Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1532481
MD5: f1113fd6005b558b0a9624edd97dbd58
SHA1: 6a0b156e56f99d81e4567d5b4e0d296957f38746
SHA256: faaf64f9c081fdcf8715679549607bba7f70b594459167cf9f5a9b73664d89ba
Tags: exe, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain checking for user administrative privileges
Injects a PE file into a foreign process
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file name differs from the original file name recorded in the version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: 0.2.Setup.exe.3dc2000.3.unpack Malware Configuration Extractor: LummaC {"C2 url": ["drawwyobstacw.sbs", "resinedyw.sbs", "condifendteu.sbs", "mathcucom.sbs", "allocatinow.sbs", "enlargkiw.sbs", "ehticsprocw.sbs", "vennurviot.sbs", "proclaimykn.buzz"], "Build id": "tLYMe5--222"}
Source: vennurviot.sbs Virustotal: Detection: 16% Perma Link
Source: sergei-esenin.com Virustotal: Detection: 17% Perma Link
Source: mathcucom.sbs Virustotal: Detection: 19% Perma Link
Source: https://vennurviot.sbs/api Virustotal: Detection: 17% Perma Link
Source: https://sergei-esenin.com/r Virustotal: Detection: 16% Perma Link
Source: https://sergei-esenin.com:443/api Virustotal: Detection: 18% Perma Link
Source: Setup.exe Virustotal: Detection: 19% Perma Link
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp String decryptor: drawwyobstacw.sbs
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp String decryptor: condifendteu.sbs
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp String decryptor: ehticsprocw.sbs
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp String decryptor: vennurviot.sbs
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp String decryptor: resinedyw.sbs
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp String decryptor: enlargkiw.sbs
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp String decryptor: allocatinow.sbs
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp String decryptor: mathcucom.sbs
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp String decryptor: proclaimykn.buzz
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp String decryptor: tLYMe5--222
Source: Setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.249:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.77.78:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: Setup.exe, 00000000.00000002.1918803772.00000000038B6000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: Setup.exe, 00000000.00000002.1918803772.00000000038B6000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 1_2_0043C27A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h 1_2_00442B8A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [eax], bl 1_2_00410CE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 1_2_00410CE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+edi-000000ACh] 1_2_00442F74
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [ebp+00h], ax 1_2_0040FF1D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 1_2_00426040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, eax 1_2_00423050
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 1_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then lea eax, dword ptr [esi+04h] 1_2_0042C000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], F3285E74h 1_2_00441010
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 731CDBF3h 1_2_00441010
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax] 1_2_0042B030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], 62429966h 1_2_004400E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [ebp-10h] 1_2_0042E108
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 53F09CFAh 1_2_004201B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 07E776F1h 1_2_004201B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 07E776F1h 1_2_004201B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-1Bh] 1_2_004402C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 7B3AFDABh 1_2_004402C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, byte ptr [esi+edx+77EAD70Ah] 1_2_00430300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], cl 1_2_00430300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+eax-40592EB2h] 1_2_00430300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+00000414h] 1_2_00430300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], cl 1_2_00430300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebp, word ptr [eax] 1_2_00446310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 1_2_00427560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 1_2_0043E530
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], 64567875h 1_2_00440530
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [edi+ebx] 1_2_004055D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-11h] 1_2_0042D676
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 1_2_0042D676
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 1_2_0042D676
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-6Ah] 1_2_00446600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 1_2_004396E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [ebx+eax-416E7C15h] 1_2_004256A6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], dx 1_2_004256A6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esi], ecx 1_2_004116B1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_0041E760
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 1_2_0041E760
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 1_2_0042F840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, dword ptr [esp+04h] 1_2_00420870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 1_2_0043C800
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000E1h] 1_2_004288F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+edx+18h] 1_2_0042C966
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [edx+ebx] 1_2_004439A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 1_2_0042BA60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then lea esi, dword ptr [edx+ecx] 1_2_0042BA60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+ebp-00010794h] 1_2_00444A30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then push eax 1_2_0042DAC2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h 1_2_0043CAD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi+ebp], 00000000h 1_2_0042FB40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, edx 1_2_0043FB50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-0001078Ah] 1_2_00444B60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+ebp-00010794h] 1_2_00444B60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, word ptr [edi+eax*4] 1_2_0040BB20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [0044DFA8h] 1_2_0042EB30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-11h] 1_2_0042EB30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-4Fh] 1_2_00421BC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_00421BC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [esi], ax 1_2_00421BC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h 1_2_00442C56
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+ebp-00010794h] 1_2_00444A30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 03BA5404h 1_2_0043FD10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebp, byte ptr [esp+edi-1Bh] 1_2_0043BD30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [esp+esi-30034F32h] 1_2_0040EDF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then lea eax, dword ptr [esp+10h] 1_2_00442E5F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h 1_2_0043FE30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edi*8], DEF797A3h 1_2_0043FEC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+ebx*8], 07E776F1h 1_2_0043FEC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+54EFD247h] 1_2_0042BE90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, ecx 1_2_00441E9B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 1_2_0041DEB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [ebp+ecx-18h] 1_2_00444EB0
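The findings above place the decrypted C2 strings, the BitLockerToGo.pdb path and every listed code function inside C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (process 1), while the signature list records a process created in suspended mode, a PE image injected into a foreign process and writes to foreign memory: the sample starts the legitimate Windows binary and runs its payload inside it. The Python below is an added example of host-side correlation for that chain, written for this page and not taken from the report or from the sandbox. Its event records are a constructed, Sysmon-like subset; the field names, the made-up PIDs, the expected-parent list, the access-mask check and the rule that BitLockerToGo.exe has no reason to make outbound connections are assumptions to adapt to your own telemetry.

```python
"""Host-side correlation for the hollowing chain in this report: Setup.exe
starts BitLockerToGo.exe, writes into it, and the hollowed process goes online.

Added example for this page, not code from the report. Events are a
constructed, Sysmon-like subset (event_id 1 = process create, 10 = process
access, 3 = network connect); field names, PIDs, the expected-parent list and
the "BitLockerToGo.exe never needs the internet" rule are assumptions.
"""
from collections import defaultdict

TARGET = r"c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe"
EXPECTED_PARENTS = {r"c:\windows\explorer.exe"}  # assumption: adapt to your estate
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# PROCESS_VM_OPERATION | PROCESS_VM_WRITE is the minimum a parent needs to
# overwrite the suspended child's image; Sysmon reports the mask as GrantedAccess.
WRITE_MASK = 0x0008 | 0x0020


def detect_hollowing(events):
    """Return {target_pid: reasons} for BitLockerToGo.exe instances that show
    runtime behaviour (foreign write or network) plus a lineage anomaly, or
    both runtime behaviours. A plain explorer.exe launch is not reported."""
    creates = {e["pid"]: e for e in events
               if e["event_id"] == 1 and e["image"].lower() == TARGET}
    lineage, runtime = defaultdict(list), defaultdict(list)
    for pid, ev in creates.items():
        parent = ev["parent_image"].lower()
        if parent not in EXPECTED_PARENTS:
            lineage[pid].append(f"unexpected parent {parent}")
        if parent.startswith(USER_WRITABLE):
            lineage[pid].append("parent runs from a user-writable path")
    for e in events:
        if (e["event_id"] == 10 and e["target_pid"] in creates
                and (e["granted_access"] & WRITE_MASK) == WRITE_MASK):
            runtime[e["target_pid"]].append(
                f"pid {e['source_pid']} opened it with 0x{e['granted_access']:x}")
        elif e["event_id"] == 3 and e["pid"] in creates:
            runtime[e["pid"]].append(
                f"outbound {e['dest_ip']}:{e['dest_port']} from hollowed image")
    alerts = {}
    for pid in creates:
        if runtime[pid] and (lineage[pid] or len(runtime[pid]) >= 2):
            alerts[pid] = lineage[pid] + runtime[pid]
    return alerts


# Constructed events mirroring the report's chain; PIDs are made up.
EVENTS = [
    {"event_id": 1, "pid": 4120, "image": r"C:\Users\user\Desktop\Setup.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 1, "pid": 5308,
     "image": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
     "parent_image": r"C:\Users\user\Desktop\Setup.exe"},
    {"event_id": 10, "source_pid": 4120, "target_pid": 5308,
     "granted_access": 0x1FFFFF},
    {"event_id": 3, "pid": 5308, "dest_ip": "188.114.97.3", "dest_port": 443},
    # Control case: explorer.exe launched BitLockerToGo.exe and nothing followed.
    {"event_id": 1, "pid": 6000,
     "image": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, reasons in detect_hollowing(EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

The control case matters: a lineage anomaly alone (a portable installer launching the binary) does not fire, and neither does a bare launch from explorer.exe; the alert needs the foreign-memory write or the outbound connection that the report's signatures actually describe. If your sensor does not record the creating parent's handle as a ProcessAccess event, the network signal combined with the lineage anomaly still carries the detection.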

Networking

Source: Network traffic Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.4:51189 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.4:55215 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.4:58064 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.4:57956 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.4:49709 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.4:58845 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056557 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) : 192.168.2.4:49743 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056567 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) : 192.168.2.4:49738 -> 104.21.33.249:443
Source: Network traffic Suricata IDS: 2056559 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) : 192.168.2.4:49742 -> 104.21.79.35:443
Source: Network traffic Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.4:49501 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056563 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) : 192.168.2.4:49740 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2056565 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) : 192.168.2.4:49739 -> 104.21.77.78:443
Source: Network traffic Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.4:58164 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056571 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) : 192.168.2.4:49737 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056561 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) : 192.168.2.4:49741 -> 172.67.173.224:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49741 -> 172.67.173.224:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 172.67.173.224:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49738 -> 104.21.33.249:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49737 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49739 -> 104.21.77.78:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 104.21.77.78:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 104.21.33.249:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49740 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49740 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49745 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49745 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49742 -> 104.21.79.35:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49744 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49742 -> 104.21.79.35:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49746 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49746 -> 172.67.206.204:443
Source: Malware configuration extractor URLs: drawwyobstacw.sbs
Source: Malware configuration extractor URLs: resinedyw.sbs
Source: Malware configuration extractor URLs: condifendteu.sbs
Source: Malware configuration extractor URLs: mathcucom.sbs
Source: Malware configuration extractor URLs: allocatinow.sbs
Source: Malware configuration extractor URLs: enlargkiw.sbs
Source: Malware configuration extractor URLs: ehticsprocw.sbs
Source: Malware configuration extractor URLs: vennurviot.sbs
Source: Malware configuration extractor URLs: proclaimykn.buzz
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View IP Address: 104.21.33.249
Source: Joe Sandbox View IP Address: 172.67.173.224
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: proclaimykn.buzz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: mathcucom.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: enlargkiw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: resinedyw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: vennurviot.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: ehticsprocw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: condifendteu.sbs
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Cookie: __cf_mw_byp=vKrz3Hq72H1UNZmiSDnI_ARtZuyd8ck1abtebasc0mE-1728813636-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 77 | Host: sergei-esenin.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: eContent-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=d8a5315e6278e0fd2506466e; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34837Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 13 Oct 2024 10:00:35 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: proclaimykn.buzz
Source: global traffic DNS traffic detected: DNS query: mathcucom.sbs
Source: global traffic DNS traffic detected: DNS query: allocatinow.sbs
Source: global traffic DNS traffic detected: DNS query: enlargkiw.sbs
Source: global traffic DNS traffic detected: DNS query: resinedyw.sbs
Source: global traffic DNS traffic detected: DNS query: vennurviot.sbs
Source: global traffic DNS traffic detected: DNS query: ehticsprocw.sbs
Source: global traffic DNS traffic detected: DNS query: condifendteu.sbs
Source: global traffic DNS traffic detected: DNS query: drawwyobstacw.sbs
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: proclaimykn.buzz
Source: Setup.exe String found in binary or memory: http://.css
Source: Setup.exe String found in binary or memory: http://.jpg
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: Setup.exe String found in binary or memory: http://html4/loose.dtd
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 00000001.00000003.1944436767.00000000005E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/
Source: BitLockerToGo.exe, 00000001.00000003.1944436767.00000000005E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/api
Source: BitLockerToGo.exe, 00000001.00000003.1944436767.00000000005E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/apis
Source: BitLockerToGo.exe, 00000001.00000003.1944436767.00000000005E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/pi
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/f
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/puN
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=englishc
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javY
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xT%
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/im
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.co
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: BitLockerToGo.exe, 00000001.00000003.1944436767.000000000062C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/
Source: BitLockerToGo.exe, 00000001.00000003.1944436767.00000000005E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/api
Source: BitLockerToGo.exe, 00000001.00000003.1944436767.000000000062C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/k
Source: BitLockerToGo.exe, 00000001.00000003.1944436767.000000000062C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/l
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: BitLockerToGo.exe, 00000001.00000003.1964000369.000000000062C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs/
Source: BitLockerToGo.exe, 00000001.00000003.1964000369.00000000005FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs/apii
Source: BitLockerToGo.exe, 00000001.00000003.1964000369.000000000062C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs/k
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/U
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiS
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apie
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/r
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/api
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F765611997
Source: BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steamp
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampo
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009829565.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.0000000000656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/st
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000001.00000003.2016662857.000000000064E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016710572.0000000000649000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016726223.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000001.00000003.2016662857.000000000064E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-manag
Source: BitLockerToGo.exe, 00000001.00000003.2016662857.000000000064E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-manag-s
Source: BitLockerToGo.exe, 00000001.00000003.2016662857.000000000064E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.0000000000659000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.2016662857.0000000000661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: BitLockerToGo.exe, 00000001.00000003.2009765757.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.249:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.77.78:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00436E30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 1_2_00436E30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00436FC0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 1_2_00436FC0

System Summary

Source: 00000000.00000002.1919656324.0000000003CD6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043C27A 1_2_0043C27A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040F340 1_2_0040F340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00410CE0 1_2_00410CE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00423050 1_2_00423050
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00427064 1_2_00427064
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00401000 1_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042C000 1_2_0042C000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040B010 1_2_0040B010
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00441010 1_2_00441010
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00446030 1_2_00446030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00430170 1_2_00430170
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042E108 1_2_0042E108
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00445190 1_2_00445190
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043A24C 1_2_0043A24C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042B2D0 1_2_0042B2D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040135C 1_2_0040135C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00430300 1_2_00430300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00401311 1_2_00401311
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00446310 1_2_00446310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041E330 1_2_0041E330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040D3D0 1_2_0040D3D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004433BA 1_2_004433BA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041D440 1_2_0041D440
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041243E 1_2_0041243E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004014C0 1_2_004014C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040A4F0 1_2_0040A4F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004444A0 1_2_004444A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042E4B2 1_2_0042E4B2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004165C2 1_2_004165C2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043B5A0 1_2_0043B5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00403660 1_2_00403660
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00446600 1_2_00446600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00440680 1_2_00440680
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004256A6 1_2_004256A6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004116B1 1_2_004116B1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004096BA 1_2_004096BA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041E760 1_2_0041E760
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004077C0 1_2_004077C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040D7A0 1_2_0040D7A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00420870 1_2_00420870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043B800 1_2_0043B800
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00413896 1_2_00413896
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00414959 1_2_00414959
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00446920 1_2_00446920
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0044392C 1_2_0044392C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00423930 1_2_00423930
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043A9AD 1_2_0043A9AD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042BA60 1_2_0042BA60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00406A00 1_2_00406A00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00444A30 1_2_00444A30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042DAC2 1_2_0042DAC2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00413AD0 1_2_00413AD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042FB40 1_2_0042FB40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00444B60 1_2_00444B60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00416B1F 1_2_00416B1F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040BB20 1_2_0040BB20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042EB30 1_2_0042EB30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00429B31 1_2_00429B31
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00421BC0 1_2_00421BC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040AB80 1_2_0040AB80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00410B80 1_2_00410B80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00414B82 1_2_00414B82
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040DC20 1_2_0040DC20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041CC89 1_2_0041CC89
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00444D00 1_2_00444D00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00404D10 1_2_00404D10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00418D10 1_2_00418D10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00444DE0 1_2_00444DE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040EDF0 1_2_0040EDF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00406DA0 1_2_00406DA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042DDA0 1_2_0042DDA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00427E5D 1_2_00427E5D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042CE10 1_2_0042CE10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043FEC0 1_2_0043FEC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00444EB0 1_2_00444EB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00434F40 1_2_00434F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040DF6A 1_2_0040DF6A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00443FE0 1_2_00443FE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00409F80 1_2_00409F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00423FA0 1_2_00423FA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0040DE40 appears 187 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0040C660 appears 57 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1648
Source: Setup.exe, 00000000.00000002.1918803772.00000000038B6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs Setup.exe
Source: Setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.1919656324.0000000003CD6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/0@11/9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043C0AC CoCreateInstance, 1_2_0043C0AC
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ab153e92-85ab-4968-9838-9558fcb1e72f
Source: Setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Setup.exe Virustotal: Detection: 19%
Source: Setup.exe String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine <no value>value for arg %d: %w(BADINDEX)%!(NOVERB)complex128t.Kind == 12207031256103515625ParseFloatINT2VECTOR_OIDVECTOR_TINTERVAL_TIMESTAMP_REFCURSORANYELEMENT_GTSVECTOR_REGCONFIG_INT4RANGE_TSTZRANGE_DATERANGE_INT8RANGEmyhostname.localhostunixpacketwsarecvmsgwsasendmsgIP address netGo = ChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtra,c=biws,r=res binderres masterresumptionexp masterSHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1execerrdotSYSTEMROOTBackupReadConnectionKeep-Alivelocal-addrimage/webpimage/jpegRST_STREAMEND_STREAMSet-Cookie; Expires=; Max-Age=; HttpOnly stream=%d:authorityset-cookiekeep-aliveconnectionequivalentHost: %s
Source: Setup.exe String found in binary or memory: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=RegSetValueExWlen of type %s.WithoutCancel.WithDeadline(Read Committedunsafe.Pointer on zero Valuereflect.Value.unknown methodinvalid syntax1907348632812595367431640625PG_DDL_COMMAND_TXID_SNAPSHOT_REGDICTIONARYunexpected EOFinternal error.in-addr.arpa.unknown mode: \.+*?()|[]{}^$bad record MACboringcrypto:
Source: Setup.exe String found in binary or memory: gogoproto.unsafe_unmarshaler_allgogoproto.goproto_extensions_mapvarint,64028,opt,name=protosizervarint,65012,opt,name=wktpointersha3: write to sponge after readgoogle.protobuf.EnumValueOptions&descriptor.FileDescriptorProto{&descriptor.EnumDescriptorProto{&descriptor.UninterpretedOption{SigEd25519 no Ed25519 collisionsblake2b: write to XOF after readblake2s: write to XOF after readinvalid_indicator_parameter_valueinvalid_row_count_in_limit_clausenull_value_no_indicator_parametersequence_generator_limit_exceededbranch_transaction_already_activefdw_invalid_data_type_descriptorsmissing character after backslashfailed to get Kerberos ticket: %qunexpected DataRow after error %s ISOLATION LEVEL READ UNCOMMITTEDunknown response for CopyFail: %qcouldn't parse pem in sslrootcertapplication/x-www-form-urlencoded/memory/classes/heap/unused:bytesmaximum of %d attributes exceededrelease of handle with refcount 0crypto/aes: output not full blockbytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whencetoo many levels of symbolic linksInitializeProcThreadAttributeListImage base beyond allowed addressThunk AddressOfData beyond limitsCentral Kurdish Iraq (ku-Arab-IQ)Norwegian (Bokmal) Norway (nb-NO)could not find signer certificateinvalid VS_VERSION_INFO block. 
%ssync: RUnlock of unlocked RWMutexslice bounds out of range [%x:%y]runtime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangeincompatible types for comparisoncannot index slice/array with nilsql: connection is already closedreflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length 142108547152020037174224853515625710542735760100185871124267578125go package net: confVal.netCgo = tls: failed to write to key log: tls: invalid server finished hashtls: unexpected ServerKeyExchangetls: unknown public key algorithmx509: invalid RSA public exponentx509: SAN rfc822Name is malformedx509: invalid extended key usagesunsupported compression format %sError: Logrus exit handler error:pseudo header field after regularhttp: invalid Read on closed Bodynet/http: skip alternate protocolhttp: CloseIdleConnections calledinvalid header field value for %qpad size
Source: Setup.exe String found in binary or memory: net/addrselect.go
Source: Setup.exe String found in binary or memory: google.golang.org/grpc@v1.65.0/internal/balancerload/load.go
Source: Setup.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: Setup.exe String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\user\Desktop\Setup.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1648
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: Setup.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Setup.exe Static file information: File size 19250176 > 1048576
Source: Setup.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x8af000
Source: Setup.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x890a00
Source: Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: Setup.exe, 00000000.00000002.1918803772.00000000038B6000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: Setup.exe, 00000000.00000002.1918803772.00000000038B6000.00000004.00001000.00020000.00000000.sdmp
Source: Setup.exe Static PE information: section name: .symtab
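The static PE lines above (oversized .text and .rdata, a non-standard .symtab section, and the DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE flags) can be reproduced with a small header walk. The script below is an added example, not code from the report or from the sandbox vendor; it uses only the Python standard library. The PE it parses is a header-only PE32 constructed in memory with the section sizes and flags the report lists (section virtual sizes, addresses and characteristics are assumed values), not the sample itself; the STANDARD_SECTIONS allowlist is likewise an assumption to tune per toolchain.

```python
"""Static PE header checks: DllCharacteristics flags, oversized sections, odd section names."""
import struct
from dataclasses import dataclass

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
# Section names a typical MSVC/MinGW link produces; anything else is reported (assumption: tune per toolchain).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}
SIZE_THRESHOLD = 0x100000  # 1 MiB, the threshold behind the report's "bigger than" signatures


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    characteristics: int


@dataclass
class PEInfo:
    magic: int  # 0x10b = PE32, 0x20b = PE32+
    machine: int
    dll_characteristics: int
    sections: list


def parse_pe(data: bytes) -> PEInfo:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt_off + 70)[0]
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, rsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rsize, chars))
    return PEInfo(magic, machine, dll_chars, sections)


def dll_flags(info: PEInfo) -> list:
    return [name for bit, name in DLL_CHARACTERISTICS.items() if info.dll_characteristics & bit]


def static_findings(info: PEInfo) -> list:
    """Emit the report's static PE signatures as plain strings."""
    findings = ["DllCharacteristics: " + ", ".join(dll_flags(info))]
    for s in info.sections:
        if s.virtual_size > SIZE_THRESHOLD:
            findings.append(f"Virtual size of {s.name} is bigger than: {SIZE_THRESHOLD:#x}")
        if s.raw_size > SIZE_THRESHOLD:
            findings.append(f"Raw size of {s.name} is bigger than: {SIZE_THRESHOLD:#x} < {s.raw_size:#x}")
        if s.name not in STANDARD_SECTIONS:
            findings.append(f"section name: {s.name}")
    if any(s.name == ".symtab" for s in info.sections):
        findings.append("Go linker artefact: .symtab section present")  # consistent with the Go paths in the strings
    return findings


def build_sample_pe() -> bytes:
    """Constructed header-only PE32 modelled on the report's static findings (assumed layout, no code)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew
    sections = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
        (b".text", 0x8AEF26, 0x0001000, 0x8AF000, 0x000600, 0x60000020),   # CODE | EXECUTE | READ
        (b".rdata", 0x8909E8, 0x08B0000, 0x890A00, 0x8AF600, 0x40000040),  # INITIALIZED_DATA | READ
        (b".data", 0x0A5C10, 0x1141000, 0x05A000, 0x1140000, 0xC0000040),  # INITIALIZED_DATA | READ | WRITE
        (b".symtab", 0x000004, 0x11E7000, 0x000200, 0x119A000, 0x42000040),  # INITIALIZED_DATA | DISCARDABLE | READ
    ]
    opt = bytearray(0xE0)  # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x8000)  # DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)  # I386, EXECUTABLE | 32BIT
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch) for n, vs, va, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    for line in static_findings(parse_pe(build_sample_pe())):
        print(line)
```

Point `parse_pe` at `open(path, "rb").read()` to run the same checks on a real file; the 1 MiB threshold is only a heuristic, since large statically linked Go binaries such as this one routinely exceed it, so treat the size findings as context for the other signatures rather than as a verdict on their own.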
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041A2AB push edx; iretd 1_2_0041A2AD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043FE30 push eax; mov dword ptr [esp], E0E7E6E5h 1_2_0043FE3E
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Check user administrative privileges: IsUserAnAdmin, DecisionNode
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 5016 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: BitLockerToGo.exe, 00000001.00000003.1944436767.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000001.00000002.2029983019.00000000005BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0Q_%SystemRoot%\system32\mswsock.dll
Source: Setup.exe, 00000000.00000002.1915546297.000000000061A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Setup.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004425F0 LdrInitializeThunk, 1_2_004425F0
Source: C:\Users\user\Desktop\Setup.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Setup.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: drawwyobstacw.sbs
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: condifendteu.sbs
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ehticsprocw.sbs
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: vennurviot.sbs
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: resinedyw.sbsy
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: enlargkiw.sbsy
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: allocatinow.sbs
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: mathcucom.sbsy
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: proclaimykn.buzz
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2800008 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 447000 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44A000 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 45A000 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Users\user\Desktop\Setup.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Windows VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
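The behaviour lines in this section describe a classic process-hollowing chain: Setup.exe creates BitLockerToGo.exe (a legitimate Windows binary; the signature list notes it is created suspended), allocates a page-execute-read-write region at the child's image base 0x400000, writes a buffer beginning with 4D5A (the MZ header) into it, then writes the remaining section ranges (401000, 447000, 44A000, 45A000). The same memory dump carries the decrypted C2 domains, some with a trailing stray character (resinedyw.sbsy). The script below is an added example, not code from the report or from the sandbox vendor: it correlates create + RWX allocation + MZ write per (injector, target) over the report's own text lines, and extracts the domains. The input lines are copied from this report; the TLD list used to trim the stray characters and the output format are assumptions.

```python
"""Triage sandbox behaviour lines for process hollowing and pull the C2 domains out of memory strings."""
import re

# Lines copied from this report (paths and addresses as the sandbox printed them).
REPORT_LINES = r"""
Source: unknown Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1648
Source: C:\Users\user\Desktop\Setup.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: drawwyobstacw.sbs
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: condifendteu.sbs
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ehticsprocw.sbs
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: vennurviot.sbs
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: resinedyw.sbsy
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: enlargkiw.sbsy
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: allocatinow.sbs
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: mathcucom.sbsy
Source: Setup.exe, 00000000.00000002.1918803772.0000000003892000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: proclaimykn.buzz
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2800008 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 447000 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44A000 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 45A000 Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
""".strip().splitlines()

_SRC = r"^Source: (?P<src>\S+) "
_CREATE = re.compile(_SRC + r"Process created: (?P<target>\S+) ")
_ALLOC = re.compile(_SRC + r"Memory allocated: (?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.*?)(?: Jump to behavior)?$")
_WRITE = re.compile(_SRC + r"Memory written: (?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?")
_STRING = re.compile(r"String found in binary or memory: (?P<s>\S+)$")
_KNOWN_TLDS = ("sbs", "buzz")  # assumption: the TLDs seen in this report's configuration; extend for other samples
_DOMAIN = re.compile(r"(?P<domain>[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.(?:%s))" % "|".join(_KNOWN_TLDS))


def parse_events(lines):
    """Turn the report's text into create / alloc / write events keyed by source and target process."""
    events = []
    for line in lines:
        if (m := _CREATE.match(line)):
            events.append({"kind": "create", "src": m["src"], "target": m["target"]})
        elif (m := _ALLOC.match(line)):
            events.append({"kind": "alloc", "src": m["src"], "target": m["target"],
                           "base": int(m["base"], 16), "prot": m["prot"]})
        elif (m := _WRITE.match(line)):
            events.append({"kind": "write", "src": m["src"], "target": m["target"],
                           "base": int(m["base"], 16), "magic": (m["magic"] or "").upper()})
    return events


def detect_hollowing(events):
    """Hit when one process creates a child, allocates RWX memory in it, and writes an MZ header at that base."""
    created = {(e["src"], e["target"]) for e in events if e["kind"] == "create"}
    rwx = {(e["src"], e["target"], e["base"]) for e in events
           if e["kind"] == "alloc" and "execute" in e["prot"] and "write" in e["prot"]}
    hits = []
    for e in events:
        if e["kind"] != "write" or e["magic"] != "4D5A":
            continue
        key = (e["src"], e["target"], e["base"])
        if key in rwx and key[:2] in created:
            written = sorted({w["base"] for w in events
                              if w["kind"] == "write" and (w["src"], w["target"]) == key[:2]})
            hits.append({"technique": "process hollowing / PE injection", "injector": e["src"],
                         "target": e["target"], "image_base": e["base"], "written_bases": written})
    return hits


def extract_c2_domains(lines):
    """Pull domain-looking strings out of the memory-string lines, trimming stray trailing characters."""
    found = set()
    for line in lines:
        if (m := _STRING.search(line)) and (d := _DOMAIN.search(m["s"])):
            found.add(d["domain"])
    return sorted(found)


if __name__ == "__main__":
    for hit in detect_hollowing(parse_events(REPORT_LINES)):
        print(f"{hit['technique']}: {hit['injector']} -> {hit['target']} @ {hit['image_base']:#x}")
        print("  regions written:", ", ".join(f"{b:#x}" for b in hit["written_bases"]))
    print("C2 domains:", ", ".join(extract_c2_domains(REPORT_LINES)))
```

The correlation key is (injector, target, base): an RWX allocation alone is noisy, and an MZ write alone can be a legitimate loader, but both from a parent into a child it has just created, at the child's own image base, is the hollowing pattern. The WerFault.exe creation by BitLockerToGo.exe (the crash in the report) parses as a create event but never pairs with an allocation or MZ write, so it does not fire. On a live host the same logic applies to Sysmon Event ID 8/10 or kernel ETW data rather than these text lines; the field names differ, the three-step correlation does not.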

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 0.2.Setup.exe.3e18000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup.exe.3dc2000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup.exe.3dc2000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup.exe.3e18000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1919656324.0000000003D6B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1919656324.0000000003DC2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 0.2.Setup.exe.3e18000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup.exe.3dc2000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup.exe.3dc2000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup.exe.3e18000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1919656324.0000000003E18000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2029871925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1919656324.0000000003D6B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1919656324.0000000003DC2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY