Windows Analysis Report
N65c8rwdal.exe

Overview

General Information

Sample name: N65c8rwdal.exe
renamed because original name is a hash value
Original sample name: 660b29ad23f61f5565629f60cf59f848fc54c2c6ebe29883976468232a693745.exe
Analysis ID: 1524038
MD5: ce773611c449cfa1f292fc805e532d2f
SHA1: e566020de1c8557da9885dd36a6b7223c3567772
SHA256: 660b29ad23f61f5565629f60cf59f848fc54c2c6ebe29883976468232a693745
Tags: exe, GuizhouSixuandaTechnologyCoLtd, signed, user-JAMESWT_MHT

Detection

LummaC, Go Injector, LummaC Stealer
Score: 93
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Go Injector
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: 0.2.N65c8rwdal.exe.c000554000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["relaxatinownio.shop", "tryyudjasudqo.shop", "keennylrwmqlw.shop", "tesecuuweqo.shop", "eemmbryequo.shop", "licenseodqwmqn.shop", "tendencctywop.shop", "reggwardssdqw.shop"], "Build id": "c2CoW0--1"}
Source: N65c8rwdal.exe ReversingLabs: Detection: 24%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 85.0% probability
Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String decryptor: tryyudjasudqo.shop
Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String decryptor: eemmbryequo.shop
Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String decryptor: reggwardssdqw.shop
Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String decryptor: relaxatinownio.shop
Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String decryptor: tesecuuweqo.shop
Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String decryptor: tendencctywop.shop
Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String decryptor: licenseodqwmqn.shop
Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String decryptor: keennylrwmqlw.shop
Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String decryptor: c2CoW0--1
Source: N65c8rwdal.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:53475 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.4:53478 version: TLS 1.2
Source: N65c8rwdal.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0006B8000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000003.2091088218.000001CA7F5E0000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000003.2090871306.000001CA7F620000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0005DE000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0006B8000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000003.2091088218.000001CA7F5E0000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000003.2090871306.000001CA7F620000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0005DE000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_02DBF0CD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then xor ebp, ebp 4_2_02D907BA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 4_2_02D9DAD1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [eax+edx] 4_2_02DBCAF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_02DBCAF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 4_2_02D84AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then xor esi, esi 4_2_02DA7A67
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 4_2_02D90A10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+000000C0h] 4_2_02D91BDF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+04h] 4_2_02D91BDF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 625B6034h 4_2_02DA6390
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 4_2_02D85BA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi], 00000000h 4_2_02D9332C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 4_2_02DABB20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 4_2_02DA28F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [ebx] 4_2_02DC28B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 4_2_02D87040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+54h] 4_2_02DAA067
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, byte ptr [ecx-01h] 4_2_02D81000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 4_2_02D8F1FC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_02D92998
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 4_2_02DBA180
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, ecx 4_2_02D9D9BE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_02DC2150
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 4_2_02DA3108
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 4_2_02DA3108
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi], 00000000h 4_2_02D8E965
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 4_2_02D8F134
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 4_2_02D94921
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 4_2_02DA2690
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 4_2_02D996B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [ebp-10h] 4_2_02DA3E59
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then push 00000000h 4_2_02D83660
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 4_2_02DB4E60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 4_2_02DB8630
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 625B6034h 4_2_02DB8630
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 4_2_02DABE20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_02DBD7E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+000000C0h] 4_2_02D9279A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+44h] 4_2_02D92F92
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 4_2_02DC1790
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then xor esi, esi 4_2_02DA7FB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then xor esi, esi 4_2_02DA7750
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+44h] 4_2_02D92C84
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then lea edx, dword ptr [eax+01h] 4_2_02DAB4BE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ebx+01h], 00000000h 4_2_02DA35E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+04h] 4_2_02D8DDB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 4_2_02DA3D0F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ebx], cl 4_2_02DAC500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+68h] 4_2_02DAC500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esi+000000D4h] 4_2_02DAC500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edx], al 4_2_02DAC500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_02DAC500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+34h] 4_2_02DAC500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], cl 4_2_02DAC500

Networking

Source: Network traffic Suricata IDS: 2055887 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (relaxatinownio .shop) : 192.168.2.4:54479 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055881 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (keennylrwmqlw .shop) : 192.168.2.4:50101 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055879 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eemmbryequo .shop) : 192.168.2.4:59155 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055895 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tryyudjasudqo .shop) : 192.168.2.4:57213 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055891 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencctywop .shop) : 192.168.2.4:51181 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055893 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tesecuuweqo .shop) : 192.168.2.4:64281 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055883 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licenseodqwmqn .shop) : 192.168.2.4:51307 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055885 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reggwardssdqw .shop) : 192.168.2.4:52454 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:53478 -> 172.67.209.193:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:53478 -> 172.67.209.193:443
Source: Malware configuration extractor URLs: relaxatinownio.shop
Source: Malware configuration extractor URLs: tryyudjasudqo.shop
Source: Malware configuration extractor URLs: keennylrwmqlw.shop
Source: Malware configuration extractor URLs: tesecuuweqo.shop
Source: Malware configuration extractor URLs: eemmbryequo.shop
Source: Malware configuration extractor URLs: licenseodqwmqn.shop
Source: Malware configuration extractor URLs: tendencctywop.shop
Source: Malware configuration extractor URLs: reggwardssdqw.shop
Source: Joe Sandbox View IP Address: 104.102.49.254
Source: Joe Sandbox View IP Address: 172.67.209.193
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gravvitywio.store
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 identical events)
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: tendencctywop.shop
Source: global traffic DNS traffic detected: DNS query: keennylrwmqlw.shop
Source: global traffic DNS traffic detected: DNS query: licenseodqwmqn.shop
Source: global traffic DNS traffic detected: DNS query: tesecuuweqo.shop
Source: global traffic DNS traffic detected: DNS query: relaxatinownio.shop
Source: global traffic DNS traffic detected: DNS query: reggwardssdqw.shop
Source: global traffic DNS traffic detected: DNS query: eemmbryequo.shop
Source: global traffic DNS traffic detected: DNS query: tryyudjasudqo.shop
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: gravvitywio.store
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gravvitywio.store
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: N65c8rwdal.exe String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: N65c8rwdal.exe String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: N65c8rwdal.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: N65c8rwdal.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: N65c8rwdal.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: N65c8rwdal.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: N65c8rwdal.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: N65c8rwdal.exe String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: N65c8rwdal.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: N65c8rwdal.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2137184864.0000000003398000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2137184864.0000000003398000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2137184864.0000000003398000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: N65c8rwdal.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: N65c8rwdal.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2134186080.0000000003381000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic
Source: BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2137184864.0000000003398000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZK
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&l=e
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122409679.0000000003380000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: N65c8rwdal.exe String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: N65c8rwdal.exe String found in binary or memory: https://golang.org/doc/faq#nil_errorx509:
Source: BitLockerToGo.exe, 00000004.00000003.2133020363.000000000332E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.0000000003364000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/)
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003346000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2135995706.000000000332E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.000000000332E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/7
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003346000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2135995706.000000000332E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.000000000332E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/G
Source: BitLockerToGo.exe, 00000004.00000003.2133020363.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/api
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003346000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2135995706.000000000332E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.000000000332E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/api7
Source: BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store:443/apifiles/76561199724331900
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: N65c8rwdal.exe String found in binary or memory: https://management.azure.cominvalid
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.0000000003364000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/3y
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2137184864.0000000003398000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.0000000003312000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.0000000003312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.0000000003312000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.0000000003312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/765611997243319001
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2137184864.0000000003398000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000004.00000003.2133020363.00000000032F1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2135995706.00000000032F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tendencctywop.shop/
Source: N65c8rwdal.exe String found in binary or memory: https://www.certum.pl/CPS0
Source: N65c8rwdal.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: BitLockerToGo.exe, 00000004.00000003.2122376903.0000000003383000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2132935455.000000000338F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: BitLockerToGo.exe, 00000004.00000003.2122433497.0000000003364000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 53478 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53475 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53475
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53478
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:53475 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.209.193:443 -> 192.168.2.4:53478 version: TLS 1.2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02DB2C80 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 4_2_02DB2C80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02DB2DF0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 4_2_02DB2DF0

System Summary

Source: 00000000.00000002.2108992608.000000C00080E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02DB0D40 4_2_02DB0D40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02DAC500 4_2_02DAC500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02DA8533 4_2_02DA8533
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02DC0D20 4_2_02DC0D20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02D8CA00 appears 66 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02D9A000 appears 144 times
Source: N65c8rwdal.exe Static PE information: Number of sections : 12 > 10
Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0006B8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs N65c8rwdal.exe
Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs N65c8rwdal.exe
Source: N65c8rwdal.exe, 00000000.00000003.2091088218.000001CA7F5E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs N65c8rwdal.exe
Source: N65c8rwdal.exe, 00000000.00000003.2090871306.000001CA7F620000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs N65c8rwdal.exe
Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0005DE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs N65c8rwdal.exe
Source: 00000000.00000002.2108992608.000000C00080E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine Classification label: mal93.troj.evad.winEXE@3/0@10/2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02DA2690 CoCreateInstance, 4_2_02DA2690
Source: C:\Users\user\Desktop\N65c8rwdal.exe File created: C:\Users\Public\Libraries\bopdb.scif
Source: C:\Users\user\Desktop\N65c8rwdal.exe File opened: C:\Windows\system32\2e06423a2e6c9ac3677f3fe4a22bb8b5180da5f547edd3e873b22c0fa61b486dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: N65c8rwdal.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\N65c8rwdal.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: N65c8rwdal.exe ReversingLabs: Detection: 24%
Source: N65c8rwdal.exe String found in binary or memory: net/addrselect.go
Source: N65c8rwdal.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: N65c8rwdal.exe String found in binary or memory: HuHatEoCKu/load.go
Source: C:\Users\user\Desktop\N65c8rwdal.exe File read: C:\Users\user\Desktop\N65c8rwdal.exe
Source: unknown Process created: C:\Users\user\Desktop\N65c8rwdal.exe "C:\Users\user\Desktop\N65c8rwdal.exe"
Source: C:\Users\user\Desktop\N65c8rwdal.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\N65c8rwdal.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\N65c8rwdal.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\N65c8rwdal.exe Section loaded: umpdc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll
Source: N65c8rwdal.exe Static PE information: certificate valid
Source: N65c8rwdal.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: N65c8rwdal.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: N65c8rwdal.exe Static file information: File size 18659064 > 1048576
Source: N65c8rwdal.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x654e00
Source: N65c8rwdal.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xabe600
Source: N65c8rwdal.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0006B8000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000003.2091088218.000001CA7F5E0000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000003.2090871306.000001CA7F620000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0005DE000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0006B8000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000003.2091088218.000001CA7F5E0000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000003.2090871306.000001CA7F620000.00000004.00001000.00020000.00000000.sdmp, N65c8rwdal.exe, 00000000.00000002.2108721596.000000C0005DE000.00000004.00001000.00020000.00000000.sdmp
Source: N65c8rwdal.exe Static PE information: section name: .xdata
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02DC53C7 push edx; ret 4_2_02DC53C8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02D973B0 push esi; ret 4_2_02D973B2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02D97378 push 0000001Ch; mov dword ptr [esp], esi 4_2_02D9737A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02DC56B0 push esp; retf 4_2_02DC56D8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02DC6F7B push ds; iretd 4_2_02DC6FA1
Source: C:\Users\user\Desktop\N65c8rwdal.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 2120 Thread sleep time: -30000s >= -30000s
Source: BitLockerToGo.exe, 00000004.00000002.2135824425.00000000032B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2135995706.000000000332E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.000000000332E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000004.00000002.2135995706.000000000332E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2133020363.000000000332E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: N65c8rwdal.exe, 00000000.00000002.2109166550.000001CA7E068000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@@
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02DBE4E0 LdrInitializeThunk, 4_2_02DBE4E0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\N65c8rwdal.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2D80000 protect: page execute and read and write
Source: C:\Users\user\Desktop\N65c8rwdal.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2D80000 value starts with: 4D5A
Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: tryyudjasudqo.shop
Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: eemmbryequo.shop
Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: reggwardssdqw.shop
Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: relaxatinownio.shop
Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: tesecuuweqo.shop
Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: tendencctywop.shop
Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: licenseodqwmqn.shop
Source: N65c8rwdal.exe, 00000000.00000002.2108721596.000000C000554000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: keennylrwmqlw.shop
Source: C:\Users\user\Desktop\N65c8rwdal.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2D80000
Source: C:\Users\user\Desktop\N65c8rwdal.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2F29008
Source: C:\Users\user\Desktop\N65c8rwdal.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\N65c8rwdal.exe Queries volume information: C:\Users\user\Desktop\N65c8rwdal.exe VolumeInformation
Source: C:\Users\user\Desktop\N65c8rwdal.exe Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Desktop\N65c8rwdal.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\Desktop\N65c8rwdal.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\Desktop\N65c8rwdal.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: N65c8rwdal.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.1685275237.00007FF730241000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2111216784.00007FF730241000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: N65c8rwdal.exe PID: 1848, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: N65c8rwdal.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.1685275237.00007FF730241000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2111216784.00007FF730241000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: N65c8rwdal.exe PID: 1848, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR