Windows Analysis Report
EKAHephXb2.exe

Overview

General Information

Sample name: EKAHephXb2.exe
renamed because original name is a hash value
Original sample name: c0faa9469b975c6abf8305f713c91740a455f7e17f49cb4c21c801f432bd5baf.exe
Analysis ID: 1524040
MD5: 6cf54ce259904e8ee54d521a8c85aff1
SHA1: 7ebab8469454f1954b8fec645b921f316eda9ddc
SHA256: c0faa9469b975c6abf8305f713c91740a455f7e17f49cb4c21c801f432bd5baf
Tags: exe, GuizhouSixuandaTechnologyCoLtd, signed, user-JAMESWT_MHT

Detection

LummaC, Go Injector, LummaC Stealer
Score: 99
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Go Injector
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges URL Reputation: Label: malware
Source: 0.2.EKAHephXb2.exe.c000830000.4.unpack Malware Configuration Extractor: LummaC {"C2 url": ["reggwardssdqw.shop", "eemmbryequo.shop", "tryyudjasudqo.shop", "keennylrwmqlw.shop", "tendencctywop.shop", "licenseodqwmqn.shop", "relaxatinownio.shop", "tesecuuweqo.shop"], "Build id": "c2CoW0--4"}
Source: EKAHephXb2.exe ReversingLabs: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 94.9% probability
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp String decryptor: tryyudjasudqo.shop
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp String decryptor: eemmbryequo.shop
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp String decryptor: reggwardssdqw.shop
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp String decryptor: relaxatinownio.shop
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp String decryptor: tesecuuweqo.shop
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp String decryptor: tendencctywop.shop
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp String decryptor: licenseodqwmqn.shop
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp String decryptor: keennylrwmqlw.shop
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp String decryptor: c2CoW0--4
Source: EKAHephXb2.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.12:443 -> 192.168.2.9:49714 version: TLS 1.2
Source: EKAHephXb2.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: EKAHephXb2.exe, 00000000.00000002.1824849229.000000C0004C8000.00000004.00001000.00020000.00000000.sdmp, EKAHephXb2.exe, 00000000.00000002.1822420580.000000C0001F7000.00000004.00001000.00020000.00000000.sdmp, EKAHephXb2.exe, 00000000.00000003.1814431335.00000145E3200000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: EKAHephXb2.exe, 00000000.00000002.1824849229.000000C0004C8000.00000004.00001000.00020000.00000000.sdmp, EKAHephXb2.exe, 00000000.00000002.1822420580.000000C0001F7000.00000004.00001000.00020000.00000000.sdmp, EKAHephXb2.exe, 00000000.00000003.1814431335.00000145E3200000.00000004.00001000.00020000.00000000.sdmp

Networking

Source: Network traffic Suricata IDS: 2055893 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tesecuuweqo .shop) : 192.168.2.9:60539 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055885 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reggwardssdqw .shop) : 192.168.2.9:51149 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055891 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencctywop .shop) : 192.168.2.9:59173 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055881 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (keennylrwmqlw .shop) : 192.168.2.9:63593 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055879 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eemmbryequo .shop) : 192.168.2.9:50213 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055895 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tryyudjasudqo .shop) : 192.168.2.9:49284 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055887 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (relaxatinownio .shop) : 192.168.2.9:51217 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055883 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licenseodqwmqn .shop) : 192.168.2.9:60987 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49714 -> 104.21.16.12:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49714 -> 104.21.16.12:443
Source: Malware configuration extractor URLs: reggwardssdqw.shop
Source: Malware configuration extractor URLs: eemmbryequo.shop
Source: Malware configuration extractor URLs: tryyudjasudqo.shop
Source: Malware configuration extractor URLs: keennylrwmqlw.shop
Source: Malware configuration extractor URLs: tendencctywop.shop
Source: Malware configuration extractor URLs: licenseodqwmqn.shop
Source: Malware configuration extractor URLs: relaxatinownio.shop
Source: Malware configuration extractor URLs: tesecuuweqo.shop
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View IP Address: 104.21.16.12 104.21.16.12
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: gravvitywio.store
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: tendencctywop.shop
Source: global traffic DNS traffic detected: DNS query: keennylrwmqlw.shop
Source: global traffic DNS traffic detected: DNS query: licenseodqwmqn.shop
Source: global traffic DNS traffic detected: DNS query: tesecuuweqo.shop
Source: global traffic DNS traffic detected: DNS query: relaxatinownio.shop
Source: global traffic DNS traffic detected: DNS query: reggwardssdqw.shop
Source: global traffic DNS traffic detected: DNS query: eemmbryequo.shop
Source: global traffic DNS traffic detected: DNS query: tryyudjasudqo.shop
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: gravvitywio.store
Source: unknown HTTP traffic detected: POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: gravvitywio.store
Source: EKAHephXb2.exe String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: EKAHephXb2.exe String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: EKAHephXb2.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: EKAHephXb2.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: EKAHephXb2.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://earth.google.com/kml/2.0
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://earth.google.com/kml/2.1
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://earth.google.com/kml/2.2
Source: EKAHephXb2.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: EKAHephXb2.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: EKAHephXb2.exe String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: EKAHephXb2.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: EKAHephXb2.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: EKAHephXb2.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: EKAHephXb2.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: EKAHephXb2.exe String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C00015A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.opengis.net/gml
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.opengis.net/gml/3.2
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.opengis.net/gml/3.3/exr
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.opengis.net/kml/2.2
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C000106000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.topografix.com/GPX/1/1
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&l=e
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: EKAHephXb2.exe String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/
Source: BitLockerToGo.exe, 00000003.00000003.1847574186.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847749596.00000000005C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847574186.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/api
Source: BitLockerToGo.exe, 00000003.00000003.1847574186.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/apib
Source: BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: EKAHephXb2.exe String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictCount
Source: BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847749596.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000592000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848237703.000000000063E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847749596.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847574186.0000000000597000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000592000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847749596.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900p
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000592000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.0000000000625000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848237703.000000000063E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: EKAHephXb2.exe String found in binary or memory: https://www.certum.pl/CPS0
Source: EKAHephXb2.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: BitLockerToGo.exe, 00000003.00000003.1847540143.0000000000635000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1838124879.000000000062B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.12:443 -> 192.168.2.9:49714 version: TLS 1.2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004443D0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_004443D0

System Summary

Source: 00000000.00000002.1825888626.000000C000644000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1826819388.000000C000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041F3E0 3_2_0041F3E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041FA80 3_2_0041FA80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041CD30 3_2_0041CD30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041FF36 3_2_0041FF36
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00411000 3_2_00411000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0042E010 3_2_0042E010
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00456010 3_2_00456010
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00418140 3_2_00418140
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0044A160 3_2_0044A160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0044B122 3_2_0044B122
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0043B1C3 3_2_0043B1C3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00453180 3_2_00453180
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00454212 3_2_00454212
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004112DD 3_2_004112DD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004382B0 3_2_004382B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00450340 3_2_00450340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00433330 3_2_00433330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00456330 3_2_00456330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004203C0 3_2_004203C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004233D8 3_2_004233D8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041A3F0 3_2_0041A3F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004533B0 3_2_004533B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00424444 3_2_00424444
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0043946D 3_2_0043946D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0043948B 3_2_0043948B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0042F490 3_2_0042F490
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004135E0 3_2_004135E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0044B650 3_2_0044B650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004546D0 3_2_004546D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004536F0 3_2_004536F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00456690 3_2_00456690
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004547C0 3_2_004547C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0043D7E0 3_2_0043D7E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004557E0 3_2_004557E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00434780 3_2_00434780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004177A0 3_2_004177A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004357AE 3_2_004357AE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00437860 3_2_00437860
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0042B832 3_2_0042B832
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0043A8AD 3_2_0043A8AD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041D8B0 3_2_0041D8B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0043B970 3_2_0043B970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0043890E 3_2_0043890E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00419A5B 3_2_00419A5B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041FA1F 3_2_0041FA1F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0044FAC0 3_2_0044FAC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00454AF0 3_2_00454AF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041AA90 3_2_0041AA90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00439ABB 3_2_00439ABB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041BB00 3_2_0041BB00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00418B20 3_2_00418B20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00452BCC 3_2_00452BCC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00424B8D 3_2_00424B8D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00433C4D 3_2_00433C4D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0042DC23 3_2_0042DC23
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00453C20 3_2_00453C20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0042BCC5 3_2_0042BCC5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00455CD0 3_2_00455CD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00420CE0 3_2_00420CE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00422CA0 3_2_00422CA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00422D50 3_2_00422D50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00439D5A 3_2_00439D5A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00414D00 3_2_00414D00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041ED30 3_2_0041ED30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00418DFD 3_2_00418DFD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00416D80 3_2_00416D80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00424E0F 3_2_00424E0F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00419E80 3_2_00419E80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00435EA0 3_2_00435EA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00438EA9 3_2_00438EA9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00423F0E 3_2_00423F0E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041AFF0 3_2_0041AFF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0044EFB0 3_2_0044EFB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0041E010 appears 182 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0041C640 appears 64 times
Source: EKAHephXb2.exe Static PE information: Number of sections : 12 > 10
Source: EKAHephXb2.exe, 00000000.00000002.1824849229.000000C0004C8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs EKAHephXb2.exe
Source: EKAHephXb2.exe, 00000000.00000000.1358938721.00007FF6CD3C8000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameProjectOverviewP. vs EKAHephXb2.exe
Source: EKAHephXb2.exe, 00000000.00000002.1822420580.000000C0001F7000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs EKAHephXb2.exe
Source: EKAHephXb2.exe, 00000000.00000003.1814431335.00000145E3200000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs EKAHephXb2.exe
Source: EKAHephXb2.exe Binary or memory string: OriginalFilenameProjectOverviewP. vs EKAHephXb2.exe
Source: 00000000.00000002.1825888626.000000C000644000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1826819388.000000C000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine Classification label: mal99.troj.evad.winEXE@3/0@10/2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004330D0 CoCreateInstance, 3_2_004330D0
Source: C:\Users\user\Desktop\EKAHephXb2.exe File created: C:\Users\Public\Libraries\egabm.scif
Source: C:\Users\user\Desktop\EKAHephXb2.exe File opened: C:\Windows\system32\
Source: EKAHephXb2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\EKAHephXb2.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: EKAHephXb2.exe, 00000000.00000000.1357843651.00007FF6CC9F5000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SelectExprDprotobuf:"bytes,5,opt,name=select_expr,json=selectExpr,proto3,oneof"P*func(context.Context, string, *net.TCPAddr, *net.TCPAddr) (*net.TCPConn, error)P*struct { *promhttp.responseWriterDelegator; http.Hijacker; http.CloseNotifier }P*struct { *promhttp.responseWriterDelegator; io.ReaderFrom; http.CloseNotifier }P*func([]uint8, protoreflect.Value, uint64, impl.marshalOptions) ([]uint8, error)P*struct { F uintptr; X0 impl.Converter; X1 impl.offset; X2 reflect.StructField }P*struct { F uintptr; X0 impl.offset; X1 reflect.StructField; X2 impl.Converter }P*struct { F uintptr; X0 reflect.Type; X1 map[reflect.Type]*impl.coderFieldInfo }P*struct { F uintptr; X0 reflect.Type; X1 reflect.Type; X2 *impl.coderFieldInfo }
Source: EKAHephXb2.exe ReversingLabs: Detection: 47%
Source: EKAHephXb2.exe String found in binary or memory: EyzcLWJeHl/load.go
Source: EKAHephXb2.exe String found in binary or memory: github.com/brianvoe/gofakeit@v3.18.0+incompatible/data/address.go
Source: EKAHephXb2.exe String found in binary or memory: github.com/xo/terminfo@v0.0.0-20210125001918-ca9a967f8778/load.go
Source: EKAHephXb2.exe String found in binary or memory: net/addrselect.go
Source: EKAHephXb2.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: EKAHephXb2.exe String found in binary or memory: 0-9a-zA-Z]^data:((?:\w+\/(?:([^;]|;[^;]).)+)?)accessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes.Reader.ReadAt: negative offsetlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: EKAHephXb2.exe String found in binary or memory: net/addrselect.go
Source: EKAHephXb2.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: EKAHephXb2.exe String found in binary or memory: github.com/brianvoe/gofakeit@v3.18.0+incompatible/data/address.go
Source: EKAHephXb2.exe String found in binary or memory: github.com/xo/terminfo@v0.0.0-20210125001918-ca9a967f8778/load.go
Source: EKAHephXb2.exe String found in binary or memory: EyzcLWJeHl/load.go
Source: C:\Users\user\Desktop\EKAHephXb2.exe File read: C:\Users\user\Desktop\EKAHephXb2.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\EKAHephXb2.exe "C:\Users\user\Desktop\EKAHephXb2.exe"
Source: C:\Users\user\Desktop\EKAHephXb2.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\EKAHephXb2.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Jump to behavior
Source: C:\Users\user\Desktop\EKAHephXb2.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\EKAHephXb2.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\EKAHephXb2.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll Jump to behavior
Source: EKAHephXb2.exe Static PE information: certificate valid
Source: EKAHephXb2.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: EKAHephXb2.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: EKAHephXb2.exe Static file information: File size 14931192 > 1048576
Source: EKAHephXb2.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x47da00
Source: EKAHephXb2.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x8f1600
Source: EKAHephXb2.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: EKAHephXb2.exe, 00000000.00000002.1824849229.000000C0004C8000.00000004.00001000.00020000.00000000.sdmp, EKAHephXb2.exe, 00000000.00000002.1822420580.000000C0001F7000.00000004.00001000.00020000.00000000.sdmp, EKAHephXb2.exe, 00000000.00000003.1814431335.00000145E3200000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: EKAHephXb2.exe, 00000000.00000002.1824849229.000000C0004C8000.00000004.00001000.00020000.00000000.sdmp, EKAHephXb2.exe, 00000000.00000002.1822420580.000000C0001F7000.00000004.00001000.00020000.00000000.sdmp, EKAHephXb2.exe, 00000000.00000003.1814431335.00000145E3200000.00000004.00001000.00020000.00000000.sdmp
Source: EKAHephXb2.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\EKAHephXb2.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7636 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: EKAHephXb2.exe, 00000000.00000002.1827188067.00000145BDA68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllEEH
Source: BitLockerToGo.exe, 00000003.00000003.1847574186.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1848156519.00000000005E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: EKAHephXb2.exe Binary or memory string: depgithub.com/vmware/govmomiv0.43.0h1:7Kg3Bkdly+TrE67BYXzRq7ZrDnn7xqpKX95uEh2f9Go=
Source: BitLockerToGo.exe, 00000003.00000002.1848029410.0000000000578000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWXl^%SystemRoot%\system32\mswsock.dllll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00451C60 LdrInitializeThunk, 3_2_00451C60

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\EKAHephXb2.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 410000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\EKAHephXb2.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 410000 value starts with: 4D5A Jump to behavior
Source: EKAHephXb2.exe, 00000000.00000002.1826819388.000000C000800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: tryyudjasudqo.shop
Source: EKAHephXb2.exe, 00000000.00000002.1826819388.000000C000800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: eemmbryequo.shop
Source: EKAHephXb2.exe, 00000000.00000002.1826819388.000000C000800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: reggwardssdqw.shop
Source: EKAHephXb2.exe, 00000000.00000002.1826819388.000000C000800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: relaxatinownio.shop
Source: EKAHephXb2.exe, 00000000.00000002.1826819388.000000C000800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: tesecuuweqo.shop
Source: EKAHephXb2.exe, 00000000.00000002.1826819388.000000C000800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: tendencctywop.shop
Source: EKAHephXb2.exe, 00000000.00000002.1826819388.000000C000800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: licenseodqwmqn.shop
Source: EKAHephXb2.exe, 00000000.00000002.1826819388.000000C000800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: keennylrwmqlw.shop
Source: C:\Users\user\Desktop\EKAHephXb2.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 410000 Jump to behavior
Source: C:\Users\user\Desktop\EKAHephXb2.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 36C008 Jump to behavior
Source: C:\Users\user\Desktop\EKAHephXb2.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Jump to behavior
Source: C:\Users\user\Desktop\EKAHephXb2.exe Queries volume information: C:\Users\user\Desktop\EKAHephXb2.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\EKAHephXb2.exe Queries volume information: C:\Windows VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\EKAHephXb2.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\EKAHephXb2.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\EKAHephXb2.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\EKAHephXb2.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
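Analyst note on the injection evidence above (an added example, not part of the sandbox output): the parent allocates a page-execute-read-write region at base 0x410000 in a freshly created BitLockerToGo.exe, a signed Microsoft binary, and writes a buffer beginning with 4D5A (the MZ signature) into it, so the later loads of winhttp.dll, schannel.dll and dpapi.dll in that process belong to the injected payload rather than to BitLockerToGo's own code. The report gives no size or content for the separate write at 36C008; an address ending in 008 is consistent with updating ImageBaseAddress at offset 0x08 of the 32-bit PEB, as process hollowing does, but that is an inference, not something the report states. The first thing to do with the written buffer is to parse its headers: confirm it is a complete PE, read the machine type and entry point, and check whether its preferred ImageBase matches the allocation base and whether it carries a base-relocation directory, since an image mapped at a foreign base without relocations would not run as-is. The Python below does that against a constructed minimal PE; build_minimal_pe, triage_injected_buffer and the 0x410000 allocation base taken from this report are assumptions for illustration, and reading the buffer out of the live process is left to the sandbox or a debugger.

```python
import struct

IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_RWX = 0xE0000000   # MEM_EXECUTE | MEM_READ | MEM_WRITE
DIR_BASERELOC = 5                # index of the base-relocation data directory


def build_minimal_pe(image_base=0x400000, entry_rva=0x1000, with_relocs=False):
    """Constructed 32-bit PE image standing in for a buffer found in a hollowed
    process. Not the sample's payload; the headers only need to be self-consistent."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew -> PE signature
    nsec = 2 if with_relocs else 1
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 224, 0x0102)  # i386, EXECUTABLE|32BIT
    dirs = [0] * 32                                                # 16 (rva, size) pairs
    if with_relocs:
        dirs[DIR_BASERELOC * 2], dirs[DIR_BASERELOC * 2 + 1] = 0x2000, 0x10
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 14, 0, 0x200, 0, 0, entry_rva, 0x1000, 0x2000, image_base,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x3000, 0x400, 0, 2, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<32I", *dirs)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    if with_relocs:
        secs += struct.pack("<8sIIIIIIHHI", b".reloc", 0x10, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0x42000040)
    headers = bytes(dos) + b"PE\0\0" + coff + opt + secs
    return headers.ljust(0x400, b"\0") + b"\xC3".ljust(0x200, b"\0")   # .text: a lone ret


def triage_injected_buffer(buf, alloc_base):
    """Parse the PE headers of a buffer written into a foreign process.

    alloc_base is where the buffer was written (0x410000 in this report).
    Returns {"is_pe": False} when the buffer is not a parseable PE image."""
    not_pe = {"is_pe": False}
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return not_pe
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return not_pe
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 96 or opt + opt_size > len(buf):
        return not_pe
    magic = struct.unpack_from("<H", buf, opt)[0]
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]
    if magic == 0x10B:                                              # PE32
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
        ndirs, dir_off = struct.unpack_from("<I", buf, opt + 92)[0], opt + 96
    elif magic == 0x20B and opt_size >= 112:                        # PE32+
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
        ndirs, dir_off = struct.unpack_from("<I", buf, opt + 108)[0], opt + 112
    else:
        return not_pe
    has_relocs = False
    if ndirs > DIR_BASERELOC and dir_off + 8 * (DIR_BASERELOC + 1) <= len(buf):
        rva, size = struct.unpack_from("<II", buf, dir_off + 8 * DIR_BASERELOC)
        has_relocs = rva != 0 and size != 0
    sec_off = opt + opt_size
    nsec = min(nsec, max(0, (len(buf) - sec_off) // 40))           # never read past the buffer
    sections = []
    for i in range(nsec):
        name, vsize, va, _, _, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", buf, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "rva": va, "vsize": vsize,
                         "rwx": (flags & IMAGE_SCN_MEM_RWX) == IMAGE_SCN_MEM_RWX})
    needs_reloc = image_base != alloc_base
    return {
        "is_pe": True,
        "machine": machine,                      # 0x14C = i386, 0x8664 = x86-64
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "image_base": image_base,
        "entry_point_va": alloc_base + entry_rva,
        "needs_relocation": needs_reloc,
        "has_reloc_dir": has_relocs,
        "relocation_problem": needs_reloc and not has_relocs,
        "sections": sections,
    }


if __name__ == "__main__":
    # Three constructed buffers against the allocation base seen in this report.
    for base, relocs in ((0x400000, False), (0x400000, True), (0x410000, False)):
        info = triage_injected_buffer(build_minimal_pe(base, with_relocs=relocs), 0x410000)
        print(hex(base), relocs, "needs_reloc=%s problem=%s" % (info["needs_relocation"], info["relocation_problem"]))
```

A buffer that reports relocation_problem is still worth keeping: some injectors write a pre-relocated image or patch addresses after the write, so treat the flag as a prompt to diff the buffer against the on-disk original rather than as proof of a broken payload.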

Stealing of Sensitive Information

Source: Yara match File source: EKAHephXb2.exe, type: SAMPLE
Source: Yara match File source: 0.2.EKAHephXb2.exe.7ff6cc510000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.EKAHephXb2.exe.7ff6cc510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1831653920.00007FF6CD034000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1357843651.00007FF6CD034000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EKAHephXb2.exe PID: 7256, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 3.2.BitLockerToGo.exe.410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.EKAHephXb2.exe.c000830000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EKAHephXb2.exe.145e31a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.BitLockerToGo.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.EKAHephXb2.exe.c0007da000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.EKAHephXb2.exe.c000830000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.EKAHephXb2.exe.c0009f8000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EKAHephXb2.exe.145e3200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.EKAHephXb2.exe.c0009f8000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EKAHephXb2.exe.145e31a0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EKAHephXb2.exe.145e3200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1798475742.00000145E3200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1822185696.00000145E31A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1826819388.000000C0009F8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1826819388.000000C000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
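The eight .shop hostnames recorded under HIPS / PFW / Operating System Protection Evasion above were found at run time in the parent's memory region 000000C000800000, a Go heap that also holds module paths (github.com/saferwall/pe, github.com/xo/terminfo, net/addrselect.go) and runtime messages full of dots, so a naive domain regex over such memory returns mostly toolchain noise. The Python below is an added example, not part of this report or of any Lumma tooling: it extracts printable runs, keeps only dotted tokens that are not path, identifier or file-extension fragments, drops known developer hosts, and turns the survivors into Suricata dns.query rules. SAMPLE_DUMP is a constructed blob mixing a few of the strings quoted in this report; BENIGN_HOSTS, FILE_EXTENSIONS and the sid range starting at 9000001 are assumptions to adjust per environment.

```python
import re

# Constructed memory blob (not a real dump): Go module paths and runtime
# messages of the kind listed in this report, mixed with stealer-style hostnames.
SAMPLE_DUMP = (
    b"\x00\x00github.com/saferwall/pe@v1.5.4/loadconfig.go\x00"
    b"net/addrselect.go\x00runtime: VirtualQuery failed; errno=\x00"
    b"\x01\x02tryyudjasudqo.shop\x00\x00eemmbryequo.shop\x00"
    b"github.com/xo/terminfo@v0.0.0-20210125001918-ca9a967f8778/load.go\x00"
    b"reggwardssdqw.shop\x00bytes.Reader.ReadAt: negative offset\x00"
    b"https://licenseodqwmqn.shop/api\x00"
    b"Hyper-V RAW%SystemRoot%\\system32\\mswsock.dll\x00"
    b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\x00"
)

# Assumed allow-list: hosts every Go build embeds through module paths.
BENIGN_HOSTS = {"github.com", "golang.org", "google.golang.org", "gopkg.in"}
# Assumed deny-list of "TLDs" that are really file extensions inside binaries.
FILE_EXTENSIONS = {"go", "dll", "exe", "sys", "pdb", "dat", "txt", "log", "py"}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# A hostname may not continue a path, e-mail address or identifier (lookbehind)
# and must end at a word boundary (lookahead). Lowercase only, so Go identifiers
# such as bytes.Reader.ReadAt are rejected.
HOSTNAME = re.compile(
    r"(?<![\w.\\/@-])((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24})(?![\w-])"
)


def extract_hostnames(blob):
    """Return candidate C2 hostnames from a raw memory or file blob, first-seen order."""
    seen, hosts = set(), []
    for run in ASCII_RUN.findall(blob):
        text = re.sub(r"https?://", " ", run.decode("ascii"))   # let URL hosts start a token
        for host in HOSTNAME.findall(text):
            tld = host.rsplit(".", 1)[1]
            if host in seen or host in BENIGN_HOSTS or tld in FILE_EXTENSIONS:
                continue
            seen.add(host)
            hosts.append(host)
    return hosts


def suricata_dns_rules(hosts, sid_base=9000001):
    """One exact-length dns.query rule per host; the sid range is an assumption."""
    return [
        'alert dns any any -> any any (msg:"Stealer C2 domain %s"; dns.query; '
        'content:"%s"; nocase; bsize:%d; sid:%d; rev:1;)' % (h, h, len(h), sid_base + i)
        for i, h in enumerate(hosts)
    ]


if __name__ == "__main__":
    found = extract_hostnames(SAMPLE_DUMP)
    print("\n".join(found))
    print("\n".join(suricata_dns_rules(found)))
```

Run it over a full process dump rather than the sample file: the report places these strings in a runtime memory region, not in the static binary, so a strings pass on EKAHephXb2.exe on disk will not surface them.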

Remote Access Functionality

Source: Yara match File source: EKAHephXb2.exe, type: SAMPLE
Source: Yara match File source: 0.2.EKAHephXb2.exe.7ff6cc510000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.EKAHephXb2.exe.7ff6cc510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1831653920.00007FF6CD034000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1357843651.00007FF6CD034000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EKAHephXb2.exe PID: 7256, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 3.2.BitLockerToGo.exe.410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.EKAHephXb2.exe.c000830000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EKAHephXb2.exe.145e31a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.BitLockerToGo.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.EKAHephXb2.exe.c0007da000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.EKAHephXb2.exe.c000830000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.EKAHephXb2.exe.c0009f8000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EKAHephXb2.exe.145e3200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.EKAHephXb2.exe.c0009f8000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EKAHephXb2.exe.145e31a0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.EKAHephXb2.exe.145e3200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1826819388.000000C000830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1798475742.00000145E3200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1847888919.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1822185696.00000145E31A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1826819388.000000C0009F8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1826819388.000000C000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY