Windows
Analysis Report
NhWAWEhCi7.exe
Overview
General Information
Sample name: | NhWAWEhCi7.exerenamed because original name is a hash value |
Original sample name: | 1409b5a7ac2a6be45fa954730b058da4.exe |
Analysis ID: | 1465150 |
MD5: | 1409b5a7ac2a6be45fa954730b058da4 |
SHA1: | 00eab66887ff6ff4d6325d8a0e74adb624faf6de |
SHA256: | 1e7fb39c52ba502920d98374e0cdf8a2447c737bd0b88c06839e81be3a751688 |
Tags: | DofoilexeSmokeLoader |
Infos: | |
Detection
LummaC, SmokeLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected LummaC Stealer
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
NhWAWEhCi7.exe (PID: 7256 cmdline:
"C:\Users\ user\Deskt op\NhWAWEh Ci7.exe" MD5: 1409B5A7AC2A6BE45FA954730B058DA4) explorer.exe (PID: 2580 cmdline:
C:\Windows \Explorer. EXE MD5: 662F4F92FDE3557E86D110526BB578D5) 9FC5.exe (PID: 7716 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\9FC5.ex e MD5: BD2EAC64CBDED877608468D86786594A) D57C.exe (PID: 7824 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\D57C.ex e MD5: 60172CA946DE57C3529E9F05CC502870) setup.exe (PID: 6848 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\setup. exe" MD5: FF2293FBFF53F4BD2BFF91780FABFD60) GamePall.exe (PID: 3524 cmdline:
C:\Users\u ser\AppDat a\Roaming\ GamePall\G amePall.ex e MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6576 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =gpu-proce ss --no-sa ndbox --lo g-severity =disable - -user-agen t="Mozilla /5.0 (Maci ntosh; CPU OS 17_5_1 like Mac OS X) Appl eWebKit/60 5.1.15 (KH TML, like Gecko) Ver sion/17.5. 1 Mobile/1 5E148 Safa ri/604.1" --lang=en- US --user- data-dir=" C:\Users\u ser\AppDat a\Local\CE F\User Dat a" --gpu-p references =WAAAAAAAA ADgAAAMAAA AAAAAAAAAA AAAAABgAAA AAAA4AAAAA AAAAAAAAAA EAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAGAA AAAAAAAAYA AAAAAAAAAg AAAAAAAAAC AAAAAAAAAA IAAAAAAAAA A== --log- file="C:\U sers\user\ AppData\Ro aming\Game Pall\debug .log" --mo jo-platfor m-channel- handle=317 6 --field- trial-hand le=3180,i, 1499813410 9693806898 ,132313831 7393721428 ,262144 -- disable-fe atures=Bac kForwardCa che,Calcul ateNativeW inOcclusio n,Document PictureInP ictureAPI /prefetch: 2 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6552 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =utility - -utility-s ub-type=st orage.mojo m.StorageS ervice --l ang=en-US --service- sandbox-ty pe=service --no-sand box --log- severity=d isable --u ser-agent= "Mozilla/5 .0 (Macint osh; CPU O S 17_5_1 l ike Mac OS X) AppleW ebKit/605. 1.15 (KHTM L, like Ge cko) Versi on/17.5.1 Mobile/15E 148 Safari /604.1" -- lang=en-US --user-da ta-dir="C: \Users\use r\AppData\ Local\CEF\ User Data" --log-fil e="C:\User s\user\App Data\Roami ng\GamePal l\debug.lo g" --mojo- platform-c hannel-han dle=3420 - -field-tri al-handle= 3180,i,149 9813410969 3806898,13 2313831739 3721428,26 2144 --dis able-featu res=BackFo rwardCache ,Calculate NativeWinO cclusion,D ocumentPic tureInPict ureAPI /pr efetch:8 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 7124 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =utility - -utility-s ub-type=ne twork.mojo m.NetworkS ervice --l ang=en-US --service- sandbox-ty pe=none -- no-sandbox --log-sev erity=disa ble --user -agent="Mo zilla/5.0 (Macintosh ; CPU OS 1 7_5_1 like Mac OS X) AppleWebK it/605.1.1 5 (KHTML, like Gecko ) Version/ 17.5.1 Mob ile/15E148 Safari/60 4.1" --lan g=en-US -- user-data- dir="C:\Us ers\user\A ppData\Loc al\CEF\Use r Data" -- log-file=" C:\Users\u ser\AppDat a\Roaming\ GamePall\d ebug.log" --mojo-pla tform-chan nel-handle =3784 --fi eld-trial- handle=318 0,i,149981 3410969380 6898,13231 3831739372 1428,26214 4 --disabl e-features =BackForwa rdCache,Ca lculateNat iveWinOccl usion,Docu mentPictur eInPicture API /prefe tch:8 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6304 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =renderer --log-seve rity=disab le --user- agent="Moz illa/5.0 ( Macintosh; CPU OS 17 _5_1 like Mac OS X) AppleWebKi t/605.1.15 (KHTML, l ike Gecko) Version/1 7.5.1 Mobi le/15E148 Safari/604 .1" --user -data-dir= "C:\Users\ user\AppDa ta\Local\C EF\User Da ta" --firs t-renderer -process - -no-sandbo x --log-fi le="C:\Use rs\user\Ap pData\Roam ing\GamePa ll\debug.l og" --lang =en-US --d evice-scal e-factor=1 --num-ras ter-thread s=2 --enab le-main-fr ame-before -activatio n --render er-client- id=6 --tim e-ticks-at -unix-epoc h=-1719821 616869761 --launch-t ime-ticks= 6013536112 --mojo-pl atform-cha nnel-handl e=4012 --f ield-trial -handle=31 80,i,14998 1341096938 06898,1323 1383173937 21428,2621 44 --disab le-feature s=BackForw ardCache,C alculateNa tiveWinOcc lusion,Doc umentPictu reInPictur eAPI /pref etch:1 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 1436 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =renderer --log-seve rity=disab le --user- agent="Moz illa/5.0 ( Macintosh; CPU OS 17 _5_1 like Mac OS X) AppleWebKi t/605.1.15 (KHTML, l ike Gecko) Version/1 7.5.1 Mobi le/15E148 Safari/604 .1" --user -data-dir= "C:\Users\ user\AppDa ta\Local\C EF\User Da ta" --no-s andbox --l og-file="C :\Users\us er\AppData \Roaming\G amePall\de bug.log" - -lang=en-U S --device -scale-fac tor=1 --nu m-raster-t hreads=2 - -enable-ma in-frame-b efore-acti vation --r enderer-cl ient-id=5 --time-tic ks-at-unix -epoch=-17 1982161686 9761 --lau nch-time-t icks=60135 52940 --mo jo-platfor m-channel- handle=409 2 --field- trial-hand le=3180,i, 1499813410 9693806898 ,132313831 7393721428 ,262144 -- disable-fe atures=Bac kForwardCa che,Calcul ateNativeW inOcclusio n,Document PictureInP ictureAPI /prefetch: 1 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3468 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 7488 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5264 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6472 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6924 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 7452 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3584 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6744 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6968 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 7448 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6092 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 732 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3120 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 4940 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 4584 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3844 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3872 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 7800 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6780 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 7004 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 7428 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5768 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 2112 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3192 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE)
bbehcjh (PID: 7648 cmdline:
C:\Users\u ser\AppDat a\Roaming\ bbehcjh MD5: 1409B5A7AC2A6BE45FA954730B058DA4)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. |
{"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}
{"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
| |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
Click to see the 11 entries |
System Summary |
---|
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Max Altgelt (Nextron Systems): |
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Registry value created: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Directory queried: |
Source: | Code function: | 9_2_00405B4A | |
Source: | Code function: | 9_2_004066FF | |
Source: | Code function: | 9_2_004027AA |
Networking |
---|
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 9_2_004055E7 |
Source: | Process created: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Process Stats: |
Source: | Code function: | 0_2_00401538 | |
Source: | Code function: | 0_2_00402FE9 | |
Source: | Code function: | 0_2_004014DE | |
Source: | Code function: | 0_2_00401496 | |
Source: | Code function: | 0_2_00401543 | |
Source: | Code function: | 0_2_00401565 | |
Source: | Code function: | 0_2_00401579 | |
Source: | Code function: | 0_2_0040157C | |
Source: | Code function: | 5_2_00401538 | |
Source: | Code function: | 5_2_00402FE9 | |
Source: | Code function: | 5_2_004014DE | |
Source: | Code function: | 5_2_00401496 | |
Source: | Code function: | 5_2_00401543 | |
Source: | Code function: | 5_2_00401565 | |
Source: | Code function: | 5_2_00401579 | |
Source: | Code function: | 5_2_0040157C |
Source: | Code function: | 9_2_004034CC |
Source: | Code function: | 9_2_00406A88 | |
Source: | Code function: | 10_2_00EE4F58 | |
Source: | Code function: | 10_2_053E5F38 | |
Source: | Code function: | 10_2_053E6808 | |
Source: | Code function: | 10_2_053E57F0 | |
Source: | Code function: | 10_2_053E7A38 | |
Source: | Code function: | 10_2_053E7A28 | |
Source: | Code function: | 12_2_02BB1049 | |
Source: | Code function: | 13_2_02244F58 | |
Source: | Code function: | 13_2_02243860 | |
Source: | Code function: | 14_2_012A4E20 | |
Source: | Code function: | 14_2_012A1049 | |
Source: | Code function: | 16_2_01204F58 | |
Source: | Code function: | 16_2_01203860 | |
Source: | Code function: | 16_2_01201049 | |
Source: | Code function: | 18_2_031E4F58 | |
Source: | Code function: | 18_2_031E3860 | |
Source: | Code function: | 18_2_031E1049 | |
Source: | Code function: | 19_2_017B0EE4 | |
Source: | Code function: | 22_2_01124F58 | |
Source: | Code function: | 22_2_01123860 | |
Source: | Code function: | 29_2_01624F58 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: |
Source: | Base64 encoded string: |