Windows
Analysis Report
SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe
Overview
General Information
Detection
LummaC, Poverty Stealer, SmokeLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected LummaC Stealer
Yara detected Poverty Stealer
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe (PID: 5884 cmdline:
"C:\Users\ user\Deskt op\Securit eInfo.com. W32.Trojan .FWF.gen.E ldorado.28 50.19434.e xe" MD5: 17CB739C8FD07235FD29FBAAB85E7777) explorer.exe (PID: 1028 cmdline:
C:\Windows \Explorer. EXE MD5: 662F4F92FDE3557E86D110526BB578D5) 53FF.exe (PID: 3176 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\53FF.ex e MD5: BD2EAC64CBDED877608468D86786594A) 7719.exe (PID: 2300 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\7719.ex e MD5: 60172CA946DE57C3529E9F05CC502870) setup.exe (PID: 6348 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\setup. exe" MD5: FF2293FBFF53F4BD2BFF91780FABFD60) GamePall.exe (PID: 1252 cmdline:
C:\Users\u ser\AppDat a\Roaming\ GamePall\G amePall.ex e MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 2920 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3948 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 4840 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 612 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3384 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 1356 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 1620 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5744 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 2324 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3352 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 2684 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 1020 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5516 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5816 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5308 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5740 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6572 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 4068 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =gpu-proce ss --no-sa ndbox --lo g-severity =disable - -user-agen t="Mozilla /5.0 (Linu x; Android 10; K) Ap pleWebKit/ 537.36 (KH TML, like Gecko) Chr ome/126.0. 6478.127 M obile Safa ri/537.36" --lang=en -US --user -data-dir= "C:\Users\ user\AppDa ta\Local\C EF\User Da ta" --gpu- preference s=WAAAAAAA AADgAAAMAA AAAAAAAAAA AAAAAABgAA AAAAA4AAAA AAAAAAAAAA AEAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAGA AAAAAAAAAY AAAAAAAAAA gAAAAAAAAA CAAAAAAAAA AIAAAAAAAA AA== --log -file="C:\ Users\user \AppData\R oaming\Gam ePall\debu g.log" --m ojo-platfo rm-channel -handle=39 24 --field -trial-han dle=3932,i ,154792306 8110307964 2,97009200 8260029416 ,262144 -- disable-fe atures=Bac kForwardCa che,Calcul ateNativeW inOcclusio n,Document PictureInP ictureAPI /prefetch: 2 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 3060 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =utility - -utility-s ub-type=st orage.mojo m.StorageS ervice --l ang=en-US --service- sandbox-ty pe=service --no-sand box --log- severity=d isable --u ser-agent= "Mozilla/5 .0 (Linux; Android 1 0; K) Appl eWebKit/53 7.36 (KHTM L, like Ge cko) Chrom e/126.0.64 78.127 Mob ile Safari /537.36" - -lang=en-U S --user-d ata-dir="C :\Users\us er\AppData \Local\CEF \User Data " --log-fi le="C:\Use rs\user\Ap pData\Roam ing\GamePa ll\debug.l og" --mojo -platform- channel-ha ndle=2972 --field-tr ial-handle =3932,i,15 4792306811 03079642,9 7009200826 0029416,26 2144 --dis able-featu res=BackFo rwardCache ,Calculate NativeWinO cclusion,D ocumentPic tureInPict ureAPI /pr efetch:8 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 2940 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =utility - -utility-s ub-type=ne twork.mojo m.NetworkS ervice --l ang=en-US --service- sandbox-ty pe=none -- no-sandbox --log-sev erity=disa ble --user -agent="Mo zilla/5.0 (Linux; An droid 10; K) AppleWe bKit/537.3 6 (KHTML, like Gecko ) Chrome/1 26.0.6478. 127 Mobile Safari/53 7.36" --la ng=en-US - -user-data -dir="C:\U sers\user\ AppData\Lo cal\CEF\Us er Data" - -log-file= "C:\Users\ user\AppDa ta\Roaming \GamePall\ debug.log" --mojo-pl atform-cha nnel-handl e=2260 --f ield-trial -handle=39 32,i,15479 2306811030 79642,9700 9200826002 9416,26214 4 --disabl e-features =BackForwa rdCache,Ca lculateNat iveWinOccl usion,Docu mentPictur eInPicture API /prefe tch:8 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 1496 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =renderer --log-seve rity=disab le --user- agent="Moz illa/5.0 ( Linux; And roid 10; K ) AppleWeb Kit/537.36 (KHTML, l ike Gecko) Chrome/12 6.0.6478.1 27 Mobile Safari/537 .36" --use r-data-dir ="C:\Users \user\AppD ata\Local\ CEF\User D ata" --fir st-rendere r-process --no-sandb ox --log-f ile="C:\Us ers\user\A ppData\Roa ming\GameP all\debug. log" --lan g=en-US -- device-sca le-factor= 1 --num-ra ster-threa ds=2 --ena ble-main-f rame-befor e-activati on --rende rer-client -id=6 --ti me-ticks-a t-unix-epo ch=-171995 7786566967 --launch- time-ticks =652121326 5 --mojo-p latform-ch annel-hand le=4044 -- field-tria l-handle=3 932,i,1547 9230681103 079642,970 0920082600 29416,2621 44 --disab le-feature s=BackForw ardCache,C alculateNa tiveWinOcc lusion,Doc umentPictu reInPictur eAPI /pref etch:1 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5508 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" --type =renderer --log-seve rity=disab le --user- agent="Moz illa/5.0 ( Linux; And roid 10; K ) AppleWeb Kit/537.36 (KHTML, l ike Gecko) Chrome/12 6.0.6478.1 27 Mobile Safari/537 .36" --use r-data-dir ="C:\Users \user\AppD ata\Local\ CEF\User D ata" --no- sandbox -- log-file=" C:\Users\u ser\AppDat a\Roaming\ GamePall\d ebug.log" --lang=en- US --devic e-scale-fa ctor=1 --n um-raster- threads=2 --enable-m ain-frame- before-act ivation -- renderer-c lient-id=5 --time-ti cks-at-uni x-epoch=-1 7199577865 66967 --la unch-time- ticks=6521 380179 --m ojo-platfo rm-channel -handle=40 56 --field -trial-han dle=3932,i ,154792306 8110307964 2,97009200 8260029416 ,262144 -- disable-fe atures=Bac kForwardCa che,Calcul ateNativeW inOcclusio n,Document PictureInP ictureAPI /prefetch: 1 MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6668 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 6756 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) GamePall.exe (PID: 5900 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE) 96C7.exe (PID: 5952 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\96C7.ex e MD5: DA4B6F39FC024D2383D4BFE7F67F1EE1) GamePall.exe (PID: 5716 cmdline:
"C:\Users\ user\AppDa ta\Roaming \GamePall\ GamePall.e xe" MD5: 7A3502C1119795D35569535DE243B6FE)
svgbeht (PID: 5988 cmdline:
C:\Users\u ser\AppDat a\Roaming\ svgbeht MD5: 17CB739C8FD07235FD29FBAAB85E7777)
svgbeht (PID: 6788 cmdline:
C:\Users\u ser\AppDat a\Roaming\ svgbeht MD5: 17CB739C8FD07235FD29FBAAB85E7777)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. |
{"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}
{"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
{"C2 url": "146.70.169.164:2227"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
| |
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
Click to see the 22 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
Click to see the 1 entries |
System Summary |
---|
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Max Altgelt (Nextron Systems): |
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 9_2_036E1C94 |
Source: | Static PE information: |
Source: | Registry value created: |
Source: | File opened: | Jump to behavior |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Directory queried: |
Source: | Code function: | 8_2_00405B4A | |
Source: | Code function: | 8_2_004066FF | |
Source: | Code function: | 8_2_004027AA | |
Source: | Code function: | 9_2_00EB24BD | |
Source: | Code function: | 9_2_036E1000 | |
Source: | Code function: | 9_2_036E4E27 | |
Source: | Code function: | 9_2_036E1D3C | |
Source: | Code function: | 9_2_036E40BA | |
Source: | Code function: | 9_2_036E3EFC |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Networking |
---|
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | Code function: | 9_2_00E45B80 |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 8_2_004055E7 |
Source: | Code function: | 9_2_036E4BA2 |
Source: | Process created: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Process Stats: |
Source: | Code function: | 0_2_00401538 | |
Source: | Code function: | 0_2_00402FE9 | |
Source: | Code function: | 0_2_004014DE | |
Source: | Code function: | 0_2_00401496 | |
Source: | Code function: | 0_2_00401543 | |
Source: | Code function: | 0_2_00401565 | |
Source: | Code function: | 0_2_00401579 | |
Source: | Code function: | 0_2_0040157C | |
Source: | Code function: | 4_2_00401538 | |
Source: | Code function: | 4_2_00402FE9 | |
Source: | Code function: | 4_2_004014DE | |
Source: | Code function: | 4_2_00401496 | |
Source: | Code function: | 4_2_00401543 | |
Source: | Code function: | 4_2_00401565 | |
Source: | Code function: | 4_2_00401579 | |
Source: | Code function: | 4_2_0040157C | |
Source: | Code function: | 8_2_100010D0 | |
Source: | Code function: | 10_2_00401538 | |
Source: | Code function: | 10_2_00402FE9 | |
Source: | Code function: | 10_2_004014DE | |
Source: | Code function: | 10_2_00401496 | |
Source: | Code function: | 10_2_00401543 | |
Source: | Code function: | 10_2_00401565 | |
Source: | Code function: | 10_2_00401579 | |
Source: | Code function: | 10_2_0040157C |
Source: | Code function: | 8_2_004034CC |
Source: | Code function: | 8_2_00406A88 | |
Source: | Code function: | 9_2_00EA1490 | |
Source: | Code function: | 9_2_00EAD515 | |
Source: | Code function: | 9_2_00EB4775 | |
Source: | Code function: | 9_2_00EABE09 |
Source: | Code function: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: |
Source: | Base64 encoded string: |