Windows
Analysis Report
OBbrO5rwew.exe
Overview
General Information
Sample name: | OBbrO5rwew.exerenamed because original name is a hash value |
Original sample name: | bdcf37dcbb1947e5a3f6145d47fc67e8.exe |
Analysis ID: | 1466397 |
MD5: | bdcf37dcbb1947e5a3f6145d47fc67e8 |
SHA1: | cee0cf2eaf723c8980ce2f85b882f78be880da08 |
SHA256: | 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a |
Tags: | 32exe |
Infos: | |
Detection
LummaC, Poverty Stealer, SmokeLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected LummaC Stealer
Yara detected Poverty Stealer
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
OBbrO5rwew.exe (PID: 4712 cmdline:
"C:\Users\ user\Deskt op\OBbrO5r wew.exe" MD5: BDCF37DCBB1947E5A3F6145D47FC67E8) explorer.exe (PID: 1028 cmdline:
C:\Windows \Explorer. EXE MD5: 662F4F92FDE3557E86D110526BB578D5) 2391.exe (PID: 4164 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\2391.ex e MD5: BD2EAC64CBDED877608468D86786594A) 4CC4.exe (PID: 6448 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\4CC4.ex e MD5: 60172CA946DE57C3529E9F05CC502870) setup.exe (PID: 5304 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\setup. exe" MD5: FF2293FBFF53F4BD2BFF91780FABFD60) 77CD.exe (PID: 6208 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\77CD.ex e MD5: DA4B6F39FC024D2383D4BFE7F67F1EE1) GamePall.exe (PID: 2216 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE)
deetubv (PID: 5304 cmdline:
C:\Users\u ser\AppDat a\Roaming\ deetubv MD5: BDCF37DCBB1947E5A3F6145D47FC67E8) GamePall.exe (PID: 2584 cmdline:
C:\Users\u ser\AppDat a\Roaming\ GamePall\G amePall.ex e MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3472 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =gpu-proce ss --no-sa ndbox --lo g-severity =disable - -user-agen t="Mozilla /5.0 (Linu x; Android 9; SM-J73 0G) AppleW ebKit/537. 36 (KHTML, like Geck o) Chrome/ 126.0.6478 .122 Mobil e Safari/5 37.36" --l ang=en-US --user-dat a-dir="C:\ Users\user \AppData\L ocal\CEF\U ser Data" --gpu-pref erences=WA AAAAAAAADg AAAMAAAAAA AAAAAAAAAA AABgAAAAAA A4AAAAAAAA AAAAAAAEAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAGAAAAA AAAAAYAAAA AAAAAAgAAA AAAAAACAAA AAAAAAAIAA AAAAAAAA== --log-fil e="C:\User s\user\App Data\Roami ng\GamePal l\debug.lo g" --mojo- platform-c hannel-han dle=3400 - -field-tri al-handle= 3412,i,129 6340617067 9374430,90 9318394559 8996200,26 2144 --dis able-featu res=BackFo rwardCache ,Calculate NativeWinO cclusion,D ocumentPic tureInPict ureAPI /pr efetch:2 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 2128 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =utility - -utility-s ub-type=st orage.mojo m.StorageS ervice --l ang=en-US --service- sandbox-ty pe=service --no-sand box --log- severity=d isable --u ser-agent= "Mozilla/5 .0 (Linux; Android 9 ; SM-J730G ) AppleWeb Kit/537.36 (KHTML, l ike Gecko) Chrome/12 6.0.6478.1 22 Mobile Safari/537 .36" --lan g=en-US -- user-data- dir="C:\Us ers\user\A ppData\Loc al\CEF\Use r Data" -- log-file=" C:\Users\u ser\AppDat a\Roaming\ GamePall\d ebug.log" --mojo-pla tform-chan nel-handle =3976 --fi eld-trial- handle=341 2,i,129634 0617067937 4430,90931 8394559899 6200,26214 4 --disabl e-features =BackForwa rdCache,Ca lculateNat iveWinOccl usion,Docu mentPictur eInPicture API /prefe tch:8 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6000 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =utility - -utility-s ub-type=ne twork.mojo m.NetworkS ervice --l ang=en-US --service- sandbox-ty pe=none -- no-sandbox --log-sev erity=disa ble --user -agent="Mo zilla/5.0 (Linux; An droid 9; S M-J730G) A ppleWebKit /537.36 (K HTML, like Gecko) Ch rome/126.0 .6478.122 Mobile Saf ari/537.36 " --lang=e n-US --use r-data-dir ="C:\Users \user\AppD ata\Local\ CEF\User D ata" --log -file="C:\ Users\user \AppData\R oaming\Gam ePall\debu g.log" --m ojo-platfo rm-channel -handle=40 12 --field -trial-han dle=3412,i ,129634061 7067937443 0,90931839 4559899620 0,262144 - -disable-f eatures=Ba ckForwardC ache,Calcu lateNative WinOcclusi on,Documen tPictureIn PictureAPI /prefetch :8 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 576 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =renderer --log-seve rity=disab le --user- agent="Moz illa/5.0 ( Linux; And roid 9; SM -J730G) Ap pleWebKit/ 537.36 (KH TML, like Gecko) Chr ome/126.0. 6478.122 M obile Safa ri/537.36" --user-da ta-dir="C: \Users\use r\AppData\ Local\CEF\ User Data" --first-r enderer-pr ocess --no -sandbox - -log-file= "C:\Users\ user\AppDa ta\Roaming \GamePall\ debug.log" --lang=en -US --devi ce-scale-f actor=1 -- num-raster -threads=2 --enable- main-frame -before-ac tivation - -renderer- client-id= 6 --time-t icks-at-un ix-epoch=- 1719944520 561396 --l aunch-time -ticks=532 9031925 -- mojo-platf orm-channe l-handle=4 048 --fiel d-trial-ha ndle=3412, i,12963406 1706793744 30,9093183 9455989962 00,262144 --disable- features=B ackForward Cache,Calc ulateNativ eWinOcclus ion,Docume ntPictureI nPictureAP I /prefetc h:1 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 760 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =renderer --log-seve rity=disab le --user- agent="Moz illa/5.0 ( Linux; And roid 9; SM -J730G) Ap pleWebKit/ 537.36 (KH TML, like Gecko) Chr ome/126.0. 6478.122 M obile Safa ri/537.36" --user-da ta-dir="C: \Users\use r\AppData\ Local\CEF\ User Data" --no-sand box --log- file="C:\U sers\user\ AppData\Ro aming\Game Pall\debug .log" --la ng=en-US - -device-sc ale-factor =1 --num-r aster-thre ads=2 --en able-main- frame-befo re-activat ion --rend erer-clien t-id=5 --t ime-ticks- at-unix-ep och=-17199 4452056139 6 --launch -time-tick s=53290564 79 --mojo- platform-c hannel-han dle=4108 - -field-tri al-handle= 3412,i,129 6340617067 9374430,90 9318394559 8996200,26 2144 --dis able-featu res=BackFo rwardCache ,Calculate NativeWinO cclusion,D ocumentPic tureInPict ureAPI /pr efetch:1 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 2464 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 4164 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5528 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5416 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5756 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 2664 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6820 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3196 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 2508 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6560 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 2924 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3308 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 1776 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5992 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3860 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6168 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5708 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 4824 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5660 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 616 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE)
deetubv (PID: 5360 cmdline:
C:\Users\u ser\AppDat a\Roaming\ deetubv MD5: BDCF37DCBB1947E5A3F6145D47FC67E8)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. |
{"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "foodypannyjsud.shop"], "Build id": "bOKHNM--"}
{"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
{"C2 url": "146.70.169.164:2227"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
| |
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
| |
Click to see the 18 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
Click to see the 1 entries |
System Summary |
---|
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Max Altgelt (Nextron Systems): |
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: |
Source: | Code function: | 9_2_038D1C94 |
Source: | Static PE information: |
Source: | Registry value created: |
Source: | File opened: | Jump to behavior |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 8_2_00405B4A | |
Source: | Code function: | 8_2_004066FF | |
Source: | Code function: | 8_2_004027AA | |
Source: | Code function: | 9_2_00C424BD | |
Source: | Code function: | 9_2_038D1000 | |
Source: | Code function: | 9_2_038D4E27 | |
Source: | Code function: | 9_2_038D1D3C | |
Source: | Code function: | 9_2_038D40BA | |
Source: | Code function: | 9_2_038D3EFC |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Networking |
---|
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: |
Source: | Code function: | 9_2_00BD5B80 |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 8_2_004055E7 |
Source: | Code function: | 9_2_038D4BA2 |
Source: | Process created: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Process Stats: |
Source: | Code function: | 0_2_00401538 | |
Source: | Code function: | 0_2_00402FE9 | |
Source: | Code function: | 0_2_004014DE | |
Source: | Code function: | 0_2_00401496 | |
Source: | Code function: | 0_2_00401543 | |
Source: | Code function: | 0_2_00401565 | |
Source: | Code function: | 0_2_00401579 | |
Source: | Code function: | 0_2_0040157C | |
Source: | Code function: | 4_2_00401538 | |
Source: | Code function: | 4_2_00402FE9 | |
Source: | Code function: | 4_2_004014DE | |
Source: | Code function: | 4_2_00401496 | |
Source: | Code function: | 4_2_00401543 | |
Source: | Code function: | 4_2_00401565 | |
Source: | Code function: | 4_2_00401579 | |
Source: | Code function: | 4_2_0040157C | |
Source: | Code function: | 8_2_100010D0 |
Source: | Code function: | 8_2_004034CC |
Source: | Code function: | 8_2_00406A88 | |
Source: | Code function: | 9_2_00C31490 | |
Source: | Code function: | 9_2_00C3D515 | |
Source: | Code function: | 9_2_00C44775 | |
Source: | Code function: | 9_2_00C3BE09 |
Source: | Code function: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: |
Source: | Base64 encoded string: |