Windows Analysis Report
7wN7BF7WfX.exe

Overview

General Information

Sample name: 7wN7BF7WfX.exe
renamed because original name is a hash value
Original sample name: cef24501f390557eb4dd01b93d2fa273d3a0170805deaade53bc832b63adcd74.exe
Analysis ID: 1524037
MD5: a0339542baa3175d220c11a7fe75d0fc
SHA1: ea0462e2d20878937b02d9bc99c3fc6a05150fc9
SHA256: cef24501f390557eb4dd01b93d2fa273d3a0170805deaade53bc832b63adcd74
Tags: exeGuizhouSixuandaTechnologyCoLtduser-JAMESWT_MHT
Infos:

Detection

LummaC, Go Injector, LummaC Stealer
Score: 93
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Go Injector
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Found malware configuration
Source: 0.2.7wN7BF7WfX.exe.c00055a000.3.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["abortinoiwiam.shop", "surroundeocw.shop", "defenddsouneuw.shop", "pumpkinkwquo.shop", "deallyharvenw.shop", "dividenntykw.shop", "racedsuitreow.shop", "covvercilverow.shop", "priooozekw.shop"], "Build id": "c2CoW0--adverting2"}
Multi AV Scanner detection for submitted file
Source: 7wN7BF7WfX.exe ReversingLabs: Detection: 36%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 93.6% probability
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String decryptor: covvercilverow.shop
Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String decryptor: surroundeocw.shop
Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String decryptor: abortinoiwiam.shop
Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String decryptor: pumpkinkwquo.shop
Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String decryptor: priooozekw.shop
Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String decryptor: deallyharvenw.shop
Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String decryptor: defenddsouneuw.shop
Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String decryptor: racedsuitreow.shop
Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String decryptor: dividenntykw.shop
Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String decryptor: c2CoW0--adverting2
Source: 7wN7BF7WfX.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 104.21.8.235:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: 7wN7BF7WfX.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: 7wN7BF7WfX.exe, 00000000.00000003.1709351969.00000182F7E00000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000003.1709321267.00000182F7E40000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000002.1736916326.000000C000800000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0006A2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: 7wN7BF7WfX.exe, 00000000.00000003.1709351969.00000182F7E00000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000003.1709321267.00000182F7E40000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000002.1736916326.000000C000800000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0006A2000.00000004.00001000.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 4_2_02B48070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_02B104E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 4_2_02B47A0E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 4_2_02B478BC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 4_2_02B29298
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 4_2_02B29298
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 4_2_02B29298
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 4_2_02B4B210
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 4_2_02B45260
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 4_2_02B4826A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 4_2_02B4B3A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 4_2_02B273F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 4_2_02B1E320
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_02B34322
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ebx], al 4_2_02B34322
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_02B34322
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 4_2_02B01311
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 4_2_02B01361
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 4_2_02B01359
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_02B330F3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 4_2_02B3C0D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ebx], al 4_2_02B34024
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_02B34024
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 4_2_02B01000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 4_2_02B01000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, ebx 4_2_02B01000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 4_2_02B01000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [ecx+esi] 4_2_02B07070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_02B3314F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, dword ptr [esi+00000148h] 4_2_02B13682
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 4_2_02B13682
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_02B33609
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 4_2_02B27650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 4_2_02B27650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-18h] 4_2_02B47652
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-18h] 4_2_02B47652
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+45h] 4_2_02B087B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 4_2_02B407BC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh 4_2_02B49790
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 4_2_02B017CA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 4_2_02B48736
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 4_2_02B1B710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+00000410h] 4_2_02B20770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 4_2_02B01775
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 4_2_02B42480
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [02B535A8h] 4_2_02B30485
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebp, eax 4_2_02B0A4D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 4_2_02B015C3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah 4_2_02B4B520
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_02B2E577
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 4_2_02B01AE5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h 4_2_02B2EAE4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh 4_2_02B2CA40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 4_2_02B2CA40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 4_2_02B05BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 4_2_02B31BC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 4_2_02B01B25
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 4_2_02B04B00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh 4_2_02B44B40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 4_2_02B019C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movsx eax, byte ptr [edx+ecx] 4_2_02B0F930
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 4_2_02B13944
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 4_2_02B13944
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+68h] 4_2_02B48EF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [ebp-5Ch] 4_2_02B2EE02
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_02B2CE70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh 4_2_02B05E60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_02B34E6E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 4_2_02B30FB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 4_2_02B1FF10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_02B3314F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 4_2_02B47CB5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_02B12CB4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh 4_2_02B48C60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 4_2_02B45DB0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056070 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pumpkinkwquo .shop) : 192.168.2.7:49954 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056072 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (priooozekw .shop) : 192.168.2.7:51550 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056068 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abortinoiwiam .shop) : 192.168.2.7:57213 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056064 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surroundeocw .shop) : 192.168.2.7:64801 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056076 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (defenddsouneuw .shop) : 192.168.2.7:49618 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056078 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop) : 192.168.2.7:58273 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056074 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deallyharvenw .shop) : 192.168.2.7:55722 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056066 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covvercilverow .shop) : 192.168.2.7:56787 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49711 -> 172.67.209.193:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49711 -> 172.67.209.193:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49709 -> 104.21.8.235:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49709 -> 104.21.8.235:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: abortinoiwiam.shop
Source: Malware configuration extractor URLs: surroundeocw.shop
Source: Malware configuration extractor URLs: defenddsouneuw.shop
Source: Malware configuration extractor URLs: pumpkinkwquo.shop
Source: Malware configuration extractor URLs: deallyharvenw.shop
Source: Malware configuration extractor URLs: dividenntykw.shop
Source: Malware configuration extractor URLs: racedsuitreow.shop
Source: Malware configuration extractor URLs: covvercilverow.shop
Source: Malware configuration extractor URLs: priooozekw.shop
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View IP Address: 172.67.209.193 172.67.209.193
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: dividenntykw.shop
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gravvitywio.store
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=2b82286952de39ddee451a4d; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34837Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveWed, 02 Oct 2024 13:01:26 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: dividenntykw.shop
Source: global traffic DNS traffic detected: DNS query: racedsuitreow.shop
Source: global traffic DNS traffic detected: DNS query: defenddsouneuw.shop
Source: global traffic DNS traffic detected: DNS query: deallyharvenw.shop
Source: global traffic DNS traffic detected: DNS query: priooozekw.shop
Source: global traffic DNS traffic detected: DNS query: pumpkinkwquo.shop
Source: global traffic DNS traffic detected: DNS query: abortinoiwiam.shop
Source: global traffic DNS traffic detected: DNS query: surroundeocw.shop
Source: global traffic DNS traffic detected: DNS query: covvercilverow.shop
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: gravvitywio.store
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: dividenntykw.shop
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: 7wN7BF7WfX.exe String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: 7wN7BF7WfX.exe String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: 7wN7BF7WfX.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: 7wN7BF7WfX.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: 7wN7BF7WfX.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: 7wN7BF7WfX.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: 7wN7BF7WfX.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: 7wN7BF7WfX.exe String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: 7wN7BF7WfX.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: 7wN7BF7WfX.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: BitLockerToGo.exe, 00000004.00000002.2041942999.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765638924.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000004.00000002.2041942999.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765638924.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000004.00000002.2041942999.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765638924.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: 7wN7BF7WfX.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: 7wN7BF7WfX.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic
Source: BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: BitLockerToGo.exe, 00000004.00000002.2041942999.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765638924.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZK
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&l=e
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://covvercilverow.shop/
Source: BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://covvercilverow.shop/api
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://covvercilverow.shop/t
Source: BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://deallyharvenw.shop/api
Source: BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://defenddsouneuw.shop/pi3
Source: BitLockerToGo.exe, 00000004.00000002.2041483138.0000000002C02000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765698684.0000000002C02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dividenntykw.shop/Y
Source: BitLockerToGo.exe, 00000004.00000002.2041483138.0000000002BFB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765698684.0000000002BFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dividenntykw.shop/api
Source: 7wN7BF7WfX.exe String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/
Source: BitLockerToGo.exe, 00000004.00000003.1765698684.0000000002C0C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041744613.0000000002C0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/api
Source: BitLockerToGo.exe, 00000004.00000003.1765698684.0000000002C0C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041744613.0000000002C0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/e
Source: BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/~7
Source: BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765923337.0000000002C21000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store:443/api
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: 7wN7BF7WfX.exe String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictnot
Source: BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pumpkinkwquo.shop/api
Source: BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/
Source: BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/&7
Source: BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/.7
Source: BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/N7
Source: BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/V7
Source: BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/api
Source: BitLockerToGo.exe, 00000004.00000003.1739688628.0000000002C47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/api_
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041744613.0000000002C0C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/e
Source: BitLockerToGo.exe, 00000004.00000002.2041942999.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765638924.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900N
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/~7
Source: BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 00000004.00000002.2041942999.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C06000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765638924.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C3F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C0C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://surroundeocw.shop/api
Source: 7wN7BF7WfX.exe String found in binary or memory: https://www.certum.pl/CPS0
Source: 7wN7BF7WfX.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: BitLockerToGo.exe, 00000004.00000003.1753285132.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1765558076.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: BitLockerToGo.exe, 00000004.00000003.1753398287.0000000002C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown HTTPS traffic detected: 104.21.8.235:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.7:49711 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B39500 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 4_2_02B39500
Contains functionality to read the clipboard data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B39500 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 4_2_02B39500

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1736916326.000000C000860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1736585848.000000C000480000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Detected potential crypto function
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B104E0 4_2_02B104E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B0FE90 4_2_02B0FE90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B49290 4_2_02B49290
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B4A2F0 4_2_02B4A2F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B052D0 4_2_02B052D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B112D0 4_2_02B112D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B2C227 4_2_02B2C227
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B45260 4_2_02B45260
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B4826A 4_2_02B4826A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B073B0 4_2_02B073B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B01311 4_2_02B01311
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B2E37B 4_2_02B2E37B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B0B0B0 4_2_02B0B0B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B01000 4_2_02B01000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B39070 4_2_02B39070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B4A060 4_2_02B4A060
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B0C050 4_2_02B0C050
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B33609 4_2_02B33609
