6000.00000004.00001000.00020000.00000000.sdmp
Source: Setup-Premium.exe Static PE information: section name: .symtab
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0044876C push esp; retf 0047h 2_2_0044876D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00448770 push esp; retf 0047h 2_2_00448771
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0043DA60 push eax; mov dword ptr [esp], 37363908h 2_2_0043DA65
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00448C8B push esp; retf 0047h 2_2_00448C95
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00448D4B push eax; retf 2_2_00448D4D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00449E6E push ebx; retf 2_2_00449E6F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0043DE30 push eax; mov dword ptr [esp], FCFDFEFFh 2_2_0043DE3A
Source: C:\Users\user\Desktop\Setup-Premium.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Check user administrative privileges: IsUserAndAdmin, DecisionNode
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 4308 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: BitLockerToGo.exe, 00000002.00000003.2250209476.0000000002F2B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000002.00000003.2250209476.0000000002F2B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2288941580.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2300154573.0000000002F28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWz'
Source: Setup-Premium.exe, 00000000.00000002.2171311067.0000000001F2C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe API call chain: ExitProcess graph end node
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process queried: DebugPort
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0043ACB0 LdrInitializeThunk, 2_2_0043ACB0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Setup-Premium.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Setup-Premium.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: drawwyobstacw.sbs
Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: condifendteu.sbs
Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ehticsprocw.sbs
Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: vennurviot.sbsz
Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: resinedyw.sbs
Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: enlargkiw.sbs
Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: allocatinow.sbs
Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: mathcucom.sbs
Source: Setup-Premium.exe, 00000000.00000002.2171424437.0000000002584000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: proclaimykn.buzz
Source: C:\Users\user\Desktop\Setup-Premium.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C9C008
Source: C:\Users\user\Desktop\Setup-Premium.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\Desktop\Setup-Premium.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\Desktop\Setup-Premium.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 445000
Source: C:\Users\user\Desktop\Setup-Premium.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 448000
Source: C:\Users\user\Desktop\Setup-Premium.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 458000
Source: C:\Users\user\Desktop\Setup-Premium.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\Setup-Premium.exe Queries volume information: C:\Users\user\Desktop\Setup-Premium.exe VolumeInformation
Source: C:\Users\user\Desktop\Setup-Premium.exe Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Desktop\Setup-Premium.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\Desktop\Setup-Premium.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\Desktop\Setup-Premium.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Desktop\Setup-Premium.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 2.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup-Premium.exe.2800000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup-Premium.exe.2800000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2173525211.00000000029BF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 2.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup-Premium.exe.2800000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup-Premium.exe.2800000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2299589275.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2173525211.0000000002800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2173525211.00000000029BF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY