Windows
Analysis Report
37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe
Overview
General Information
Detection
LummaC, Poverty Stealer, SmokeLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected LummaC Stealer
Yara detected Poverty Stealer
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe (PID: 7260 cmdline:
"C:\Users\ user\Deskt op\37e6e5d 8b399fefb9 ae774516ff 6367e800c6 9a272e18a6 54bb84ccff 2d7c67a_du mp.exe" MD5: C280B435AE8E9BCF43B221DF43E9FC65) explorer.exe (PID: 2580 cmdline:
C:\Windows \Explorer. EXE MD5: 662F4F92FDE3557E86D110526BB578D5) DBD3.exe (PID: 7704 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\DBD3.ex e MD5: BD2EAC64CBDED877608468D86786594A) FD47.exe (PID: 7772 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\FD47.ex e MD5: 60172CA946DE57C3529E9F05CC502870) setup.exe (PID: 5236 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\setup. exe" MD5: FF2293FBFF53F4BD2BFF91780FABFD60) GamePall.exe (PID: 7564 cmdline:
C:\Users\u ser\AppDat a\Roaming\ GamePall\G amePall.ex e MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 1144 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =gpu-proce ss --no-sa ndbox --lo g-severity =disable - -user-agen t="Mozilla /5.0 (Linu x; Android 10; K) Ap pleWebKit/ 537.36 (KH TML, like Gecko) Chr ome/126.0. 6478.127 M obile Safa ri/537.36" --lang=en -US --user -data-dir= "C:\Users\ user\AppDa ta\Local\C EF\User Da ta" --gpu- preference s=WAAAAAAA AADgAAAMAA AAAAAAAAAA AAAAAABgAA AAAAA4AAAA AAAAAAAAAA AEAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAGA AAAAAAAAAY AAAAAAAAAA gAAAAAAAAA CAAAAAAAAA AIAAAAAAAA AA== --log -file="C:\ Users\user \AppData\R oaming\Gam ePall\debu g.log" --m ojo-platfo rm-channel -handle=33 00 --field -trial-han dle=3304,i ,194975133 2316853400 ,132272872 0675468314 3,262144 - -disable-f eatures=Ba ckForwardC ache,Calcu lateNative WinOcclusi on,Documen tPictureIn PictureAPI /prefetch :2 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5076 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =utility - -utility-s ub-type=st orage.mojo m.StorageS ervice --l ang=en-US --service- sandbox-ty pe=service --no-sand box --log- severity=d isable --u ser-agent= "Mozilla/5 .0 (Linux; Android 1 0; K) Appl eWebKit/53 7.36 (KHTM L, like Ge cko) Chrom e/126.0.64 78.127 Mob ile Safari /537.36" - -lang=en-U S --user-d ata-dir="C :\Users\us er\AppData \Local\CEF \User Data " --log-fi le="C:\Use rs\user\Ap pData\Roam ing\GamePa ll\debug.l og" --mojo -platform- channel-ha ndle=3972 --field-tr ial-handle =3304,i,19 4975133231 6853400,13 2272872067 54683143,2 62144 --di sable-feat ures=BackF orwardCach e,Calculat eNativeWin Occlusion, DocumentPi ctureInPic tureAPI /p refetch:8 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3052 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =utility - -utility-s ub-type=ne twork.mojo m.NetworkS ervice --l ang=en-US --service- sandbox-ty pe=none -- no-sandbox --log-sev erity=disa ble --user -agent="Mo zilla/5.0 (Linux; An droid 10; K) AppleWe bKit/537.3 6 (KHTML, like Gecko ) Chrome/1 26.0.6478. 127 Mobile Safari/53 7.36" --la ng=en-US - -user-data -dir="C:\U sers\user\ AppData\Lo cal\CEF\Us er Data" - -log-file= "C:\Users\ user\AppDa ta\Roaming \GamePall\ debug.log" --mojo-pl atform-cha nnel-handl e=3996 --f ield-trial -handle=33 04,i,19497 5133231685 3400,13227 2872067546 83143,2621 44 --disab le-feature s=BackForw ardCache,C alculateNa tiveWinOcc lusion,Doc umentPictu reInPictur eAPI /pref etch:8 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3632 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =renderer --log-seve rity=disab le --user- agent="Moz illa/5.0 ( Linux; And roid 10; K ) AppleWeb Kit/537.36 (KHTML, l ike Gecko) Chrome/12 6.0.6478.1 27 Mobile Safari/537 .36" --use r-data-dir ="C:\Users \user\AppD ata\Local\ CEF\User D ata" --fir st-rendere r-process --no-sandb ox --log-f ile="C:\Us ers\user\A ppData\Roa ming\GameP all\debug. log" --lan g=en-US -- device-sca le-factor= 1 --num-ra ster-threa ds=2 --ena ble-main-f rame-befor e-activati on --rende rer-client -id=6 --ti me-ticks-a t-unix-epo ch=-171995 8699492342 --launch- time-ticks =517116564 7 --mojo-p latform-ch annel-hand le=4028 -- field-tria l-handle=3 304,i,1949 7513323168 53400,1322 7287206754 683143,262 144 --disa ble-featur es=BackFor wardCache, CalculateN ativeWinOc clusion,Do cumentPict ureInPictu reAPI /pre fetch:1 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 7464 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =renderer --log-seve rity=disab le --user- agent="Moz illa/5.0 ( Linux; And roid 10; K ) AppleWeb Kit/537.36 (KHTML, l ike Gecko) Chrome/12 6.0.6478.1 27 Mobile Safari/537 .36" --use r-data-dir ="C:\Users \user\AppD ata\Local\ CEF\User D ata" --no- sandbox -- log-file=" C:\Users\u ser\AppDat a\Roaming\ GamePall\d ebug.log" --lang=en- US --devic e-scale-fa ctor=1 --n um-raster- threads=2 --enable-m ain-frame- before-act ivation -- renderer-c lient-id=5 --time-ti cks-at-uni x-epoch=-1 7199586994 92342 --la unch-time- ticks=5171 215235 --m ojo-platfo rm-channel -handle=41 64 --field -trial-han dle=3304,i ,194975133 2316853400 ,132272872 0675468314 3,262144 - -disable-f eatures=Ba ckForwardC ache,Calcu lateNative WinOcclusi on,Documen tPictureIn PictureAPI /prefetch :1 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 2344 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 7732 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 7112 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6264 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 4556 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 7008 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5576 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 1896 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5224 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3368 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5932 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5812 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 1028 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6260 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 7900 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6820 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 7164 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 2112 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3020 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 2484 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) 1B6E.exe (PID: 7888 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\1B6E.ex e MD5: DA4B6F39FC024D2383D4BFE7F67F1EE1) GamePall.exe (PID: 5124 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6332 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE)
etvjrtf (PID: 7568 cmdline:
C:\Users\u ser\AppDat a\Roaming\ etvjrtf MD5: C280B435AE8E9BCF43B221DF43E9FC65)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. |
{"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}
{"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
{"C2 url": "146.70.169.164:2227"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
| |
Click to see the 13 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
Click to see the 1 entries |
System Summary |
---|
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Max Altgelt (Nextron Systems): |
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 9_2_03CD1C94 |
Source: | Static PE information: |
Source: | Registry value created: | Jump to behavior |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Directory queried: |
Source: | Code function: | 7_2_00405B4A | |
Source: | Code function: | 7_2_004066FF | |
Source: | Code function: | 7_2_004027AA | |
Source: | Code function: | 9_2_00A924BD | |
Source: | Code function: | 11_2_00405B4A | |
Source: | Code function: | 11_2_004066FF | |
Source: | Code function: | 11_2_004027AA |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Networking |
---|
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: | ||
Source: | ASN Name: | ||
Source: | ASN Name: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 7_2_004055E7 |
Source: | Process created: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Process Stats: |
Source: | Code function: | 0_2_00401538 | |
Source: | Code function: | 0_2_00402FE9 | |
Source: | Code function: | 0_2_004014DE | |
Source: | Code function: | 0_2_00401496 | |
Source: | Code function: | 0_2_00401543 | |
Source: | Code function: | 0_2_00401565 | |
Source: | Code function: | 0_2_00401579 | |
Source: | Code function: | 0_2_0040157C | |
Source: | Code function: | 7_2_100010D0 |
Source: | Code function: | 7_2_004034CC | |
Source: | Code function: | 11_2_004034CC |
Source: | Code function: | 7_2_00406A88 | |
Source: | Code function: | 9_2_00A81490 | |
Source: | Code function: | 9_2_00A8D515 | |
Source: | Code function: | 9_2_00A94775 | |
Source: | Code function: | 9_2_00A8BE09 | |
Source: | Code function: | 11_2_00406A88 | |
Source: | Code function: | 12_2_02564F58 | |
Source: | Code function: | 12_2_02561049 | |
Source: | Code function: | 12_2_059F6608 | |
Source: | Code function: | 12_2_06A90790 | |
Source: | Code function: | 12_2_06A9D650 | |
Source: | Code function: | 12_2_63CE1D27 | |
Source: | Code function: | 12_2_635714C0 | |
Source: | Code function: | 12_2_63C44960 | |
Source: | Code function: | 12_2_63D37460 | |
Source: | Code function: | 12_2_63D37C50 | |
Source: | Code function: | 12_2_61E89120 | |
Source: | Code function: | 12_2_63CA4003 | |
Source: | Code function: | 12_2_61D342A0 |
Source: | Code function: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: |
Source: | Base64 encoded string: |