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B087B0 4_2_02B087B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B49790 4_2_02B49790
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B03730 4_2_02B03730
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B48736 4_2_02B48736
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B20770 4_2_02B20770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B4A740 4_2_02B4A740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B0A4D0 4_2_02B0A4D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B4A410 4_2_02B4A410
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B2E58F 4_2_02B2E58F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B0E530 4_2_02B0E530
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B28554 4_2_02B28554
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B0B540 4_2_02B0B540
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B2AAFA 4_2_02B2AAFA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B0AA20 4_2_02B0AA20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B2CA40 4_2_02B2CA40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B10BD3 4_2_02B10BD3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B289F0 4_2_02B289F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B289D2 4_2_02B289D2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B3F910 4_2_02B3F910
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B4B910 4_2_02B4B910
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B13944 4_2_02B13944
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B06EB0 4_2_02B06EB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B49E80 4_2_02B49E80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B09E3C 4_2_02B09E3C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B07E10 4_2_02B07E10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B2CE70 4_2_02B2CE70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B10C00 4_2_02B10C00
Found potential string decryption / allocating functions
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02B1DEA0 appears 171 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02B0CB30 appears 47 times
PE file contains more sections than normal
Source: 7wN7BF7WfX.exe Static PE information: Number of sections : 12 > 10
Sample file is different than original file name gathered from version info
Source: 7wN7BF7WfX.exe, 00000000.00000003.1709351969.00000182F7E00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 7wN7BF7WfX.exe
Source: 7wN7BF7WfX.exe, 00000000.00000003.1709321267.00000182F7E40000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 7wN7BF7WfX.exe
Source: 7wN7BF7WfX.exe, 00000000.00000002.1736916326.000000C000800000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 7wN7BF7WfX.exe
Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0006A2000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 7wN7BF7WfX.exe
Yara signature match
Source: 00000000.00000002.1736916326.000000C000860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1736585848.000000C000480000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 7wN7BF7WfX.exe Binary string: bindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockx509: malformed validityexec: Stdout already setjson: unsupported type: Invalid Semantic Versioninvalid pattern syntax: address string too shortresource length too longunpacking Question.Classidna: disallowed rune %U^[a-zA-Z_][a-zA-Z0-9_]*$unable to resolve %s: %vunable to resolve %v: %qgoogle.protobuf.Duration\Device\NamedPipe\cygwinAsia Pacific (Hong Kong)Asia Pacific (Hyderabad)Asia Pacific (Singapore)Asia Pacific (Melbourne)athena.ap-east-1.api.awsathena.ca-west-1.api.awsathena.eu-west-1.api.awsathena.eu-west-2.api.awsathena.eu-west-3.api.awsathena.sa-east-1.api.awsathena.us-east-1.api.awsathena.us-east-2.api.awsathena.us-west-1.api.awsathena.us-west-2.api.awscloudfront.amazonaws.comaos.ca-central-1.api.awsaos.eu-central-1.api.awsaos.eu-central-2.api.awsaos.il-central-1.api.awsaos.me-central-1.api.awslambda.ap-east-1.api.awslambda.ca-west-1.api.awslambda.eu-west-1.api.awslambda.eu-west-2.api.awslambda.eu-west-3.api.awslambda.sa-east-1.api.awslambda.us-east-1.api.awslambda.us-east-2.api.awslambda.us-west-1.api.awslambda.us-west-2.api.awsrekognition.ca-central-1budgets.amazonaws.com.cnroute53.amazonaws.com.cnacm.{region}.{dnsSuffix}dms.{region}.{dnsSuffix}ec2.{region}.{dnsSuffix}eks.{region}.{dnsSuffix}iam.us-gov.amazonaws.compi.us-gov-east-1.api.awspi.us-gov-west-1.api.awsrds.{region}.{dnsSuffix}sqs.{region}.{dnsSuffix}ssm.{region}.{dnsSuffix}sts.{region}.{dnsSuffix}flate: maxBits too largestreamSafe was not resetmismatching enum lengthsGODEBUG sys/cpu: value "", required CPU feature
Source: classification engine Classification label: mal93.troj.evad.winEXE@3/0@11/3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B273F0 CoCreateInstance, 4_2_02B273F0
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe File created: C:\Users\Public\Libraries\ckkih.scif Jump to behavior
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe File opened: C:\Windows\system32\e2d5521d9292b68b83bceb8b9b97cda812fa9566cbe25e6a1115af684d3a4beaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: 7wN7BF7WfX.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 7wN7BF7WfX.exe ReversingLabs: Detection: 36%
Source: 7wN7BF7WfX.exe String found in binary or memory: net/addrselect.go
Source: 7wN7BF7WfX.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: 7wN7BF7WfX.exe String found in binary or memory: cGLtrQzJjn/load.go
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe File read: C:\Users\user\Desktop\7wN7BF7WfX.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\7wN7BF7WfX.exe "C:\Users\user\Desktop\7wN7BF7WfX.exe"
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Jump to behavior
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: 7wN7BF7WfX.exe Static PE information: certificate valid
Source: 7wN7BF7WfX.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 7wN7BF7WfX.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 7wN7BF7WfX.exe Static file information: File size 14180600 > 1048576
Source: 7wN7BF7WfX.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x460a00
Source: 7wN7BF7WfX.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x89ce00
Source: 7wN7BF7WfX.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: 7wN7BF7WfX.exe, 00000000.00000003.1709351969.00000182F7E00000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000003.1709321267.00000182F7E40000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000002.1736916326.000000C000800000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0006A2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: 7wN7BF7WfX.exe, 00000000.00000003.1709351969.00000182F7E00000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000003.1709321267.00000182F7E40000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000002.1736916326.000000C000800000.00000004.00001000.00020000.00000000.sdmp, 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0006A2000.00000004.00001000.00020000.00000000.sdmp
PE file contains sections with non-standard names
Source: 7wN7BF7WfX.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7864 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: BitLockerToGo.exe, 00000004.00000002.2039890403.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1766159958.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2041862232.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1753315845.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 7wN7BF7WfX.exe, 00000000.00000002.1737047471.00000182B27E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B47590 LdrInitializeThunk, 4_2_02B47590

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2B00000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2B00000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: covvercilverow.shop
Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: surroundeocw.shop
Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: abortinoiwiam.shop
Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: pumpkinkwquo.shop
Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: priooozekw.shop
Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: deallyharvenw.shop
Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: defenddsouneuw.shop
Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: racedsuitreow.shop
Source: 7wN7BF7WfX.exe, 00000000.00000002.1736585848.000000C0005B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: dividenntykw.shop
Writes to foreign memory regions
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2B00000 Jump to behavior
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2923008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Queries volume information: C:\Users\user\Desktop\7wN7BF7WfX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Queries volume information: C:\Windows VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7wN7BF7WfX.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Go Injector
Source: Yara match File source: 7wN7BF7WfX.exe, type: SAMPLE
Source: Yara match File source: 0.0.7wN7BF7WfX.exe.7ff7a1880000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7wN7BF7WfX.exe.7ff7a1880000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1738001301.00007FF7A234A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1305930689.00007FF7A234A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7wN7BF7WfX.exe PID: 7428, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Go Injector
Source: Yara match File source: 7wN7BF7WfX.exe, type: SAMPLE
Source: Yara match File source: 0.0.7wN7BF7WfX.exe.7ff7a1880000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7wN7BF7WfX.exe.7ff7a1880000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1738001301.00007FF7A234A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1305930689.00007FF7A234A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7wN7BF7WfX.exe PID: 7428, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1524037 Sample: 7wN7BF7WfX.exe Startdate: 02/10/2024 Architecture: WINDOWS Score: 93 13 surroundeocw.shop 2->13 15 racedsuitreow.shop 2->15 17 9 other IPs or domains 2->17 25 Suricata IDS alerts for network traffic 2->25 27 Found malware configuration 2->27 29 Malicious sample detected (through community Yara rule) 2->29 31 7 other signatures 2->31 7 7wN7BF7WfX.exe 2 2->7         started        signatures3 process4 signatures5 33 Writes to foreign memory regions 7->33 35 Allocates memory in foreign processes 7->35 37 Injects a PE file into a foreign processes 7->37 39 LummaC encrypted strings found 7->39 10 BitLockerToGo.exe 7->10         started        process6 dnsIp7 19 dividenntykw.shop 104.21.8.235, 443, 49709 CLOUDFLARENETUS United States 10->19 21 gravvitywio.store 172.67.209.193, 443, 49711 CLOUDFLARENETUS United States 10->21 23 steamcommunity.com 104.102.49.254, 443, 49710 AKAMAI-ASUS United States 10->23
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.8.235
 dividenntykw.shop United States
13335 CLOUDFLARENETUS true
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS false
172.67.209.193
 gravvitywio.store United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
dividenntykw.shop 104.21.8.235 true
steamcommunity.com 104.102.49.254 true
gravvitywio.store 172.67.209.193 true
priooozekw.shop unknown unknown
pumpkinkwquo.shop unknown unknown
abortinoiwiam.shop unknown unknown
deallyharvenw.shop unknown unknown
surroundeocw.shop unknown unknown
racedsuitreow.shop unknown unknown
defenddsouneuw.shop unknown unknown
covvercilverow.shop unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
abortinoiwiam.shop true
    		unknown
    defenddsouneuw.shop true
      		unknown
      priooozekw.shop true
        		unknown
        surroundeocw.shop true
          		unknown
          https://dividenntykw.shop/api true
            		unknown
            https://steamcommunity.com/profiles/76561199724331900 true
            • URL Reputation: malware
            		 unknown
            racedsuitreow.shop true
              		unknown
              covvercilverow.shop true
                		unknown
                pumpkinkwquo.shop true
                  		unknown
                  deallyharvenw.shop true
                    		unknown
                    https://gravvitywio.store/api true
                      		unknown