Windows Analysis Report
Loader.exe

Overview

General Information

Sample name: Loader.exe
Analysis ID: 1532242
MD5: cb50acc9b951b52306b95eaf8d4e2048
SHA1: fd087d7b18d9dd37cb68f811f72de6c0dbbbfd31
SHA256: 16fd5c981d6da5cbd47293b35b0dd26c756493fe3f88d5613810a2f9b5159b39
Tags: exeuser-aachum
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain checking for user administrative privileges
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Loader.exe Avira: detected
Antivirus detection for URL or domain
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges URL Reputation: Label: malware
Found malware configuration
Source: 3.2.Loader.exe.400000.1.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["condifendteu.sbs", "resinedyw.sbs", "drawwyobstacw.sbs", "enlargkiw.sbs", "ehticsprocw.sbs", "allocatinow.sbs", "vennurviot.sbs", "mathcucom.sbs", "widdensmoywi.sbs"], "Build id": "HpOoIh--@qjwo1"}
Multi AV Scanner detection for domain / URL
Source: vennurviot.sbs Virustotal: Detection: 16% Perma Link
Source: sergei-esenin.com Virustotal: Detection: 17% Perma Link
Multi AV Scanner detection for submitted file
Source: Loader.exe ReversingLabs: Detection: 42%
Source: Loader.exe Virustotal: Detection: 41% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.3% probability
Machine Learning detection for sample
Source: Loader.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: drawwyobstacw.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: condifendteu.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: ehticsprocw.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: vennurviot.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: resinedyw.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: enlargkiw.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: allocatinow.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: mathcucom.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: widdensmoywi.sbs
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000003.00000002.2304137041.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: HpOoIh--@qjwo1
Uses 32bit PE files
Source: Loader.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.8.37:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.249:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49761 version: TLS 1.2
Source: Loader.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001A9DAA FindFirstFileExW, 0_2_001A9DAA
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_001A9DAA FindFirstFileExW, 2_2_001A9DAA
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov byte ptr [edi], dl 0_2_001EE020
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov edi, dword ptr [esp+38h] 0_2_001E8070
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 0_2_001DC080
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then push 2CCA4B49h 0_2_001CC144
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edi, byte ptr [esi+ecx-43CF5BD5h] 0_2_001F02BA
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 87573896h 0_2_002042E0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp ecx 0_2_001EA3A5
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp byte ptr [ebx+eax], 00000000h 0_2_001DC3E0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 03BA5404h 0_2_001FE4F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov byte ptr [edi], cl 0_2_001EE56A
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h 0_2_001FE650
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp ecx 0_2_001DC673
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov edi, ecx 0_2_001CE672
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_001DE6E0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp eax 0_2_001CE7A8
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then push esi 0_2_001EA813
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+74h] 0_2_001F0892
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+74h] 0_2_001F0892
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], 62429966h 0_2_001FE9A0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 0_2_001EC9F2
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 0_2_001C4A90
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp dword ptr [0044EF6Ch] 0_2_001EAAD8
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [ecx+edi*8], FFFF4170h 0_2_00204B30
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 0_2_001EAB28
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-2D586584h] 0_2_001FABBD
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+312BE668h] 0_2_001FEBC0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 7B3AFDABh 0_2_001FEBC0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 0_2_001FCD00
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-0000008Dh] 0_2_001CAD60
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 53F09CFAh 0_2_001DCE13
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 0_2_001DCE13
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 0_2_001DCE13
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], C59B8BCBh 0_2_00204E00
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx ebp, word ptr [eax] 0_2_00204E00
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then lea eax, dword ptr [esp+48h] 0_2_001E8E5D
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov esi, dword ptr [esp+18h] 0_2_001BEF00
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-1Eh] 0_2_001CCFC0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then push eax 0_2_00200FD0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 731CDBF3h 0_2_001FEFE0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+5715E8D1h] 0_2_001FEFE0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_001ED1F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_001E31E2
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov ecx, ebx 0_2_001E31E2
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edx, byte ptr [edi+eax-17h] 0_2_001E31E2
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 0_2_001E5250
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 0_2_001E9400
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], C85F7986h 0_2_001E9400
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-3643ABD5h] 0_2_001EB430
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov edx, ecx 0_2_001E7490
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 0_2_001C35F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp eax 0_2_002017E4
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax+14h] 0_2_001CB7C0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edi, byte ptr [esp+ebx+04h] 0_2_001CB7C0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-73239D8Bh] 0_2_001E97F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_001F77F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 0_2_001ED800
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edi, byte ptr [ecx] 0_2_001CD843
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edx, byte ptr [ebp+esi-1Eh] 0_2_002018B5
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov eax, ebx 0_2_001CD8F6
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp word ptr [esi+ecx+02h], 0000h 0_2_001DFA3E
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h 0_2_00203B77
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp ecx 0_2_00203EC4
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h 0_2_001EBF45
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then lea edi, dword ptr [esp+04h] 0_2_001EBF45
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_001EBFD7
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov word ptr [esi], cx 0_2_001DFFF7
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp edi 0_2_00201FD2
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp eax 3_2_004438E4
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edx, byte ptr [ebp+esi-1Eh] 3_2_004439B5
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-2D586584h] 3_2_0043CCC5
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp edi 3_2_00443D4F
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-0000008Dh] 3_2_0040CE60
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h 3_2_0042E049
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then lea edi, dword ptr [esp+04h] 3_2_0042E049
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov esi, dword ptr [esp+18h] 3_2_00401000
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-1Eh] 3_2_0040F0C0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then push eax 3_2_004430D0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_0042E0D7
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 731CDBF3h 3_2_004410E0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+5715E8D1h] 3_2_004410E0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edi, byte ptr [esi+ecx-43CF5BD5h] 3_2_004320A3
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov byte ptr [edi], dl 3_2_00430120
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov byte ptr [edi], cl 3_2_00430120
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 3_2_0041E180
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then push 2CCA4B49h 3_2_0040E244
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov word ptr [eax], dx 3_2_004252E2
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov ecx, ebx 3_2_004252E2
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edx, byte ptr [edi+eax-17h] 3_2_004252E2
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp ecx 3_2_0042C2EE
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 3_2_0042F2F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h 3_2_004452A0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp ecx 3_2_004452A0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 3_2_00427350
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov edx, ecx 3_2_00429370
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov edi, dword ptr [esp+38h] 3_2_00429370
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 87573896h 3_2_004463E0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h 3_2_004453F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp ecx 3_2_004453F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp byte ptr [ebx+eax], 00000000h 3_2_0041E4E0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 3_2_0042B500
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], C85F7986h 3_2_0042B500
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov edx, ecx 3_2_00429500
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-3643ABD5h] 3_2_0042D530
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 03BA5404h 3_2_004405F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h 3_2_004455B0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp ecx 3_2_004455B0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp ecx 3_2_0041E670
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 3_2_004056F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h 3_2_00440750
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov edi, ecx 3_2_00410772
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h 3_2_00445700
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp ecx 3_2_00445700
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 3_2_0042E7C2
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_004207E0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h 3_2_004457F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp ecx 3_2_004457F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edi, byte ptr [ecx] 3_2_0040F819
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then mov eax, ebx 3_2_0040F819
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax+14h] 3_2_0040D8C0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edi, byte ptr [esp+ebx+04h] 3_2_0040D8C0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-73239D8Bh] 3_2_0042B8F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 3_2_004398F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp eax 3_2_004108A8
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 3_2_0042F900
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then push esi 3_2_0042C913
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+74h] 3_2_00432992
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+74h] 3_2_00432992
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp word ptr [esi+ecx+02h], 0000h 3_2_00421A60
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], 62429966h 3_2_00440AA0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h 3_2_00445B20
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp ecx 3_2_00445B20
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp dword ptr [0044EF6Ch] 3_2_0042CBDC
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 3_2_00406B90
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 3_2_0042CC28
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [ecx+edi*8], FFFF4170h 3_2_00446C30
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+312BE668h] 3_2_00440CC0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 7B3AFDABh 3_2_00440CC0
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then lea eax, dword ptr [esp+48h] 3_2_0042AD00
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then jmp ecx 3_2_00445E70
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 3_2_0043EE00
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 53F09CFAh 3_2_0041EE2E
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 3_2_0041EE2E
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 3_2_0041EE2E
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], C59B8BCBh 3_2_00446F00
Source: C:\Users\user\Desktop\Loader.exe Code function: 4x nop then movzx ebp, word ptr [eax] 3_2_00446F00

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056572 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (widdensmoywi .sbs) : 192.168.2.6:55988 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.6:50381 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.6:53786 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.6:50222 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.6:64493 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056573 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (widdensmoywi .sbs in TLS SNI) : 192.168.2.6:49710 -> 104.21.8.37:443
Source: Network traffic Suricata IDS: 2056567 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) : 192.168.2.6:49715 -> 104.21.33.249:443
Source: Network traffic Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.6:63149 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.6:51843 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.6:58354 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056565 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) : 192.168.2.6:49718 -> 172.67.205.156:443
Source: Network traffic Suricata IDS: 2056559 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) : 192.168.2.6:49732 -> 104.21.79.35:443
Source: Network traffic Suricata IDS: 2056571 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.6:50135 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056561 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) : 192.168.2.6:49721 -> 172.67.173.224:443
Source: Network traffic Suricata IDS: 2056563 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) : 192.168.2.6:49720 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2056557 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) : 192.168.2.6:49738 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49710 -> 104.21.8.37:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49710 -> 104.21.8.37:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49715 -> 104.21.33.249:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49715 -> 104.21.33.249:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49720 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49720 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49718 -> 172.67.205.156:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49718 -> 172.67.205.156:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49721 -> 172.67.173.224:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49721 -> 172.67.173.224:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49744 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49738 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49738 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49755 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49755 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49761 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49732 -> 104.21.79.35:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49732 -> 104.21.79.35:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49761 -> 172.67.206.204:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: condifendteu.sbs
Source: Malware configuration extractor URLs: resinedyw.sbs
Source: Malware configuration extractor URLs: drawwyobstacw.sbs
Source: Malware configuration extractor URLs: enlargkiw.sbs
Source: Malware configuration extractor URLs: ehticsprocw.sbs
Source: Malware configuration extractor URLs: allocatinow.sbs
Source: Malware configuration extractor URLs: vennurviot.sbs
Source: Malware configuration extractor URLs: mathcucom.sbs
Source: Malware configuration extractor URLs: widdensmoywi.sbs
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: widdensmoywi.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mathcucom.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enlargkiw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: resinedyw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vennurviot.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ehticsprocw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condifendteu.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawwyobstacw.sbs
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=P9r_mXsInYaSCDFf.Rj_aAUYNGZ0HMdPID1gWzVfqGI-1728765372-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: sergei-esenin.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: widdensmoywi.sbs
Source: global traffic DNS traffic detected: DNS query: mathcucom.sbs
Source: global traffic DNS traffic detected: DNS query: allocatinow.sbs
Source: global traffic DNS traffic detected: DNS query: enlargkiw.sbs
Source: global traffic DNS traffic detected: DNS query: resinedyw.sbs
Source: global traffic DNS traffic detected: DNS query: vennurviot.sbs
Source: global traffic DNS traffic detected: DNS query: ehticsprocw.sbs
Source: global traffic DNS traffic detected: DNS query: condifendteu.sbs
Source: global traffic DNS traffic detected: DNS query: drawwyobstacw.sbs
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: widdensmoywi.sbs
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178802585.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/
Source: Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/api
Source: Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/apis
Source: Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/piP
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178802585.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://enlargkiw.sbs/
Source: Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://enlargkiw.sbs/1w#U
Source: Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178802585.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://enlargkiw.sbs/api
Source: Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178802585.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://enlargkiw.sbs/api%U
Source: Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178802585.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://enlargkiw.sbs/apibs-
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/
Source: Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/api
Source: Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/api4
Source: Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs/
Source: Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs/1w#U
Source: Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs/api
Source: Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs/api%U
Source: Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs/api(
Source: Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs/v
Source: Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs:443/apii
Source: Loader.exe, 00000003.00000002.2304373806.0000000000D07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: Loader.exe, 00000003.00000002.2304373806.0000000000D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2249637998.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Loader.exe, 00000003.00000002.2304373806.0000000000D1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://widdensmoywi.sbs/api
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: Loader.exe, 00000003.00000003.2249637998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown HTTPS traffic detected: 104.21.8.37:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.249:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49761 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00436F40 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_00436F40
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00436F40 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_00436F40
Detected potential crypto function
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001EE020 0_2_001EE020
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001FA1A0 0_2_001FA1A0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001C6220 0_2_001C6220
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00202360 0_2_00202360
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001DA496 0_2_001DA496
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001D8496 0_2_001D8496
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001C84A0 0_2_001C84A0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_0019C62E 0_2_0019C62E
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001DE6E0 0_2_001DE6E0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00202770 0_2_00202770
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001F0892 0_2_001F0892
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001D4882 0_2_001D4882
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00204890 0_2_00204890
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001F4990 0_2_001F4990
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001ECA95 0_2_001ECA95
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00204B30 0_2_00204B30
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001E0B00 0_2_001E0B00
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001C8B60 0_2_001C8B60
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001F4C00 0_2_001F4C00
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00202C60 0_2_00202C60
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001CCC40 0_2_001CCC40
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001C4DD0 0_2_001C4DD0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00204E00 0_2_00204E00
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001C2E50 0_2_001C2E50
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00196E6F 0_2_00196E6F
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001D6F0F 0_2_001D6F0F
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001BEF00 0_2_001BEF00
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001EEFD9 0_2_001EEFD9
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001CCFC0 0_2_001CCFC0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001D2FC0 0_2_001D2FC0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001C8FF0 0_2_001C8FF0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001FEFE0 0_2_001FEFE0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001CF000 0_2_001CF000
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001A9074 0_2_001A9074
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_002050F0 0_2_002050F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001CF1A3 0_2_001CF1A3
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001F31D0 0_2_001F31D0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001BF1F3 0_2_001BF1F3
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001E31E2 0_2_001E31E2
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001EB227 0_2_001EB227
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001BF24E 0_2_001BF24E
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001D3397 0_2_001D3397
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001CB3D0 0_2_001CB3D0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001E1410 0_2_001E1410
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001E9400 0_2_001E9400
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001F3400 0_2_001F3400
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001BF437 0_2_001BF437
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001BF4B1 0_2_001BF4B1
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001E54B0 0_2_001E54B0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001BF502 0_2_001BF502
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001EF5CE 0_2_001EF5CE
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001C1670 0_2_001C1670
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001AD7A5 0_2_001AD7A5
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001C57D0 0_2_001C57D0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001CB7C0 0_2_001CB7C0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001ED800 0_2_001ED800
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001F9870 0_2_001F9870
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001C78F6 0_2_001C78F6
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001D99AE 0_2_001D99AE
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001DFA3E 0_2_001DFA3E
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001F9AD0 0_2_001F9AD0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_0019FB00 0_2_0019FB00
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001C9B00 0_2_001C9B00
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001E1B30 0_2_001E1B30
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00203B77 0_2_00203B77
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001CFB6A 0_2_001CFB6A
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001D9C73 0_2_001D9C73
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00191CD2 0_2_00191CD2
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00201E21 0_2_00201E21
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001ABE21 0_2_001ABE21
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00191F1A 0_2_00191F1A
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001A3F53 0_2_001A3F53
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001C7FE0 0_2_001C7FE0
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_001A9074 2_2_001A9074
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_0019FB00 2_2_0019FB00
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_00191CD2 2_2_00191CD2
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_0019C62E 2_2_0019C62E
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_001ABE21 2_2_001ABE21
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_00196E6F 2_2_00196E6F
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_00191F1A 2_2_00191F1A
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_001A3F53 2_2_001A3F53
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_001AD7A5 2_2_001AD7A5
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_004112A3 3_2_004112A3
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00443D4F 3_2_00443D4F
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00401000 3_2_00401000
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0041900F 3_2_0041900F
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0040F0C0 3_2_0040F0C0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_004150C0 3_2_004150C0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0040A0E0 3_2_0040A0E0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_004410E0 3_2_004410E0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0040B0F0 3_2_0040B0F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_004320A3 3_2_004320A3
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00411100 3_2_00411100
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00430120 3_2_00430120
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_004471F0 3_2_004471F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00420233 3_2_00420233
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_004352D0 3_2_004352D0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_004252E2 3_2_004252E2
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0042C2EE 3_2_0042C2EE
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_004012F3 3_2_004012F3
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0043C2A0 3_2_0043C2A0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_004452A0 3_2_004452A0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_004122B0 3_2_004122B0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0040134E 3_2_0040134E
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00429370 3_2_00429370
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00408320 3_2_00408320
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0042D327 3_2_0042D327
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_004453F0 3_2_004453F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00444460 3_2_00444460
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0040D4D0 3_2_0040D4D0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00415497 3_2_00415497
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0042B500 3_2_0042B500
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00429500 3_2_00429500
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00435500 3_2_00435500
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00423510 3_2_00423510
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0042D530 3_2_0042D530
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0041A596 3_2_0041A596
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0041C596 3_2_0041C596
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0040A5A0 3_2_0040A5A0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_004275B0 3_2_004275B0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_004455B0 3_2_004455B0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00401602 3_2_00401602
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_004316CE 3_2_004316CE
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00403770 3_2_00403770
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00428770 3_2_00428770
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00445700 3_2_00445700
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0042E7C2 3_2_0042E7C2
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_004207E0 3_2_004207E0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_004457F0 3_2_004457F0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00444870 3_2_00444870
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0040F819 3_2_0040F819
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0040D8C0 3_2_0040D8C0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_004078D0 3_2_004078D0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0042C8DA 3_2_0042C8DA
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0043B970 3_2_0043B970
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0042F900 3_2_0042F900
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0042C931 3_2_0042C931
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00416982 3_2_00416982
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00432992 3_2_00432992
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00446990 3_2_00446990
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00421A60 3_2_00421A60
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0041FAC9 3_2_0041FAC9
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0042BAF1 3_2_0042BAF1
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00436A90 3_2_00436A90
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0041BAAE 3_2_0041BAAE
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00445B20 3_2_00445B20
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0043BBD0 3_2_0043BBD0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00411C5B 3_2_00411C5B
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0040AC60 3_2_0040AC60
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00427C6E 3_2_00427C6E
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0040BC00 3_2_0040BC00
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00422C00 3_2_00422C00
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0043CC17 3_2_0043CC17
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00423C30 3_2_00423C30
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00446C30 3_2_00446C30
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0040ED40 3_2_0040ED40
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00444D60 3_2_00444D60
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00408D70 3_2_00408D70
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0041BD73 3_2_0041BD73
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0042AD00 3_2_0042AD00
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00436D00 3_2_00436D00
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00404E60 3_2_00404E60
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0041EE2E 3_2_0041EE2E
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00406ED0 3_2_00406ED0
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00446F00 3_2_00446F00
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Loader.exe Code function: String function: 0019B301 appears 32 times
Source: C:\Users\user\Desktop\Loader.exe Code function: String function: 001A35FA appears 34 times
Source: C:\Users\user\Desktop\Loader.exe Code function: String function: 001CA620 appears 99 times
Source: C:\Users\user\Desktop\Loader.exe Code function: String function: 0019D545 appears 42 times
Source: C:\Users\user\Desktop\Loader.exe Code function: String function: 0040C720 appears 70 times
Source: C:\Users\user\Desktop\Loader.exe Code function: String function: 001CBE70 appears 198 times
Source: C:\Users\user\Desktop\Loader.exe Code function: String function: 0040DF70 appears 198 times
Source: C:\Users\user\Desktop\Loader.exe Code function: String function: 00197760 appears 104 times
One or more processes crash
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 284
PE / OLE file has an invalid certificate
Source: Loader.exe Static PE information: invalid certificate
Uses 32bit PE files
Source: Loader.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Loader.exe Static PE information: Section: .data ZLIB complexity 0.9913109893578643
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/13@11/9
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_0043C754 CoCreateInstance,CoCreateInstance, 3_2_0043C754
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7096
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5200
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1d8f5f5e-7da6-4e0d-9db7-4cbc689c2b24 Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Command line argument: MZx 0_2_00192198
Source: C:\Users\user\Desktop\Loader.exe Command line argument: MZx 0_2_00192198
Source: C:\Users\user\Desktop\Loader.exe Command line argument: MZx 0_2_00192198
Source: Loader.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Loader.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Loader.exe ReversingLabs: Detection: 42%
Source: Loader.exe Virustotal: Detection: 41%
Source: C:\Users\user\Desktop\Loader.exe File read: C:\Users\user\Desktop\Loader.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 284
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 1884
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 1904
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe" Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe" Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: Loader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Loader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Loader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Loader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Loader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Loader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Loader.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Loader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Loader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Loader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Loader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Loader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Loader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
PE file contains an invalid checksum
Source: Loader.exe Static PE information: real checksum: 0x8f2e3 should be: 0x9c6d3
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00192198 push eax; ret 0_2_001922BF
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00196D75 push ecx; ret 0_2_00196D88
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_0020718D push esp; ret 0_2_0020718E
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_00192198 push eax; ret 2_2_001922BF
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_00196D75 push ecx; ret 2_2_00196D88
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00449C8D push esp; ret 3_2_00449C8E
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Loader.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain checking for user administrative privileges
Source: C:\Users\user\Desktop\Loader.exe Check user administrative privileges: IsUserAndAdmin, DecisionNode
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Loader.exe API coverage: 4.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Loader.exe TID: 612 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Loader.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001A9DAA FindFirstFileExW, 0_2_001A9DAA
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_001A9DAA FindFirstFileExW, 2_2_001A9DAA
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Loader.exe, 00000003.00000002.2304373806.0000000000D1C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178667434.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2188377647.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2169209036.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000002.2304373806.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2178802585.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000003.00000003.2168816833.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\Loader.exe API call chain: ExitProcess graph end node
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Loader.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Loader.exe Code function: 3_2_00443090 LdrInitializeThunk, 3_2_00443090
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_0019D1AF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0019D1AF
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00192198 mov edi, dword ptr fs:[00000030h] 0_2_00192198
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001AA937 mov eax, dword ptr fs:[00000030h] 0_2_001AA937
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001A0D89 mov ecx, dword ptr fs:[00000030h] 0_2_001A0D89
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_001AA937 mov eax, dword ptr fs:[00000030h] 2_2_001AA937
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_00192198 mov edi, dword ptr fs:[00000030h] 2_2_00192198
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_001A0D89 mov ecx, dword ptr fs:[00000030h] 2_2_001A0D89
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001ACF36 GetProcessHeap, 0_2_001ACF36
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_0019D1AF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0019D1AF
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_001971E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_001971E0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00197508 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00197508
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00197695 SetUnhandledExceptionFilter, 0_2_00197695
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_0019D1AF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0019D1AF
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_001971E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_001971E0
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_00197508 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00197508
Source: C:\Users\user\Desktop\Loader.exe Code function: 2_2_00197695 SetUnhandledExceptionFilter, 2_2_00197695

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Loader.exe Memory written: C:\Users\user\Desktop\Loader.exe base: 400000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: Loader.exe String found in binary or memory: drawwyobstacw.sbs
Source: Loader.exe String found in binary or memory: condifendteu.sbs
Source: Loader.exe String found in binary or memory: ehticsprocw.sbs
Source: Loader.exe String found in binary or memory: vennurviot.sbs
Source: Loader.exe String found in binary or memory: resinedyw.sbs
Source: Loader.exe String found in binary or memory: enlargkiw.sbs
Source: Loader.exe String found in binary or memory: allocatinow.sbs
Source: Loader.exe String found in binary or memory: mathcucom.sbs
Source: Loader.exe String found in binary or memory: widdensmoywi.sbs
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe" Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe" Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Loader.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_001AC370
Source: C:\Users\user\Desktop\Loader.exe Code function: EnumSystemLocalesW, 0_2_001AC612
Source: C:\Users\user\Desktop\Loader.exe Code function: EnumSystemLocalesW, 0_2_001AC65D
Source: C:\Users\user\Desktop\Loader.exe Code function: EnumSystemLocalesW, 0_2_001AC6F8
Source: C:\Users\user\Desktop\Loader.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_001AC783
Source: C:\Users\user\Desktop\Loader.exe Code function: GetLocaleInfoW, 0_2_001AC9D6
Source: C:\Users\user\Desktop\Loader.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_001ACAFF
Source: C:\Users\user\Desktop\Loader.exe Code function: GetLocaleInfoW, 0_2_001ACC05
Source: C:\Users\user\Desktop\Loader.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_001ACCD4
Source: C:\Users\user\Desktop\Loader.exe Code function: EnumSystemLocalesW, 0_2_001A3366
Source: C:\Users\user\Desktop\Loader.exe Code function: GetLocaleInfoW, 0_2_001A3810
Source: C:\Users\user\Desktop\Loader.exe Code function: GetLocaleInfoW, 2_2_001A3810
Source: C:\Users\user\Desktop\Loader.exe Code function: GetLocaleInfoW, 2_2_001AC9D6
Source: C:\Users\user\Desktop\Loader.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_001ACAFF
Source: C:\Users\user\Desktop\Loader.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 2_2_001AC370
Source: C:\Users\user\Desktop\Loader.exe Code function: EnumSystemLocalesW, 2_2_001A3366
Source: C:\Users\user\Desktop\Loader.exe Code function: GetLocaleInfoW, 2_2_001ACC05
Source: C:\Users\user\Desktop\Loader.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_001ACCD4
Source: C:\Users\user\Desktop\Loader.exe Code function: EnumSystemLocalesW, 2_2_001AC612
Source: C:\Users\user\Desktop\Loader.exe Code function: EnumSystemLocalesW, 2_2_001AC65D
Source: C:\Users\user\Desktop\Loader.exe Code function: EnumSystemLocalesW, 2_2_001AC6F8
Source: C:\Users\user\Desktop\Loader.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_001AC783
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Loader.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00197402 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00197402
Source: C:\Users\user\Desktop\Loader.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1532242 Sample: Loader.exe Startdate: 12/10/2024 Architecture: WINDOWS Score: 100 30 widdensmoywi.sbs 2->30 32 vennurviot.sbs 2->32 34 9 other IPs or domains 2->34 42 Multi AV Scanner detection for domain / URL 2->42 44 Suricata IDS alerts for network traffic 2->44 46 Found malware configuration 2->46 48 9 other signatures 2->48 8 Loader.exe 2->8         started        signatures3 process4 signatures5 50 Injects a PE file into a foreign processes 8->50 52 Found evasive API chain checking for user administrative privileges 8->52 11 Loader.exe 8->11         started        14 WerFault.exe 22 16 8->14         started        17 Loader.exe 8->17         started        process6 dnsIp7 36 enlargkiw.sbs 104.21.33.249, 443, 49715 CLOUDFLARENETUS United States 11->36 38 condifendteu.sbs 104.21.79.35, 443, 49732 CLOUDFLARENETUS United States 11->38 40 7 other IPs or domains 11->40 19 WerFault.exe 16 11->19         started        22 WerFault.exe 2 16 11->22         started        28 C:\ProgramData\Microsoft\...\Report.wer, Unicode 14->28 dropped file8 process9 file10 24 C:\ProgramData\Microsoft\...\Report.wer, data 19->24 dropped 26 C:\ProgramData\Microsoft\...\Report.wer, data 22->26 dropped
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.33.249
 enlargkiw.sbs United States
13335 CLOUDFLARENETUS true
172.67.173.224
 ehticsprocw.sbs United States
13335 CLOUDFLARENETUS true
188.114.96.3
 drawwyobstacw.sbs European Union
13335 CLOUDFLARENETUS true
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS true
172.67.205.156
 resinedyw.sbs United States
13335 CLOUDFLARENETUS true
172.67.140.193
 vennurviot.sbs United States
13335 CLOUDFLARENETUS true
104.21.79.35
 condifendteu.sbs United States
13335 CLOUDFLARENETUS true
104.21.8.37
 widdensmoywi.sbs United States
13335 CLOUDFLARENETUS true
172.67.206.204
 sergei-esenin.com United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
condifendteu.sbs 104.21.79.35 true
steamcommunity.com 104.102.49.254 true
vennurviot.sbs 172.67.140.193 true
drawwyobstacw.sbs 188.114.96.3 true
mathcucom.sbs 188.114.96.3 true
widdensmoywi.sbs 104.21.8.37 true
sergei-esenin.com 172.67.206.204 true
ehticsprocw.sbs 172.67.173.224 true
resinedyw.sbs 172.67.205.156 true
enlargkiw.sbs 104.21.33.249 true
allocatinow.sbs unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
enlargkiw.sbs true
    		unknown
    allocatinow.sbs true
      		unknown
      drawwyobstacw.sbs true
        		unknown
        https://widdensmoywi.sbs/api true
          		unknown
          mathcucom.sbs true
            		unknown
            https://steamcommunity.com/profiles/76561199724331900 true
            • URL Reputation: malware
            		 unknown
            https://vennurviot.sbs/api true
              		unknown
              ehticsprocw.sbs true
                		unknown
                condifendteu.sbs true
                  		unknown
                  https://drawwyobstacw.sbs/api true
                    		unknown
                    widdensmoywi.sbs true
                      		unknown
                      https://resinedyw.sbs/api true
                        		unknown
                        https://mathcucom.sbs/api true
                          		unknown
                          resinedyw.sbs true
                            		unknown
                            vennurviot.sbs true
                              		unknown
                              https://condifendteu.sbs/api true
                                		unknown
                                https://enlargkiw.sbs/api true
                                  		unknown
                                  https://sergei-esenin.com/api true
                                    		unknown
                                    https://ehticsprocw.sbs/api true
                                      		unknown