Windows
Analysis Report
pXlV6TKi3E.exe
Overview
General Information
Detection
Sality
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Yara detected Sality
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
PE file has a writeable .text section
Deletes keys which are related to windows safe boot (disables safe mode boot)
Machine Learning detection for sample
Allocates memory in foreign processes
May modify the system service descriptor table (often done to hook functions)
Creates a thread in another existing process (thread injection)
Drops PE files with a suspicious file extension
Writes to foreign memory regions
Disables user account control notifications
Changes security center settings (notifications, updates, antivirus, firewall)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Modifies the windows firewall
Creates autorun.inf (USB autostart)
Disables UAC (registry)
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Modifies existing windows services
Drops PE files
Uses a known web browser user agent for HTTP communication
Checks for available system drives (often done to infect USB drives)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May infect USB drives
PE file contains sections with non-standard names
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Stores large binary data to the registry
Found potential string decryption / allocating functions
Found dropped PE file which has not been started or loaded
Entry point lies outside standard sections
Enables debug privileges
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Classification
- System is w10x64
- pXlV6TKi3E.exe (PID: 4600, cmdline: C:\Users\user\Desktop\pXlV6TKi3E.exe, MD5: F96AD2108001929CCC0D4244215239F8)
- fontdrvhost.exe (PID: 696, cmdline: fontdrvhost.exe, MD5: 31113981180E69C2773BCADA4051738A)
- fontdrvhost.exe (PID: 704, cmdline: fontdrvhost.exe, MD5: 31113981180E69C2773BCADA4051738A)
- dwm.exe (PID: 960, cmdline: dwm.exe, MD5: 70073A05B2B43FFB7A625708BB29E7C7)
- svchost.exe (PID: 4424, cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- sihost.exe (PID: 2936, cmdline: sihost.exe, MD5: 6F84A5C939F9DA91F5946AF4EC6E2503)
- svchost.exe (PID: 2976, cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 3004, cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup -s WpnUserService, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- ctfmon.exe (PID: 3260, cmdline: ctfmon.exe, MD5: D4DAF47FBF707B23B874DE6F139CB0C7)
- explorer.exe (PID: 3452, cmdline: C:\Windows\Explorer.EXE, MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- dllhost.exe (PID: 3716, cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}, MD5: 2528137C6745C4EADD87817A1909677E)
- ShellExperienceHost.exe (PID: 3908, cmdline: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca, MD5: 94D34E489ACC08D4E36DF96E39561647)
- SearchUI.exe (PID: 4068, cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca, MD5: C4A9ACE9CDB9E5DB7CBA996CFA9EA7A2)
- RuntimeBroker.exe (PID: 3864, cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding, MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
- smartscreen.exe (PID: 4100, cmdline: C:\Windows\System32\smartscreen.exe -Embedding, MD5: ECD6F6120A4A1903508D24F9B1F10505)
- RuntimeBroker.exe (PID: 4332, cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding, MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
- HxTsr.exe (PID: 4456, cmdline: "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxTsr.exe" -ServerName:Hx.IPC.Server, MD5: F6A51F7C21A81C1BA24182E76413BE17)
- RuntimeBroker.exe (PID: 4480, cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding, MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
- RuntimeBroker.exe (PID: 4592, cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding, MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
- dllhost.exe (PID: 3180, cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, MD5: 2528137C6745C4EADD87817A1909677E)
- mnIfGXLiqWUjFj.exe (PID: 5448, cmdline: C:\Program Files (x86)\JoMoAWoLoFTBATuUNhzGOfoSBiTzKgZisYLySNkDqyeCXANTFgUQH\mnIfGXLiqWUjFj.exe, MD5: 32B8AD6ECA9094891E792631BAEA9717)
- mnIfGXLiqWUjFj.exe (PID: 5460, cmdline: C:\Program Files (x86)\JoMoAWoLoFTBATuUNhzGOfoSBiTzKgZisYLySNkDqyeCXANTFgUQH\mnIfGXLiqWUjFj.exe, MD5: 32B8AD6ECA9094891E792631BAEA9717)
- mnIfGXLiqWUjFj.exe (PID: 5484, cmdline: C:\Program Files (x86)\JoMoAWoLoFTBATuUNhzGOfoSBiTzKgZisYLySNkDqyeCXANTFgUQH\mnIfGXLiqWUjFj.exe, MD5: 32B8AD6ECA9094891E792631BAEA9717)
- mnIfGXLiqWUjFj.exe (PID: 5496, cmdline: C:\Program Files (x86)\JoMoAWoLoFTBATuUNhzGOfoSBiTzKgZisYLySNkDqyeCXANTFgUQH\mnIfGXLiqWUjFj.exe, MD5: 32B8AD6ECA9094891E792631BAEA9717)
- mnIfGXLiqWUjFj.exe (PID: 5504, cmdline: C:\Program Files (x86)\JoMoAWoLoFTBATuUNhzGOfoSBiTzKgZisYLySNkDqyeCXANTFgUQH\mnIfGXLiqWUjFj.exe, MD5: 32B8AD6ECA9094891E792631BAEA9717)
- mnIfGXLiqWUjFj.exe (PID: 5524, cmdline: C:\Program Files (x86)\JoMoAWoLoFTBATuUNhzGOfoSBiTzKgZisYLySNkDqyeCXANTFgUQH\mnIfGXLiqWUjFj.exe, MD5: 32B8AD6ECA9094891E792631BAEA9717)
- mnIfGXLiqWUjFj.exe (PID: 5532, cmdline: C:\Program Files (x86)\JoMoAWoLoFTBATuUNhzGOfoSBiTzKgZisYLySNkDqyeCXANTFgUQH\mnIfGXLiqWUjFj.exe, MD5: 32B8AD6ECA9094891E792631BAEA9717)
- mnIfGXLiqWUjFj.exe (PID: 5556, cmdline: C:\Program Files (x86)\JoMoAWoLoFTBATuUNhzGOfoSBiTzKgZisYLySNkDqyeCXANTFgUQH\mnIfGXLiqWUjFj.exe, MD5: 32B8AD6ECA9094891E792631BAEA9717)
- mnIfGXLiqWUjFj.exe (PID: 5564, cmdline: C:\Program Files (x86)\JoMoAWoLoFTBATuUNhzGOfoSBiTzKgZisYLySNkDqyeCXANTFgUQH\mnIfGXLiqWUjFj.exe, MD5: 32B8AD6ECA9094891E792631BAEA9717)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Sality | F-Secure states that the Sality virus family has been circulating in the wild as early as 2003. Over the years, the malware has been developed and improved with the addition of new features, such as rootkit or backdoor functionality, and so on, keeping it an active and relevant threat despite the relative age of the malware. Modern Sality variants also have the ability to communicate over a peer-to-peer (P2P) network, allowing an attacker to control a botnet of Sality-infected machines. The combined resources of the Sality botnet may also be used by its controller(s) to perform other malicious actions, such as attacking routers. Infection: Sality viruses typically infect executable files on local, shared and removable drives. In earlier variants, the Sality virus simply added its own malicious code to the end of the infected (or host) file, a technique known as prepending. The viral code that Sality inserts is polymorphic, a form of complex code that is intended to make analysis more difficult. Earlier Sality variants were regarded as technically sophisticated in that they use an Entry Point Obscuration (EPO) technique to hide their presence on the system. This technique means that the virus inserts a command somewhere in the middle of an infected file's code, so that when the system is reading the file to execute it and comes to the command, it forces the system to 'jump' to the malware's code and execute that instead. This technique was used to make discovery and disinfection of the malicious code harder. Payload: Once installed on the computer system, Sality viruses usually also execute a malicious payload. The specific actions performed depend on the specific variant in question, but generally Sality viruses will attempt to terminate processes, particularly those related to security programs. The virus may also attempt to open connections to remote sites, download and run additional malicious files, and steal data from the infected machine. | | | |
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | Sality_Malware_Oct16 | Detects an unspecified malware - October 2016 | Florian Roth (Nextron Systems) | |
| | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen | |
| | Sality_Malware_Oct16 | Detects an unspecified malware - October 2016 | Florian Roth (Nextron Systems) | |
| | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_Sality | Yara detected Sality | Joe Security | |
| | JoeSecurity_Sality | Yara detected Sality | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | Sality_Malware_Oct16 | Detects an unspecified malware - October 2016 | Florian Roth (Nextron Systems) | |
| | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen | |
| | Sality_Malware_Oct16 | Detects an unspecified malware - October 2016 | Florian Roth (Nextron Systems) | |
| | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen | |
| | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen | |
No Sigma rule has matched
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype |
---|---|---|---|---|---|---|---|
04/11/23-14:07:48.006949 | 192.168.2.3 | 49720 | 37.230.104.89 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:30.652648 | 192.168.2.3 | 49699 | 63.251.106.25 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:31.836726 | 192.168.2.3 | 49701 | 63.251.106.25 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:32.006592 | 63.251.106.25 | 80 | 192.168.2.3 | 49701 | TCP | 2037771 | A Network Trojan was detected |
04/11/23-14:07:29.754464 | 192.168.2.3 | 49698 | 206.191.152.58 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:32.470703 | 192.168.2.3 | 49703 | 78.46.2.155 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:50.645696 | 192.168.2.3 | 49724 | 63.251.106.25 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:46.157639 | 192.168.2.3 | 49716 | 63.251.106.25 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:42.027481 | 192.168.2.3 | 49709 | 206.189.61.126 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:51.529651 | 192.168.2.3 | 49727 | 78.46.2.155 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:47.245790 | 192.168.2.3 | 49718 | 63.251.106.25 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:45.241975 | 192.168.2.3 | 49715 | 206.191.152.58 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:42.394782 | 192.168.2.3 | 49710 | 63.251.106.25 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:51.949311 | 192.168.2.3 | 49728 | 37.230.104.89 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:46.475492 | 192.168.2.3 | 49717 | 206.189.61.126 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:33.290905 | 192.168.2.3 | 49704 | 37.230.104.89 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:53.402294 | 192.168.2.3 | 49731 | 206.191.152.58 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:40.848947 | 192.168.2.3 | 49707 | 206.191.152.58 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:31.152411 | 192.168.2.3 | 49700 | 206.189.61.126 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:47.552319 | 192.168.2.3 | 49719 | 78.46.2.155 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:42.660250 | 192.168.2.3 | 49711 | 78.46.2.155 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:50.964219 | 192.168.2.3 | 49725 | 206.189.61.126 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:55.135799 | 192.168.2.3 | 49732 | 63.251.106.25 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:50.093809 | 192.168.2.3 | 49723 | 206.191.152.58 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:43.210687 | 192.168.2.3 | 49712 | 37.230.104.89 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:51.294252 | 192.168.2.3 | 49726 | 63.251.106.25 | 80 | TCP | 2804830 | A Network Trojan was detected |
04/11/23-14:07:41.388921 | 192.168.2.3 | 49708 | 63.251.106.25 | 80 | TCP | 2804830 | A Network Trojan was detected |
AV Detection |
---|
Source: Avira URL Cloud |
Source: Avira |
Source: ReversingLabs |
Source: Avira |
Source: ReversingLabs |
Source: Joe Sandbox ML |
Source: Avira |
Source: Static PE information |
Source: HTTPS traffic detected |
Source: Static PE information |
Source: Binary string |
Spreading |
---|
Source: File source |
Source: File created |
Source: File opened |
Source: Binary or memory string |