


Uses Microsoft's Enhanced Cryptographic Provider
Sample file is different than original file name gathered from version info
Sample execution stops while process was sleeping (likely an evasion)
Queries the volume information (name, serial number etc.) of a device
Queries disk information (often used to detect virtual machines)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to get notified if a device is plugged in / out
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the driver directory
Creates files inside the system directory
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
Query firmware table information (likely to detect VMs)
Contains functionality for read data from the clipboard
Contains functionality to query locales information (e.g. system language)

If IE is your default browser (or it is being forced) and hyperlinks in MS Office are not working, you can use the new option BlockIEEmbedding=y.

Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
