Windows Analysis Report
Google_Chrome.exe

Overview

General Information

Sample name: Google_Chrome.exe
Analysis ID: 1523595
MD5: b82c3d4143ea779b06ef4fbc965db624
SHA1: 52172ad1a88ea85f679d8bf13f2567145a64f24b
SHA256: b87ef5f2289241d1f437924bee4cccfbb16554a6a71d23f6fd930ff5c7c30dd8
Tags: exeuser-aachum
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Found malware configuration
Source: 0.2.Google_Chrome.exe.159a000.1.unpack Malware Configuration Extractor: LummaC {"C2 url": ["relaxatinownio.shop", "licenseodqwmqn.shop", "tryyudjasudqo.shop", "keennylrwmqlw.shop", "reggwardssdqw.shop", "tesecuuweqo.shop", "eemmbryequo.shop", "tendencctywop.shop"], "Build id": "05eF0T--Cpanel"}
Multi AV Scanner detection for submitted file
Source: Google_Chrome.exe ReversingLabs: Detection: 70%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: Google_Chrome.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000001.00000002.1962467736.0000000002C75000.00000002.00000400.00020000.00000000.sdmp String decryptor: tryyudjasudqo.shop
Source: 00000001.00000002.1962467736.0000000002C75000.00000002.00000400.00020000.00000000.sdmp String decryptor: eemmbryequo.shop
Source: 00000001.00000002.1962467736.0000000002C75000.00000002.00000400.00020000.00000000.sdmp String decryptor: reggwardssdqw.shop
Source: 00000001.00000002.1962467736.0000000002C75000.00000002.00000400.00020000.00000000.sdmp String decryptor: relaxatinownio.shop
Source: 00000001.00000002.1962467736.0000000002C75000.00000002.00000400.00020000.00000000.sdmp String decryptor: tesecuuweqo.shop
Source: 00000001.00000002.1962467736.0000000002C75000.00000002.00000400.00020000.00000000.sdmp String decryptor: tendencctywop.shop
Source: 00000001.00000002.1962467736.0000000002C75000.00000002.00000400.00020000.00000000.sdmp String decryptor: licenseodqwmqn.shop
Source: 00000001.00000002.1962467736.0000000002C75000.00000002.00000400.00020000.00000000.sdmp String decryptor: keennylrwmqlw.shop
Source: 00000001.00000002.1962467736.0000000002C75000.00000002.00000400.00020000.00000000.sdmp String decryptor: tendencctywop.shop
Source: 00000001.00000002.1962467736.0000000002C75000.00000002.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.1962467736.0000000002C75000.00000002.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.1962467736.0000000002C75000.00000002.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000001.00000002.1962467736.0000000002C75000.00000002.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.1962467736.0000000002C75000.00000002.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000001.00000002.1962467736.0000000002C75000.00000002.00000400.00020000.00000000.sdmp String decryptor: 05eF0T--Cpanel
Uses 32bit PE files
Source: Google_Chrome.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: Google_Chrome.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: Google_Chrome.exe, 00000000.00000002.1935422366.0000000001560000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: Google_Chrome.exe, 00000000.00000002.1935422366.0000000001560000.00000004.00001000.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [ebp-10h] 1_2_02C702B8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h 1_2_02C702B8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 1_2_02C6F9B1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, dword ptr [esi+0Ch] 1_2_02C3F140
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 1_2_02C72EC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [ecx], dx 1_2_02C6FF03
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh 1_2_02C6FF03
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [ebp-10h] 1_2_02C70477
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+48h] 1_2_02C4AAC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+14h] 1_2_02C312F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_02C54A4F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, word ptr [ecx] 1_2_02C54A4F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, word ptr [edx] 1_2_02C54A4F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 1_2_02C52200
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_02C56230
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 1_2_02C493C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 1_2_02C72380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_02C58B4F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_02C3EB20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_02C3EB20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [edi+01h], 00000000h 1_2_02C530CB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, word ptr [esi+eax] 1_2_02C4B054
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, word ptr [esi+eax] 1_2_02C4B054
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_02C4B054
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_02C4B054
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+14h] 1_2_02C42001
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+48h] 1_2_02C4A1C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+64h] 1_2_02C591C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [esi+ebp+02h], 0000h 1_2_02C5998F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edx], bl 1_2_02C3D140
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_02C53940
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then push eax 1_2_02C686C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ebx 1_2_02C3E6E5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp edx 1_2_02C6C696
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 1_2_02C736A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 1_2_02C6D630
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 1_2_02C5AFD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp+10h] 1_2_02C547E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp+10h] 1_2_02C547E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, ebp 1_2_02C39F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, ebp 1_2_02C39F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_02C587AA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 1_2_02C657B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 1_2_02C35770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 1_2_02C4FCFF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_02C52480
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ecx], al 1_2_02C4CC90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, ecx 1_2_02C4CC90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_02C6CC30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 1_2_02C6AD90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [ebp-10h] 1_2_02C70554
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [ebp-10h] 1_2_02C70554
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 625B6034h 1_2_02C70554
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [ebp-10h] 1_2_02C71D50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 1_2_02C52D6A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, eax 1_2_02C52D6A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 1_2_02C5CD06
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 1_2_02C5B510

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2055879 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eemmbryequo .shop) : 192.168.2.4:55605 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055881 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (keennylrwmqlw .shop) : 192.168.2.4:59926 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055887 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (relaxatinownio .shop) : 192.168.2.4:56888 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055895 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tryyudjasudqo .shop) : 192.168.2.4:61554 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055891 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencctywop .shop) : 192.168.2.4:60010 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055885 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reggwardssdqw .shop) : 192.168.2.4:54907 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055883 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licenseodqwmqn .shop) : 192.168.2.4:62908 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055893 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tesecuuweqo .shop) : 192.168.2.4:63406 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 172.67.209.193:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 172.67.209.193:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: relaxatinownio.shop
Source: Malware configuration extractor URLs: licenseodqwmqn.shop
Source: Malware configuration extractor URLs: tryyudjasudqo.shop
Source: Malware configuration extractor URLs: keennylrwmqlw.shop
Source: Malware configuration extractor URLs: reggwardssdqw.shop
Source: Malware configuration extractor URLs: tesecuuweqo.shop
Source: Malware configuration extractor URLs: eemmbryequo.shop
Source: Malware configuration extractor URLs: tendencctywop.shop
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: om/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-sr equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: tendencctywop.shop
Source: global traffic DNS traffic detected: DNS query: keennylrwmqlw.shop
Source: global traffic DNS traffic detected: DNS query: licenseodqwmqn.shop
Source: global traffic DNS traffic detected: DNS query: tesecuuweqo.shop
Source: global traffic DNS traffic detected: DNS query: relaxatinownio.shop
Source: global traffic DNS traffic detected: DNS query: reggwardssdqw.shop
Source: global traffic DNS traffic detected: DNS query: eemmbryequo.shop
Source: global traffic DNS traffic detected: DNS query: tryyudjasudqo.shop
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: gravvitywio.store
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gravvitywio.store
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: BitLockerToGo.exe, 00000001.00000002.1962738078.0000000002EFA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000001.00000002.1962738078.0000000002EFA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000001.00000002.1962738078.0000000002EFA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a
Source: BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.
Source: BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampow
Source: BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: BitLockerToGo.exe, 00000001.00000002.1962738078.0000000002EFA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=0qXC
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=TlXuhKjTdHfu&l=e
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/V
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/api
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store:443/api
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.st
Source: BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steamp
Source: BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized/
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 00000001.00000002.1962738078.0000000002EFA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 00000001.00000002.1962738078.0000000002EFA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptc
Source: BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: BitLockerToGo.exe, 00000001.00000003.1962305445.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949536021.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1949590183.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.4:49736 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C62D80 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 1_2_02C62D80
Contains functionality to read the clipboard data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C62D80 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 1_2_02C62D80
Contains functionality to record screenshots
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C62EF0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 1_2_02C62EF0
Detected potential crypto function
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C3F140 1_2_02C3F140
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C3F7C0 1_2_02C3F7C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C392C5 1_2_02C392C5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C312F0 1_2_02C312F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C73AF0 1_2_02C73AF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C3BA90 1_2_02C3BA90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C54A4F 1_2_02C54A4F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C5BD10 1_2_02C5BD10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C72262 1_2_02C72262
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C40A70 1_2_02C40A70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C5E223 1_2_02C5E223
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C42A2C 1_2_02C42A2C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C40BE0 1_2_02C40BE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C72380 1_2_02C72380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C3138D 1_2_02C3138D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C36BB0 1_2_02C36BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C423B0 1_2_02C423B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C62B60 1_2_02C62B60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C44374 1_2_02C44374
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C57370 1_2_02C57370
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C67B00 1_2_02C67B00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C3EB20 1_2_02C3EB20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C71330 1_2_02C71330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C530CB 1_2_02C530CB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C71840 1_2_02C71840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C4B054 1_2_02C4B054
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C4E070 1_2_02C4E070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C31000 1_2_02C31000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C40000 1_2_02C40000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C42001 1_2_02C42001
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C4A1C0 1_2_02C4A1C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C37980 1_2_02C37980
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C55198 1_2_02C55198
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C599B5 1_2_02C599B5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C53940 1_2_02C53940
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C68965 1_2_02C68965
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C39909 1_2_02C39909
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C74110 1_2_02C74110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C3913D 1_2_02C3913D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C34EC0 1_2_02C34EC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C726B0 1_2_02C726B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C53640 1_2_02C53640
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C57640 1_2_02C57640
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C58E63 1_2_02C58E63
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C53624 1_2_02C53624
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C6D630 1_2_02C6D630
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C3D7D0 1_2_02C3D7D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C3FFDE 1_2_02C3FFDE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C737E0 1_2_02C737E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C70FE0 1_2_02C70FE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C3AF80 1_2_02C3AF80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C39F80 1_2_02C39F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C33790 1_2_02C33790
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C5C752 1_2_02C5C752
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C70750 1_2_02C70750
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C36F70 1_2_02C36F70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C56F10 1_2_02C56F10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C52480 1_2_02C52480
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C4CC90 1_2_02C4CC90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C3A4A0 1_2_02C3A4A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C58C5E 1_2_02C58C5E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C42C3C 1_2_02C42C3C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C73DE0 1_2_02C73DE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C565A2 1_2_02C565A2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C71D50 1_2_02C71D50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C52D6A 1_2_02C52D6A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C5CD06 1_2_02C5CD06
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C5BD10 1_2_02C5BD10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C49D22 1_2_02C49D22
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C43D23 1_2_02C43D23
Found potential string decryption / allocating functions
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02C3C590 appears 47 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02C3DF50 appears 178 times
Sample file is different than original file name gathered from version info
Source: Google_Chrome.exe, 00000000.00000002.1934375018.0000000000D89000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameGoogle Chrome.exe DVarFileInfo$ vs Google_Chrome.exe
Source: Google_Chrome.exe, 00000000.00000002.1935422366.0000000001560000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs Google_Chrome.exe
Source: Google_Chrome.exe Binary or memory string: OriginalFilenameGoogle Chrome.exe DVarFileInfo$ vs Google_Chrome.exe
Uses 32bit PE files
Source: Google_Chrome.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/0@10/2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C60AC0 CoCreateInstance, 1_2_02C60AC0
Source: Google_Chrome.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Google_Chrome.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Google_Chrome.exe ReversingLabs: Detection: 70%
Source: Google_Chrome.exe String found in binary or memory: net/addrselect.go
Source: Google_Chrome.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: unknown Process created: C:\Users\user\Desktop\Google_Chrome.exe "C:\Users\user\Desktop\Google_Chrome.exe"
Source: C:\Users\user\Desktop\Google_Chrome.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\Google_Chrome.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Source: C:\Users\user\Desktop\Google_Chrome.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\Google_Chrome.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\Google_Chrome.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll Jump to behavior
Source: Google_Chrome.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Google_Chrome.exe Static file information: File size 4921344 > 1048576
Source: Google_Chrome.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x221c00
Source: Google_Chrome.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x24ec00
Source: Google_Chrome.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: Google_Chrome.exe, 00000000.00000002.1935422366.0000000001560000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: Google_Chrome.exe, 00000000.00000002.1935422366.0000000001560000.00000004.00001000.00020000.00000000.sdmp
PE file contains sections with non-standard names
Source: Google_Chrome.exe Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\Google_Chrome.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6836 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E48000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpZ
Source: Google_Chrome.exe, 00000000.00000002.1934429611.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: BitLockerToGo.exe, 00000001.00000002.1962601858.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW"
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02C6F5F0 LdrInitializeThunk, 1_2_02C6F5F0

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Google_Chrome.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C30000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Google_Chrome.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C30000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: Google_Chrome.exe, 00000000.00000002.1934798769.00000000014D6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: tryyudjasudqo.shop
Source: Google_Chrome.exe, 00000000.00000002.1934798769.00000000014D6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: eemmbryequo.shop
Source: Google_Chrome.exe, 00000000.00000002.1934798769.00000000014D6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: reggwardssdqw.shop
Source: Google_Chrome.exe, 00000000.00000002.1934798769.00000000014D6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: relaxatinownio.shop
Source: Google_Chrome.exe, 00000000.00000002.1934798769.00000000014D6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: tesecuuweqo.shop
Source: Google_Chrome.exe, 00000000.00000002.1934798769.00000000014D6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: tendencctywop.shop
Source: Google_Chrome.exe, 00000000.00000002.1934798769.00000000014D6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: licenseodqwmqn.shop
Source: Google_Chrome.exe, 00000000.00000002.1934798769.00000000014D6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: keennylrwmqlw.shop
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Google_Chrome.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A5B008 Jump to behavior
Source: C:\Users\user\Desktop\Google_Chrome.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C30000 Jump to behavior
Source: C:\Users\user\Desktop\Google_Chrome.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C31000 Jump to behavior
Source: C:\Users\user\Desktop\Google_Chrome.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C75000 Jump to behavior
Source: C:\Users\user\Desktop\Google_Chrome.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C78000 Jump to behavior
Source: C:\Users\user\Desktop\Google_Chrome.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C88000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Google_Chrome.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Google_Chrome.exe Queries volume information: C:\Windows VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Google_Chrome.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Google_Chrome.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Google_Chrome.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1523595 Sample: Google_Chrome.exe Startdate: 01/10/2024 Architecture: WINDOWS Score: 100 13 tryyudjasudqo.shop 2->13 15 tesecuuweqo.shop 2->15 17 8 other IPs or domains 2->17 23 Suricata IDS alerts for network traffic 2->23 25 Found malware configuration 2->25 27 Antivirus detection for URL or domain 2->27 29 6 other signatures 2->29 7 Google_Chrome.exe 2->7         started        signatures3 process4 signatures5 31 Writes to foreign memory regions 7->31 33 Allocates memory in foreign processes 7->33 35 Injects a PE file into a foreign processes 7->35 37 LummaC encrypted strings found 7->37 10 BitLockerToGo.exe 7->10         started        process6 dnsIp7 19 gravvitywio.store 172.67.209.193, 443, 49736 CLOUDFLARENETUS United States 10->19 21 steamcommunity.com 104.102.49.254, 443, 49733 AKAMAI-ASUS United States 10->21
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS false
172.67.209.193
 gravvitywio.store United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
steamcommunity.com 104.102.49.254 true
gravvitywio.store 172.67.209.193 true
tryyudjasudqo.shop unknown unknown
keennylrwmqlw.shop unknown unknown
reggwardssdqw.shop unknown unknown
tesecuuweqo.shop unknown unknown
tendencctywop.shop unknown unknown
eemmbryequo.shop unknown unknown
licenseodqwmqn.shop unknown unknown
relaxatinownio.shop unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
relaxatinownio.shop true
    		unknown
    keennylrwmqlw.shop true
      		unknown
      tendencctywop.shop true
        		unknown
        tryyudjasudqo.shop true
          		unknown
          https://steamcommunity.com/profiles/76561199724331900 true
          • URL Reputation: malware
          		 unknown
          tesecuuweqo.shop true
            		unknown
            eemmbryequo.shop true
              		unknown
              reggwardssdqw.shop true
                		unknown
                licenseodqwmqn.shop true
                  		unknown
                  https://gravvitywio.store/api true
                    		unknown