Windows Analysis Report
SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
Analysis ID: 1519702
MD5: aaf6f0c0f007e9462c8bf58acd555caf
SHA1: 0125e82a9f1ec4297c6d3bf8f541882b5531f5f6
SHA256: 927f2074ad7b76b46535cc94eb1fb357e528258dd0e55d828decb5ff5e70d2b9
Tags: exe
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Drops large PE files
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: https://fragnantbui.shop/apip Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/O9 Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/0 Avira URL Cloud: Label: malware
Source: stogeneratmns.shop Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop//O9 Avira URL Cloud: Label: malware
Source: reinforcenh.shop Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/api Avira URL Cloud: Label: malware
Source: https://gutterydhowi.shop/ Avira URL Cloud: Label: malware
Source: ghostreedmnu.shop Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/ Avira URL Cloud: Label: malware
Source: https://ghostreedmnu.shop/ Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/api Avira URL Cloud: Label: malware
Source: fragnantbui.shop Avira URL Cloud: Label: malware
Source: drawzhotdog.shop Avira URL Cloud: Label: malware
Source: offensivedzvju.shop Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/api Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/g9 Avira URL Cloud: Label: malware
Source: vozmeatillu.shop Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/apip Avira URL Cloud: Label: malware
Source: https://drawzhotdog.shop/api Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop:443/api Avira URL Cloud: Label: malware
Source: https://gutterydhowi.shop/api Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/apiiU Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/ Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/ Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/7 Avira URL Cloud: Label: malware
Source: https://ghostreedmnu.shop/f Avira URL Cloud: Label: malware
Source: https://ballotnwu.site/api Avira URL Cloud: Label: malware
Found malware configuration
Source: 0.2.SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe.2500000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["offensivedzvju.shop", "fragnantbui.shop", "stogeneratmns.shop", "reinforcenh.shop", "vozmeatillu.shop", "gutterydhowi.shop", "ghostreedmnu.shop", "drawzhotdog.shop"], "Build id": "sG8pjw--MagooBR"}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe ReversingLabs: Detection: 18%
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String decryptor: reinforcenh.shop
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String decryptor: stogeneratmns.shop
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String decryptor: fragnantbui.shop
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String decryptor: drawzhotdog.shop
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String decryptor: vozmeatillu.shop
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String decryptor: offensivedzvju.shop
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String decryptor: ghostreedmnu.shop
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String decryptor: gutterydhowi.shop
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String decryptor: ghostreedmnu.shop
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String decryptor: sG8pjw--MagooBR
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.128.144:443 -> 192.168.2.4:49746 version: TLS 1.2

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.4:54940 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.4:60290 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.4:61718 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.4:54999 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.4:52289 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.4:53409 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.4:53798 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.4:49739 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.4:49736 -> 104.21.4.136:443
Source: Network traffic Suricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.4:49743 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.4:52359 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.4:49740 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.4:49738 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.4:49744 -> 172.67.208.139:443
Source: Network traffic Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.4:49741 -> 172.67.162.108:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49746 -> 172.67.128.144:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49746 -> 172.67.128.144:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49741 -> 172.67.162.108:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 172.67.162.108:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49738 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 104.21.4.136:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 104.21.4.136:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49740 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49740 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49744 -> 172.67.208.139:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49743 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 172.67.208.139:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49743 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49739 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 188.114.97.3:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: offensivedzvju.shop
Source: Malware configuration extractor URLs: fragnantbui.shop
Source: Malware configuration extractor URLs: stogeneratmns.shop
Source: Malware configuration extractor URLs: reinforcenh.shop
Source: Malware configuration extractor URLs: vozmeatillu.shop
Source: Malware configuration extractor URLs: gutterydhowi.shop
Source: Malware configuration extractor URLs: ghostreedmnu.shop
Source: Malware configuration extractor URLs: drawzhotdog.shop
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.4.136 104.21.4.136
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 172.67.162.108 172.67.162.108
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offensivedzvju.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vozmeatillu.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fragnantbui.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stogeneratmns.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: reinforcenh.shop
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ballotnwu.site
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ogle.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' htt equals www.youtube.com (Youtube)
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: om/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recap8| equals www.youtube.com (Youtube)
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' htt equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: ballotnwu.site
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr String found in binary or memory: http://piriform.com/go/app_cc_license_agreementPA
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr String found in binary or memory: http://piriform.com/go/app_cc_privacy_policy
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr String found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: AviraOculus.exe.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr String found in binary or memory: http://www.piriform.com/ccleaner
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dcd
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ballotnwu.site/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ballotnwu.site/api
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ballotnwu.site/cP
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ballotnwu.site/hP
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000BC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ballotnwu.site:443/apiprofiles/76561199724331900
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akam
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drawzhotdog.shop/api
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fragnantbui.shop/apip
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ghostreedmnu.shop/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ghostreedmnu.shop/f
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gutterydhowi.shop/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000C03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://offensivedzvju.shop/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://offensivedzvju.shop/1
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://offensivedzvju.shop/api
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recap8
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reinforcenh.shop/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reinforcenh.shop//O9
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reinforcenh.shop/7
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reinforcenh.shop/api
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reinforcenh.shop/apiiU
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reinforcenh.shop:443/api
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stogeneratmns.shop/api
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stogeneratmns.shop/g9
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vozmeatillu.shop/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vozmeatillu.shop/0
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vozmeatillu.shop/O9
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vozmeatillu.shop/api
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000C03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vozmeatillu.shop/apip
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.128.144:443 -> 192.168.2.4:49746 version: TLS 1.2

System Summary
barindex
Drops large PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe File dump: AviraOculus.exe.0.dr 976635604 Jump to dropped file
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_004B323E NtQueryDefaultLocale, 0_2_004B323E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_004B3B60 NtQueryDefaultLocale, 0_2_004B3B60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_004B4040 NtQueryDefaultLocale, 0_2_004B4040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_004B305B NtQueryDefaultLocale, 0_2_004B305B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_004B3462 NtQueryDefaultLocale, 0_2_004B3462
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_004B3C30 NtQueryDefaultLocale, 0_2_004B3C30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_004B3CFF NtQueryDefaultLocale, 0_2_004B3CFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_004B30F3 NtQueryDefaultLocale, 0_2_004B30F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_004B3553 NtQueryDefaultLocale, 0_2_004B3553
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_004B3DAB NtQueryDefaultLocale, 0_2_004B3DAB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087A9F1 DebugActiveProcessStop,NtCreateThreadEx, 0_2_0087A9F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087C4CF NtCreateThreadEx, 0_2_0087C4CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087D018 NtCreateThreadEx, 0_2_0087D018
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087C46D NtCreateThreadEx, 0_2_0087C46D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0085C99A NtCreateThreadEx, 0_2_0085C99A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087D131 NtCreateThreadEx, 0_2_0087D131
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0085D168 NtCreateThreadEx, 0_2_0085D168
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087D3AC NtCreateThreadEx, 0_2_0087D3AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087CBD0 NtCreateThreadEx, 0_2_0087CBD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087C7FF NtCreateThreadEx, 0_2_0087C7FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087C37E NtCreateThreadEx, 0_2_0087C37E
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_004B323E 0_2_004B323E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_004BAB04 0_2_004BAB04
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_004A6168 0_2_004A6168
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_004A560A 0_2_004A560A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_004A56E8 0_2_004A56E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_004A636A 0_2_004A636A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833816 0_2_00833816
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082ED6C 0_2_0082ED6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00834097 0_2_00834097
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_008330B1 0_2_008330B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_008338B1 0_2_008338B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082F4C8 0_2_0082F4C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_008334C9 0_2_008334C9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_008338E3 0_2_008338E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833CFB 0_2_00833CFB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833C0D 0_2_00833C0D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082F816 0_2_0082F816
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833830 0_2_00833830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00834040 0_2_00834040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00834072 0_2_00834072
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00834986 0_2_00834986
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833DB2 0_2_00833DB2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833DCD 0_2_00833DCD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082F9E3 0_2_0082F9E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082FDF5 0_2_0082FDF5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833908 0_2_00833908
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082F90E 0_2_0082F90E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833D21 0_2_00833D21
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082F946 0_2_0082F946
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833553 0_2_00833553
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082F566 0_2_0082F566
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833680 0_2_00833680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833E8E 0_2_00833E8E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082FA94 0_2_0082FA94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082FAA5 0_2_0082FAA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082EEAD 0_2_0082EEAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_008332B5 0_2_008332B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082F6C3 0_2_0082F6C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082FAC8 0_2_0082FAC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_008342C8 0_2_008342C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082EECE 0_2_0082EECE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_008336DA 0_2_008336DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_008346DA 0_2_008346DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833EF3 0_2_00833EF3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082FA69 0_2_0082FA69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0083366E 0_2_0083366E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082FE76 0_2_0082FE76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833B8F 0_2_00833B8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833793 0_2_00833793
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082FB99 0_2_0082FB99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082F7E4 0_2_0082F7E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082F3FC 0_2_0082F3FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_008337FD 0_2_008337FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833F0C 0_2_00833F0C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833315 0_2_00833315
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082FF1D 0_2_0082FF1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833F27 0_2_00833F27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082F333 0_2_0082F333
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833336 0_2_00833336
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833B39 0_2_00833B39
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082FB42 0_2_0082FB42
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00834B5B 0_2_00834B5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0082FB74 0_2_0082FB74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00833B7E 0_2_00833B7E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0083C123 0_2_0083C123
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0083E752 0_2_0083E752
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0084536D 0_2_0084536D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0084559A 0_2_0084559A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_008456F6 0_2_008456F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00845410 0_2_00845410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00845531 0_2_00845531
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0084565F 0_2_0084565F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087A9F1 0_2_0087A9F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0086E5FA 0_2_0086E5FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0086BEA0 0_2_0086BEA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087920C 0_2_0087920C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0086DB31 0_2_0086DB31
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087C4CF 0_2_0087C4CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087E417 0_2_0087E417
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087BC13 0_2_0087BC13
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087D018 0_2_0087D018
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087A84D 0_2_0087A84D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0086BC58 0_2_0086BC58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087A467 0_2_0087A467
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087C46D 0_2_0087C46D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00866473 0_2_00866473
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00864D8B 0_2_00864D8B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_008655AD 0_2_008655AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0086E9C4 0_2_0086E9C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087BDD7 0_2_0087BDD7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087B5D9 0_2_0087B5D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_008799E4 0_2_008799E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0085B9F6 0_2_0085B9F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087BD0E 0_2_0087BD0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087B509 0_2_0087B509
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0086352E 0_2_0086352E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00855D31 0_2_00855D31
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087D131 0_2_0087D131
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0086D945 0_2_0086D945
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087A94E 0_2_0087A94E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00866977 0_2_00866977
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087AE8E 0_2_0087AE8E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00863AC8 0_2_00863AC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087B2D3 0_2_0087B2D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00879ED3 0_2_00879ED3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00859AF2 0_2_00859AF2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0085B610 0_2_0085B610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087A219 0_2_0087A219
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0085BA29 0_2_0085BA29
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0085BA32 0_2_0085BA32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00867A51 0_2_00867A51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00866386 0_2_00866386
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00852786 0_2_00852786
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00869789 0_2_00869789
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087DB88 0_2_0087DB88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00863B94 0_2_00863B94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00878B99 0_2_00878B99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087D3AC 0_2_0087D3AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087CBD0 0_2_0087CBD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087B7DA 0_2_0087B7DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087C7FF 0_2_0087C7FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00879B09 0_2_00879B09
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0085A33F 0_2_0085A33F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0087C37E 0_2_0087C37E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0086D37A 0_2_0086D37A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0089A2D1 0_2_0089A2D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_008AC0B3 0_2_008AC0B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0088801C 0_2_0088801C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0089743B 0_2_0089743B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00897047 0_2_00897047
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0089685E 0_2_0089685E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00896DBE 0_2_00896DBE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00897506 0_2_00897506
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0089751E 0_2_0089751E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0089597E 0_2_0089597E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00897AC8 0_2_00897AC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_008ABEC8 0_2_008ABEC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_008AC640 0_2_008AC640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00895B80 0_2_00895B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0089A7B6 0_2_0089A7B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_008997CE 0_2_008997CE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_008967C5 0_2_008967C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00898BD0 0_2_00898BD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00896305 0_2_00896305
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00898369 0_2_00898369
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0089777C 0_2_0089777C
PE file contains executable resources (Code or Archives)
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Static PE information: Resource name: BRANDING type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: AviraOculus.exe.0.dr Static PE information: Resource name: BRANDING type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000000.1670551878.0000000000693000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamebranding.dll\ vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887265093.00000000026D7000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamebranding.dll\ vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000000.1670643348.0000000000767000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameStarlight SoftwaresH( vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1886487919.00000000007D0000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameStarlight SoftwaresH( vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887265093.00000000029D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStarlight SoftwaresH( vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000000.1670643348.00000000006F7000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamebranding.dll\ vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1841998884.0000000002870000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStarlight SoftwaresH( vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1841998884.0000000002577000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamebranding.dll\ vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Binary or memory string: OriginalFilenamebranding.dll\ vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Binary or memory string: OriginalFilenameStarlight SoftwaresH( vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/1@10/7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe File created: C:\Users\user\Music\AviraUpdater Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe String found in binary or memory: FileKey1=%CommonAppData%\Photodex\ProShow|photodex-presenter-install.log
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe String found in binary or memory: FileKey2=%CommonAppData%\Photodex\ProShow Producer|photodex-presenter-install.log
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: k7rn7l32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: ntd3ll.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Section loaded: dpapi.dll Jump to behavior
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Static file information: File size 4547072 > 1048576
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Static PE information: section name: RT_CURSOR
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Static PE information: section name: RT_BITMAP
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Static PE information: section name: RT_ICON
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Static PE information: section name: RT_MENU
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Static PE information: section name: RT_DIALOG
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Static PE information: section name: RT_STRING
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Static PE information: section name: RT_ACCELERATOR
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Static PE information: section name: RT_GROUP_ICON
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x28f800
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1b6400
PE file contains an invalid checksum
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Static PE information: real checksum: 0x3bbe17 should be: 0x456a52
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Static PE information: section name: .didata
Source: AviraOculus.exe.0.dr Static PE information: section name: .didata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00856882 pushad ; retf 0_2_00856893
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00856898 pushad ; retf 0_2_00856899
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00856D9B push esp; retf 0_2_00856D9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00856DAA push eax; retf 0_2_00856DAB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00856D36 push esp; retf 0_2_00856D3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_0085529B pushfd ; retf 0_2_0085529D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00855301 pushfd ; retf 0_2_00855303
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00856F53 push eax; retf 0_2_00856F55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00889C6A push esp; iretd 0_2_00889C6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00889C63 push esp; iretd 0_2_00889C65
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00889C78 push eax; iretd 0_2_00889C7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Code function: 0_2_00889C73 push eax; iretd 0_2_00889C74
Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe File created: C:\Users\user\Music\AviraUpdater\AviraOculus.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OculusAvira Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OculusAvira Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Dropped PE file which has not been started: C:\Users\user\Music\AviraUpdater\AviraOculus.exe Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe API coverage: 9.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe TID: 1508 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966172474.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW4
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe" Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe base: 8B0000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: reinforcenh.shop
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: stogeneratmns.shop
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: fragnantbui.shop
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: drawzhotdog.shop
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: vozmeatillu.shop
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: offensivedzvju.shop
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: ghostreedmnu.shop
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: gutterydhowi.shop
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887265093.000000000296F000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000000.1670643348.0000000000706000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1841998884.000000000280F000.00000004.00000800.00020000.00000000.sdmp, AviraOculus.exe.0.dr Binary or memory string: DetectFile1=%ProgramFiles%\Malwarebytes' Anti-Malware\mbam.exe
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887265093.000000000296F000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000000.1670643348.0000000000706000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1841998884.000000000280F000.00000004.00000800.00020000.00000000.sdmp, AviraOculus.exe.0.dr Binary or memory string: DetectFile2=%ProgramFiles%\Malwarebytes Anti-Malware\mbam.exe

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe.2500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe.2500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1886487919.00000000007D0000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe.2500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe.2500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1886487919.00000000007D0000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1519702 Sample: SecuriteInfo.com.Trojan.Win... Startdate: 26/09/2024 Architecture: WINDOWS Score: 100 16 vozmeatillu.shop 2->16 18 stogeneratmns.shop 2->18 20 8 other IPs or domains 2->20 28 Suricata IDS alerts for network traffic 2->28 30 Found malware configuration 2->30 32 Antivirus detection for URL or domain 2->32 34 4 other signatures 2->34 7 SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe 1 2 2->7         started        signatures3 process4 file5 14 C:\Users\user\Music\...\AviraOculus.exe, PE32 7->14 dropped 36 Drops large PE files 7->36 38 Injects a PE file into a foreign processes 7->38 40 LummaC encrypted strings found 7->40 11 SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe 7->11         started        signatures6 process7 dnsIp8 22 gutterydhowi.shop 104.21.4.136, 443, 49736 CLOUDFLARENETUS United States 11->22 24 ballotnwu.site 172.67.128.144, 443, 49746 CLOUDFLARENETUS United States 11->24 26 5 other IPs or domains 11->26
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.4.136
 gutterydhowi.shop United States
13335 CLOUDFLARENETUS true
188.114.97.3
 fragnantbui.shop European Union
13335 CLOUDFLARENETUS true
172.67.162.108
 drawzhotdog.shop United States
13335 CLOUDFLARENETUS true
172.67.128.144
 ballotnwu.site United States
13335 CLOUDFLARENETUS true
188.114.96.3
 stogeneratmns.shop European Union
13335 CLOUDFLARENETUS true
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS false
172.67.208.139
 reinforcenh.shop United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
fragnantbui.shop 188.114.97.3 true
gutterydhowi.shop 104.21.4.136 true
steamcommunity.com 104.102.49.254 true
offensivedzvju.shop 188.114.97.3 true
stogeneratmns.shop 188.114.96.3 true
reinforcenh.shop 172.67.208.139 true
drawzhotdog.shop 172.67.162.108 true
ghostreedmnu.shop 188.114.97.3 true
vozmeatillu.shop 188.114.96.3 true
ballotnwu.site 172.67.128.144 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
stogeneratmns.shop true
  • Avira URL Cloud: malware
 unknown
reinforcenh.shop true
  • Avira URL Cloud: malware
 unknown
https://reinforcenh.shop/api true
  • Avira URL Cloud: malware
 unknown
ghostreedmnu.shop true
  • Avira URL Cloud: malware
 unknown
https://steamcommunity.com/profiles/76561199724331900 true
  • URL Reputation: malware
 unknown
https://vozmeatillu.shop/api true
  • Avira URL Cloud: malware
 unknown
fragnantbui.shop true
  • Avira URL Cloud: malware
 unknown
https://offensivedzvju.shop/api true
  • Avira URL Cloud: malware
 unknown
offensivedzvju.shop true
  • Avira URL Cloud: malware
 unknown
drawzhotdog.shop true
  • Avira URL Cloud: malware
 unknown
vozmeatillu.shop true
  • Avira URL Cloud: malware
 unknown
https://drawzhotdog.shop/api true
  • Avira URL Cloud: malware
 unknown
https://gutterydhowi.shop/api true
  • Avira URL Cloud: malware
 unknown
https://ballotnwu.site/api true
  • Avira URL Cloud: malware
 unknown