Windows Analysis Report
BW4pTs1x3V.exe

Overview

General Information

Sample name: BW4pTs1x3V.exe
renamed because original name is a hash value
Original sample name: 2fad7f1752f7c3f57c038bf09359093471523172c08572117eaba2556e859509.exe
Analysis ID: 1524036
MD5: 3677ebc159e92251f19020e9ab4b62ad
SHA1: 561483bb3f3ae9d384d21670f184a7c3fc9cf9c5
SHA256: 2fad7f1752f7c3f57c038bf09359093471523172c08572117eaba2556e859509
Tags: exe, GuizhouSixuandaTechnologyCoLtd, user-JAMESWT_MHT

Detection

LummaC, Go Injector, LummaC Stealer
Score: 93
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Go Injector
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: 3.2.BitLockerToGo.exe.2cd0000.0.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["fragnantbui.shop", "gutterydhowi.shop", "vozmeatillu.shop", "dividenntykw.shop", "drawzhotdog.shop", "offensivedzvju.shop", "reinforcenh.shop", "stogeneratmns.shop", "ghostreedmnu.shop"], "Build id": "c2CoW0--advert22"}
Source: BW4pTs1x3V.exe ReversingLabs: Detection: 60%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.3% probability
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp String decryptor: reinforcenh.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp String decryptor: stogeneratmns.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp String decryptor: fragnantbui.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp String decryptor: drawzhotdog.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp String decryptor: vozmeatillu.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp String decryptor: offensivedzvju.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp String decryptor: ghostreedmnu.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp String decryptor: gutterydhowi.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp String decryptor: dividenntykw.shop
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000003.00000002.1919231002.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp String decryptor: c2CoW0--advert22
Source: BW4pTs1x3V.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 172.67.188.210:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: BW4pTs1x3V.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C000760000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C00079A000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000003.1875683062.0000023FE0C20000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000002.1886207178.000000C00080E000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C000760000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C00079A000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000003.1875683062.0000023FE0C20000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000002.1886207178.000000C00080E000.00000004.00001000.00020000.00000000.sdmp

Networking

Source: Network traffic Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.8:60353 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.8:59623 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.8:59759 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.8:57693 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.8:63806 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.8:49364 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.8:64498 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.8:54180 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49718 -> 172.67.209.193:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49716 -> 172.67.188.210:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49718 -> 172.67.209.193:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49716 -> 172.67.188.210:443
Source: Malware configuration extractor URLs: fragnantbui.shop
Source: Malware configuration extractor URLs: gutterydhowi.shop
Source: Malware configuration extractor URLs: vozmeatillu.shop
Source: Malware configuration extractor URLs: dividenntykw.shop
Source: Malware configuration extractor URLs: drawzhotdog.shop
Source: Malware configuration extractor URLs: offensivedzvju.shop
Source: Malware configuration extractor URLs: reinforcenh.shop
Source: Malware configuration extractor URLs: stogeneratmns.shop
Source: Malware configuration extractor URLs: ghostreedmnu.shop
Source: Joe Sandbox View IP Address: 104.102.49.254
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: dividenntykw.shop
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gravvitywio.store
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: dividenntykw.shop
Source: global traffic DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: gravvitywio.store
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: dividenntykw.shop
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: BW4pTs1x3V.exe String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: BW4pTs1x3V.exe String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: BW4pTs1x3V.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: BW4pTs1x3V.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: BW4pTs1x3V.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: BW4pTs1x3V.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: BW4pTs1x3V.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: BW4pTs1x3V.exe String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: BW4pTs1x3V.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: BW4pTs1x3V.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: BW4pTs1x3V.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: BW4pTs1x3V.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstaticr
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/banners/
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/channel-icons/
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/guilds/
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/icons/
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/role-icons/
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/splashes/
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZK
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&l=e
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: BW4pTs1x3V.exe String found in binary or memory: https://discord.com/MESSAGE_REACTION_ADDTHREAD_MEMBER_UPDATEunmarshall
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C0000A2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9//sticker-packs
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9//voice/
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9//voice/regions
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C0000A2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/09Az~~
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/applications
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/channels/
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/gateway
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/gateway/bot
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/guilds
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/guilds/
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/guilds/https://discord.com/api/v9/channels/https://discord.com/api/v9/use
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/oauth2/
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/oauth2/applications
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/stage-instances
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/stickers/
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C000096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/webhooks/
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dividenntykw.shop/api
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dividenntykw.shop/t
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drawzhotdog.shop/api
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/api
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store:443/apifiles/76561199724331900
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://offensivedzvju.shop/
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://offensivedzvju.shop/apiC
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reinforcenh.shop/apii
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C0000E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://status.discord.com/api/v2/scheduled-maintenances/active.json
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C0000E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://status.discord.com/api/v2/scheduled-maintenances/active.jsonhttps://status.discord.com/api/v
Source: BW4pTs1x3V.exe, 00000000.00000002.1878415908.000000C0000E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://status.discord.com/api/v2/scheduled-maintenances/upcoming.json
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/A
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vozmeatillu.shop/apix
Source: BW4pTs1x3V.exe String found in binary or memory: https://www.certum.pl/CPS0
Source: BW4pTs1x3V.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: BitLockerToGo.exe, 00000003.00000003.1919145050.0000000003077000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1905526409.000000000306A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: BitLockerToGo.exe, 00000003.00000003.1905526409.0000000003063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown HTTPS traffic detected: 172.67.188.210:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D07C60 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_02D07C60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D07DE0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 3_2_02D07DE0
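The two "Code function" records above are the raw evidence behind the clipboard-read and screenshot findings: the sandbox disassembles a function in the injected BitLockerToGo.exe image and lists the Win32 imports it calls, in order. The following script is an added example (not part of the Joe Sandbox report and not the vendor's rule set) that turns such records into capability tags by checking for an ordered API subsequence; the signature table, the regular expression and the third, benign control record are this example's own constructions.

```python
"""Capability tagging of sandbox 'Code function' records by Win32 API chain.

Added example, not part of the Joe Sandbox report. The signature table is
illustrative: each capability is an ordered subsequence of API names that must
all appear in the function's call list (other calls may be interleaved).
"""
import re

# Constructed input: copies of the two report records plus one benign control
# record (GetDC/ReleaseDC alone is not a screen capture).
REPORT_LINES = [
    "Source: C:\\Windows\\BitLockerDiscoveryVolumeContents\\BitLockerToGo.exe Code function: "
    "3_2_02D07C60 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,"
    "CloseClipboard, 3_2_02D07C60",
    "Source: C:\\Windows\\BitLockerDiscoveryVolumeContents\\BitLockerToGo.exe Code function: "
    "3_2_02D07DE0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,"
    "GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, "
    "3_2_02D07DE0",
    "Source: C:\\x\\y.exe Code function: 1_2_00401000 GetDC,ReleaseDC, 1_2_00401000",
]

# Ordered API chains (hypothetical rule set). Order matters: a BitBlt before the
# compatible DC/bitmap exist is not a capture of the screen into a buffer.
SIGNATURES = {
    "clipboard_read": ["OpenClipboard", "GetClipboardData", "GlobalLock", "CloseClipboard"],
    "screen_capture": ["GetDC", "CreateCompatibleDC", "CreateCompatibleBitmap",
                       "SelectObject", "BitBlt"],
}

# '<pid>_<phase>_<addr> api,api,..., <same id>' as emitted in the report.
RECORD_RE = re.compile(
    r"Code function: (?P<fn>\d+_\d+_[0-9A-Fa-f]+) (?P<apis>[A-Za-z0-9_,]+?),? (?P=fn)"
)


def parse_record(line):
    """Return (function_id, [api, ...]) or None if the line is not a code-function record."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    apis = [a for a in m.group("apis").split(",") if a]
    return m.group("fn"), apis


def is_ordered_subsequence(needle, haystack):
    """True if every element of needle occurs in haystack in the same relative order."""
    it = iter(haystack)
    return all(any(api == want for api in it) for want in needle)


def classify(line):
    """Set of capability names whose API chain the record's call list satisfies."""
    parsed = parse_record(line)
    if parsed is None:
        return set()
    _, apis = parsed
    return {name for name, chain in SIGNATURES.items() if is_ordered_subsequence(chain, apis)}


def triage(lines):
    """Capability -> list of function ids, over a whole report excerpt."""
    hits = {}
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        fn, _ = parsed
        for cap in classify(line):
            hits.setdefault(cap, []).append(fn)
    return hits


if __name__ == "__main__":
    for cap, fns in sorted(triage(REPORT_LINES).items()):
        print(f"{cap}: {', '.join(fns)}")
```

The subsequence check is deliberately weaker than an exact match so that interleaved calls (the three GetSystemMetrics calls in 3_2_02D07DE0, the GetWindowLongW in 3_2_02D07C60) do not break the rule; tightening it to a contiguous match would miss both of the report's own records.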

System Summary

Source: 00000000.00000002.1885915924.000000C000506000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CDF950 3_2_02CDF950
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CDFFE0 3_2_02CDFFE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CD1293 3_2_02CD1293
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D18370 3_2_02D18370
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CD1000 3_2_02CD1000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CE301B 3_2_02CE301B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CDB1C0 3_2_02CDB1C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CD7150 3_2_02CD7150
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CDA110 3_2_02CDA110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CD5130 3_2_02CD5130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CDA660 3_2_02CDA660
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D077C0 3_2_02D077C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CFC75E 3_2_02CFC75E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D16720 3_2_02D16720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D184C0 3_2_02D184C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CD84F0 3_2_02CD84F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CF74AA 3_2_02CF74AA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D0E449 3_2_02D0E449
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D13430 3_2_02D13430
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CFB5B0 3_2_02CFB5B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CD3570 3_2_02CD3570
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CE0A8F 3_2_02CE0A8F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CF2AA0 3_2_02CF2AA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CF7A42 3_2_02CF7A42
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CF7A60 3_2_02CF7A60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D07A00 3_2_02D07A00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D01A32 3_2_02D01A32
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CF8BE0 3_2_02CF8BE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CD7B50 3_2_02CD7B50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CF88F0 3_2_02CF88F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D0D850 3_2_02D0D850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D17800 3_2_02D17800
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CFB9F0 3_2_02CFB9F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CE0E50 3_2_02CE0E50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CF7E26 3_2_02CF7E26
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CECFA0 3_2_02CECFA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CDBCD0 3_2_02CDBCD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D0ECB0 3_2_02D0ECB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CF7C20 3_2_02CF7C20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CFADC0 3_2_02CFADC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CFCD80 3_2_02CFCD80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CEEDAD 3_2_02CEEDAD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D19D50 3_2_02D19D50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D17D00 3_2_02D17D00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02CDAD20 3_2_02CDAD20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02CDEA20 appears 179 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02CDC7A0 appears 52 times
Source: BW4pTs1x3V.exe Static PE information: Number of sections : 12 > 10
Source: BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C000760000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs BW4pTs1x3V.exe
Source: BW4pTs1x3V.exe, 00000000.00000000.1453505977.00007FF67DB85000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameComparisonP. vs BW4pTs1x3V.exe
Source: BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C00079A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs BW4pTs1x3V.exe
Source: BW4pTs1x3V.exe, 00000000.00000003.1875683062.0000023FE0C20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs BW4pTs1x3V.exe
Source: BW4pTs1x3V.exe, 00000000.00000002.1886207178.000000C00080E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs BW4pTs1x3V.exe
Source: BW4pTs1x3V.exe Binary or memory string: OriginalFilenameComparisonP. vs BW4pTs1x3V.exe
Source: 00000000.00000002.1885915924.000000C000506000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine Classification label: mal93.troj.evad.winEXE@3/0@11/3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D0739F CoCreateInstance, 3_2_02D0739F
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe File created: C:\Users\Public\Libraries\icikh.scif Jump to behavior
Source: BW4pTs1x3V.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: BW4pTs1x3V.exe ReversingLabs: Detection: 60%
Source: BW4pTs1x3V.exe String found in binary or memory: net/addrselect.go
Source: BW4pTs1x3V.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: BW4pTs1x3V.exe String found in binary or memory: OTbwLFHsAx/load.go
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe File read: C:\Users\user\Desktop\BW4pTs1x3V.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\BW4pTs1x3V.exe "C:\Users\user\Desktop\BW4pTs1x3V.exe"
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Jump to behavior
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: BW4pTs1x3V.exe Static PE information: certificate valid
Source: BW4pTs1x3V.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: BW4pTs1x3V.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: BW4pTs1x3V.exe Static file information: File size 13565176 > 1048576
Source: BW4pTs1x3V.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x53e600
Source: BW4pTs1x3V.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x6e9200
Source: BW4pTs1x3V.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C000760000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C00079A000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000003.1875683062.0000023FE0C20000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000002.1886207178.000000C00080E000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C000760000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000002.1885915924.000000C00079A000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000003.1875683062.0000023FE0C20000.00000004.00001000.00020000.00000000.sdmp, BW4pTs1x3V.exe, 00000000.00000002.1886207178.000000C00080E000.00000004.00001000.00020000.00000000.sdmp
Source: BW4pTs1x3V.exe Static PE information: section name: .xdata
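The static findings above (12 sections, a non-standard .xdata section, .text and .rdata larger than 1 MiB, image base 0x140000000, the DllCharacteristics flags) all come from the PE headers. The script below is an added example, not part of the Joe Sandbox report, that reproduces those checks in pure Python on a minimal PE32+ header set it builds in memory. The section list used to build that image is constructed for illustration: only the names .text, .rdata and .xdata and the raw sizes 0x53e600 and 0x6e9200 come from the report; the other nine names, all virtual sizes and the section characteristics are assumptions.

```python
"""Static PE header triage without pefile.

Added example, not part of the Joe Sandbox report. parse_pe() reads the DOS,
COFF, optional (PE32+ only) and section headers; triage() raises the same kind
of findings the report lists. build_pe32plus() makes a header-only test image.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DLL_FLAGS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".pdata", ".rsrc", ".reloc", ".tls", ".debug", ".CRT"}
ONE_MIB = 0x100000

# Constructed section table: (name, VirtualSize, SizeOfRawData, Characteristics).
# Names .text/.rdata/.xdata and the two raw sizes are from the report; the rest is filler.
SAMPLE_SECTIONS = [
    (".text",   0x53e5a0, 0x53e600, 0x60000020),
    (".data",   0x20000,  0x20000,  0xC0000040),
    (".rdata",  0x6e9100, 0x6e9200, 0x40000040),
    (".pdata",  0x30000,  0x30000,  0x40000040),
    (".xdata",  0x28000,  0x28000,  0x40000040),
    (".bss",    0x40000,  0,        0xC0000080),
    (".idata",  0x1000,   0x1000,   0xC0000040),
    (".CRT",    0x200,    0x200,    0xC0000040),
    (".tls",    0x200,    0x200,    0xC0000040),
    (".reloc",  0x20000,  0x20000,  0x42000040),
    (".symtab", 0x1000,   0x1000,   0x40000040),
    (".rsrc",   0x2000,   0x2000,   0x40000040),
]


def build_pe32plus(sections, image_base=0x140000000, dll_chars=0x8160):
    """Construct a header-only PE32+ image (no code) with the given section table."""
    opt_size = 240                      # PE32+ optional header incl. 16 data directories
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize,
                    0x1000 * (i + 1), rawsize, 0, 0, 0, 0, 0, chars)
        for i, (name, vsize, rawsize, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(blob):
    """Parse headers and section table; raises on anything that is not PE32+."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe_off + 4)
    opt = pe_off + 24
    if struct.unpack_from("<H", blob, opt)[0] != 0x20B:
        raise ValueError("only PE32+ handled here")
    image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", blob, opt + 70)[0]
    sections = []
    sec_off = opt + opt_size
    for i in range(nsections):
        hdr = sec_off + i * 40
        name, vsize, _vaddr, rawsize, _rawptr = struct.unpack_from("<8sIIII", blob, hdr)
        sec_chars = struct.unpack_from("<I", blob, hdr + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "characteristics": sec_chars})
    return {"machine": machine, "image_base": image_base,
            "dll_characteristics": dll_chars, "sections": sections}


def triage(info):
    """Findings in the report's own wording, derived from the parsed headers."""
    findings = []
    secs = info["sections"]
    if len(secs) > 10:
        findings.append(f"Number of sections : {len(secs)} > 10")
    for s in secs:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"section name: {s['name']}")
        if s["virtual_size"] > ONE_MIB:
            findings.append(f"Virtual size of {s['name']} is bigger than: {ONE_MIB:#x}")
        if s["raw_size"] > ONE_MIB:
            findings.append(f"Raw size of {s['name']} is bigger than: {ONE_MIB:#x} < {s['raw_size']:#x}")
    if info["image_base"] > 0x60000000:
        findings.append(f"Image base {info['image_base']:#x} > 0x60000000")
    flags = [n for bit, n in sorted(DLL_FLAGS.items()) if info["dll_characteristics"] & bit]
    findings.append(", ".join(flags))
    return findings


if __name__ == "__main__":
    for line in triage(parse_pe(build_pe32plus(SAMPLE_SECTIONS))):
        print(line)
```

The high image base and the HIGH_ENTROPY_VA/DYNAMIC_BASE flags are normal for any modern 64-bit linker output and are not by themselves suspicious; the section count and the gcc-style .xdata/.pdata pair are what points at a MinGW/Go toolchain rather than MSVC, which is consistent with the Go source paths and the saferwall/pe package strings the report lists.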
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D2020F pushad ; iretd 3_2_02D20212
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D2022F pushad ; iretd 3_2_02D20232
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D200FB pushad ; iretd 3_2_02D200FE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D20093 push edx; iretd 3_2_02D20096
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D20097 push edi; iretd 3_2_02D2009E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D20087 push eax; iretd 3_2_02D2008E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D2008F push ecx; iretd 3_2_02D20092
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D200AB pushad ; iretd 3_2_02D200AE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D20073 push edx; iretd 3_2_02D20076
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D20077 push edx; iretd 3_2_02D2007A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D2006F push ecx; iretd 3_2_02D20072
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D20193 push ecx; iretd 3_2_02D20196
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D20197 push eax; iretd 3_2_02D2019A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D2019B push edi; iretd 3_2_02D201A2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D20183 push edx; iretd 3_2_02D20186
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D201BF pushad ; iretd 3_2_02D201C2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D20177 push ecx; iretd 3_2_02D2017E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D2017F push ecx; iretd 3_2_02D20182
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D2016F pushad ; iretd 3_2_02D20172
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D20133 push edi; iretd 3_2_02D2013A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D206DF pushfd ; iretd 3_2_02D206E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D2253B push cs; retf 3_2_02D2254A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D228B3 push ss; ret 3_2_02D22921
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3836 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FB7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1919363616.0000000002FF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BW4pTs1x3V.exe, 00000000.00000002.1886477830.0000023FBB607000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_02D15AD0 LdrInitializeThunk, 3_2_02D15AD0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CD0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CD0000 value starts with: 4D5A Jump to behavior
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: reinforcenh.shop
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stogeneratmns.shop
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fragnantbui.shop
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: drawzhotdog.shop
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: vozmeatillu.shop
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: offensivedzvju.shop
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ghostreedmnu.shop
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: gutterydhowi.shop
Source: BW4pTs1x3V.exe, 00000000.00000003.1848932922.0000023FE0C80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: dividenntykw.shop
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CD0000 Jump to behavior
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: A2C008 Jump to behavior
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Jump to behavior
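Read together, the records above describe one injection chain: BW4pTs1x3V.exe starts the legitimate BitLockerToGo.exe, allocates an execute/read/write region in it at base 0x2CD0000, writes a buffer beginning with the MZ magic (4D5A) there, and makes a second, small write at 0xA2C008 outside that region. The script below is an added example, not part of the Joe Sandbox report, that correlates such behaviour records per (injector, target) pair and tags the pair the way the report's foreign-memory and PE-injection findings stack up. The input is a copy of the report's lines plus one constructed control record; the tag names are this example's own, and the interpretation of the 0xA2C008 write as context or PEB patching is an assumption the report does not state.

```python
"""Cross-process injection triage over sandbox behaviour records.

Added example, not part of the Joe Sandbox report. Each record is parsed into
(source, kind, target, base, protect, magic); events are grouped per
(injector, target) pair and tagged when an RWX allocation in the target is
followed by a write of a buffer starting with 4D5A at that base.
"""
import re
from collections import defaultdict

# Copies of the report's records (the trailing 'Jump to behavior' link text is
# stripped during parsing) plus a constructed self-write control record.
RECORDS = [
    r"Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CD0000 protect: page execute and read and write Jump to behavior",
    r"Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CD0000 value starts with: 4D5A Jump to behavior",
    r"Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2CD0000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: A2C008 Jump to behavior",
    r"Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Jump to behavior",
    r"Source: C:\x\self.exe Memory written: C:\x\self.exe base: 401000 value starts with: 4D5A",
]

# Paths in these records contain no spaces; a real parser would need quoting rules.
KIND_RE = re.compile(
    r"^Source: (?P<src>\S+) (?P<kind>Process created|Memory allocated|Memory written): (?P<rest>.*)$"
)


def parse_event(line):
    """Return a dict for the three record kinds handled here, else None."""
    m = KIND_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").replace(" Jump to behavior", "")
    base = re.search(r"\bbase: ([0-9A-Fa-f]+)", rest)
    protect = re.search(r"\bprotect: (.+?)(?= value starts with:|$)", rest)
    magic = re.search(r"\bvalue starts with: ([0-9A-Fa-f]+)", rest)
    return {
        "source": m.group("src"),
        "kind": m.group("kind"),
        "target": rest.split()[0],
        "base": int(base.group(1), 16) if base else None,
        "protect": protect.group(1) if protect else None,
        "magic": magic.group(1).upper() if magic else None,
    }


def correlate(lines):
    """Group cross-process events by (injector, target) and track the injection state."""
    chains = defaultdict(lambda: {"created": False, "rwx_regions": set(),
                                  "writes": [], "pe_written_at": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["source"] == ev["target"]:
            continue                              # only foreign-process activity counts
        c = chains[(ev["source"], ev["target"])]
        if ev["kind"] == "Process created":
            c["created"] = True
        elif ev["kind"] == "Memory allocated":
            p = ev["protect"] or ""
            if "execute" in p and "write" in p:
                c["rwx_regions"].add(ev["base"])
        elif ev["kind"] == "Memory written":
            c["writes"].append(ev["base"])
            # The report only gives region bases, so equality is enough here; live
            # telemetry would need a range check against the allocation size.
            if ev["magic"] == "4D5A" and ev["base"] in c["rwx_regions"]:
                c["pe_written_at"].add(ev["base"])
    return chains


def findings(chains):
    """One finding per pair, with tags in escalating order."""
    out = []
    for (src, dst), c in chains.items():
        tags = []
        if c["rwx_regions"]:
            tags.append("foreign_rwx_alloc")
        if c["writes"]:
            tags.append("foreign_write")
        if c["pe_written_at"]:
            tags.append("pe_injected")
        if c["created"] and c["pe_written_at"]:
            tags.append("hollowing_candidate")    # injector spawned the target itself
        out.append({"injector": src, "target": dst, "tags": tags,
                    "pe_bases": sorted(c["pe_written_at"]),
                    "other_writes": sorted(b for b in c["writes"] if b not in c["pe_written_at"])})
    return out


if __name__ == "__main__":
    for f in findings(correlate(RECORDS)):
        print(f)
```

The "other_writes" field is the part worth a second look during triage: a small write outside the injected image, as at 0xA2C008 here, is where a hollowing loader would typically patch the new process's context or PEB before resuming it, but the report does not say what that address holds, so the script only surfaces it rather than naming it.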
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Queries volume information: C:\Users\user\Desktop\BW4pTs1x3V.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Queries volume information: C:\Windows VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BW4pTs1x3V.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: BW4pTs1x3V.exe, type: SAMPLE
Source: Yara match File source: 0.0.BW4pTs1x3V.exe.7ff67ce60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BW4pTs1x3V.exe.7ff67ce60000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1887668238.00007FF67D7C0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1452154530.00007FF67D7C0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BW4pTs1x3V.exe PID: 1668, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: BW4pTs1x3V.exe, type: SAMPLE
Source: Yara match File source: 0.0.BW4pTs1x3V.exe.7ff67ce60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BW4pTs1x3V.exe.7ff67ce60000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1887668238.00007FF67D7C0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1452154530.00007FF67D7C0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BW4pTs1x3V.exe PID: 1668, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR